Church Cybersecurity Starts With the Human Firewall

While external threats are real, church cybersecurity starts with strong internal processes and education, experts say.

An attack on church cybersecurity rarely comes at the right time, is rarely designed to be easily spotted, and is likely geared at exploiting human vulnerabilities, not firewalls or technological safeguards.

At Lafayette, Indiana-based Faith Ministries, the threat arrived in a staff member’s email inbox a few minutes before an early-morning worship service one Sunday this spring.

“I’m praying with some people,” the pastor wrote, adding he needed the staff member to send him several electronic gift cards for the people he was praying with.

Suspicious, the staff member flagged the email. He later learned the email really came from an outside party attempting to defraud the multisite church.

The human firewall

Jonathan Smith, Faith Ministries' technology director and an advisor-at-large for Church Law & Tax, says the attack revealed just how well-versed some cybercriminals are in the normal routines and rhythms of the local church:

  • The sender knew the pastor’s name to pose as him.
  • The email described activities commonly occurring on a Sunday morning.
  • The email arrived just before the service started, a moment when many church staff members might rush a response rather than verify it.

Thankfully, Smith’s colleague thought twice.

And that’s the key lesson in the never-ending fight against cyber fraud: people, not just technology, are the best defense.

While hardware and software defenses, technological best practices, and even cyberliability insurance play important roles, training and education go furthest toward minimizing susceptibilities at every church, technology and security experts say.

“The human firewall is our only hope,” Smith says.

Attacks are on the rise

Several high-profile church cybersecurity breaches have made recent headlines.

  • The Florida Baptist Convention had $700,000 stolen in early 2023 after an email purporting to be from the Southern Baptist Church’s North American Mission Board instead proved to be fraudulent. The instructions in the email tricked convention employees into changing account information for routing funds.
  • In late 2022, a North Carolina church received an email containing a bill, along with new electronic payment instructions, from a party posing as its building contractor. Nearly $800,000 was lost.
  • Another email scam in 2019 cost an Ohio Catholic church $1.7 million after criminals accessed email accounts of parish employees and then sent emails instructing them to change payment information for a construction contractor.

Training and educating

Educating and training church pastors and staff members about these types of tactics—and how they continue to evolve—is critical, says Allison Ward, a partner with CapinTech, a division of church and nonprofit accounting firm CapinCrouse.

Part one and part two of a webinar Allison Ward co-presented on security controls are available from CapinTech.

This training and education also needs to be repeated frequently, adds Nick Vaernhoej, chief information security officer for Church Mutual Insurance Company, the largest insurer of US houses of worship. While criminal tactics mostly remain the same, the methods for accomplishing them rapidly shift.

The ways the tactics are adapted to trick recipients “change month by month,” Vaernhoej says.

‘Low-tech’ solutions

Building a strong human firewall is about getting people to:

  • Stop before they respond
  • Evaluate what’s happening
  • Take steps to verify what’s being requested through some other form of communication

“In my experience, the best methods for addressing ‘high-tech’ threats are typically ‘low-tech’ in nature,” Vaernhoej says. “For instance, some type of manual verification system, such as placing a phone call to the requester before releasing the funds requested.”

Smith agrees, adding that a live confirmation before changing a payment method or process, or before releasing any funds, is a must. Churches should adopt policies requiring live verification, he adds, noting that a live call, live video call, or in-person conversation should be used.

“AI can now mimic voices, so don’t rely on a voicemail left in tandem with an email,” Smith says.

At Faith Ministries, ongoing training comes in multiple ways. The church partners with an outside vendor that sends about four test messages per week to staff members. These messages are designed to trick an employee into clicking a link or opening an attachment. Those who fail get follow-up messages and tips.

Periodic staff-wide training sessions also occur, Smith says.

KnowBe4—the vendor Faith Ministries uses—charges $3 per user per month. As Smith—who also consults for churches and ministries through his company, MBS Inc.—advises other churches to do the same, he frequently encounters resistance.

“How do we communicate the urgency for this? It’s such a simple thing to solve, it’s inexpensive to solve, and yet few are willing to do it,” Smith says.

Setting solid standards

Meanwhile, established standards for good hardware, software, and security protocols are available through the National Institute of Standards and Technology (NIST). These are especially helpful for technical specifications related to firewalls, network security, virtual private networks, password management, and encryption.

Ward and Vaernhoej offer these best practices:

  • Take inventory of the devices and software your church uses. Take inventory of the people who possess them (as well as have access to networks).
  • Keep up on security patching released by hardware and software vendors.
  • Require regular password management and institute multifactor authentication (MFA), preferably through an app-based option from Okta, Microsoft, or Google. This cuts down on the multifactor workarounds that bad actors use against text- and email-based options.
  • Use an email filtering solution. Work to balance the sensitivity levels to screen out problem messages while still allowing legitimate ones. Microsoft's Office 365 and Google's Gmail cloud email options work well for small and large operations, and both offer built-in phishing and malware prevention.
  • Use combinations of complementary tools to boost overall security. A good example? Pairing a content filtering firewall with antivirus software. This simple mix of foundational tools will stop many problems before they can cause any damage.
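As an added illustration, not code from the article or from any vendor it names, here is how an email filter can encode the article's two lessons, the display-name impersonation check and the live-call policy for money requests, over constructed sample messages modelled on the incidents above. The church domain, staff directory and phrase lists are assumptions for the example.

```python
from email.utils import parseaddr

# Constructed sample values: the church's own domain and a small staff directory.
CHURCH_DOMAIN = "example-church.org"
STAFF = {"Pastor Dave Example": "dave@example-church.org",
         "Finance Office": "finance@example-church.org"}
# Request patterns the scams in the article share: money moves and time pressure.
MONEY_PHRASES = ("gift card", "new payment", "update account", "routing", "wire")
URGENCY_PHRASES = ("right away", "before the service", "asap", "praying with")

def assess_message(from_header, subject, body):
    """Classify one inbound message as deliver / hold / block, with reasons."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = f"{subject} {body}".lower()
    reasons = []
    known = STAFF.get(name)
    # Display-name impersonation: a staff member's name on a different mailbox.
    impersonated = bool(known and addr != known)
    if impersonated:
        reasons.append(f"'{name}' expected from {known}, got {addr}")
    elif domain and domain != CHURCH_DOMAIN:
        reasons.append(f"external sender {domain}")
    money = [p for p in MONEY_PHRASES if p in text]
    urgent = [p for p in URGENCY_PHRASES if p in text]
    for label, hits in (("money request", money), ("urgency cue", urgent)):
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")
    # Policy from the article: impersonation is blocked outright; any request to
    # send funds or change payment details waits for a live call, never a reply.
    verdict = "block" if impersonated else "hold: verify by live call" if money else "deliver"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages modelled on the incidents the article describes.
SAMPLES = {
    "pastor_gift_cards": ('"Pastor Dave Example" <pastor.dave.example@freemail.example>',
                          "Quick favor", "I'm praying with some people and need you "
                          "to send several electronic gift cards right away."),
    "contractor_invoice": ('"Builder Co Billing" <billing@builderco.example>',
                           "Updated payment instructions",
                           "Please use our new payment details and routing number."),
    "schedule": ('"Finance Office" <finance@example-church.org>',
                 "Sunday volunteer schedule", "Attached is this week's schedule."),
}

def triage(samples=SAMPLES):
    """Return {message id: verdict} for a batch of messages."""
    return {mid: assess_message(*msg)["verdict"] for mid, msg in samples.items()}
```

Note that the contractor message is held even though nothing about it looks forged: the policy keys on the payment change itself, which is exactly the step the Florida, North Carolina and Ohio losses turned on.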

Matthew Branaugh is an attorney and the business owner for Church Law & Tax.

