An attack on church cybersecurity rarely comes at the right time, is rarely designed to be easily spotted, and is likely geared at exploiting human vulnerabilities, not firewalls or technological safeguards.
At Lafayette, Indiana-based Faith Ministries, the threat arrived in a staff member’s email inbox a few minutes before an early-morning worship service one Sunday this spring.
“I’m praying with some people,” the pastor wrote, adding he needed the staff member to send him several electronic gift cards for the people he was praying with.
Suspicious, the staff member flagged the email. He later learned the email really came from an outside party attempting to defraud the multisite church.
The human firewall
Jonathan Smith, Faith Ministry’s technology director and an advisor-at-large for Church Law & Tax, says the attack revealed just how well-versed some cybercriminals are in the normal routines and rhythms of the local church:
- The sender knew the pastor’s name to pose as him.
- The email described activities commonly occurring on a Sunday morning.
- The email arrived just before the service started, a moment many church staff members might rush a response rather than verify it.
Thankfully, Smith’s colleague thought twice.
And that’s the key lesson in the never-ending fight against cyber fraud: people, not just technology, are the best defense.
While hardware and software defenses, technological best practices, and even cyberliability insurance, play important roles, training and education can go furthest toward minimizing susceptibilities at every church, technology and security experts say.
“The human firewall is our only hope,” Smith says.
Attacks are on the rise
Several high-profile church cybersecurity breaches have made recent headlines.
- The Florida Baptist Convention had $700,000 stolen in early 2023 after an email purporting to be from the Southern Baptist Church’s North American Mission Board instead proved to be fraudulent. The instructions in the email tricked convention employees into changing account information for routing funds.
- In late 2022, a North Carolina church received an email containing a bill, along with new electronic payment instructions, from a party posing as its building contractor. Nearly $800,000 was lost.
- Another email scam in 2019 cost an Ohio Catholic church $1.7 million after criminals accessed email accounts of parish employees and then sent emails instructing them to change payment information for a construction contractor.
Training and educating
Educating and training church pastors and staff members about these types of tactics—and how they continue to evolve—is critical, says Allison Ward, a partner with CapinTech, a division of church and nonprofit accounting firm CapinCrouse.
Repeating this training and education frequently is needed, too, adds Nick Vaernhoej, chief information security officer for Church Mutual Insurance Company, the largest insurer of US houses of worship. While criminal tactics mostly remain the same, the methods for accomplishing them rapidly shift.
The ways the tactics are adapted to trick recipients “change month by month,” Vaernhoej says.
Building a strong human firewall is about getting people to:
- Stop before they respond
- Evaluate what’s happening
- Take steps to verify what’s being requested through some other form of communication
“In my experience, the best methods for addressing ‘high-tech’ threats are typically ‘low-tech’ in nature,” Vaernhoej says. “For instance, some type of manual verification system, such as placing a phone call to the requester before releasing the funds requested.”
Smith agrees, adding a live confirmation before changing a payment method or process or releasing any funds is a must. Churches should adopt policies requiring live verifications, he adds, noting a live call, live video call, or in-person conversation should be used.
“AI can now mimic voices, so don’t rely on a voicemail left in tandem with an email,” Smith says.
At Faith Ministries, ongoing training comes multiple ways. The church partners with an outside vendor who sends about four test messages per week to staff members. These message are designed to trick an employee into clicking a link or opening an attachment. Those who fail get follow-up messages and tips.
Periodic staff wide training sessions also occur, Smith says.
KnowBe4—the vendor Faith Ministries uses—charges $3 per user per month. As Smith—who also consults for churches and ministries through his company, MBS Inc.—advises other churches to do the same, he frequently encounters resistance.
“How do we communicate the urgency for this? It’s such a simple thing to solve, it’s inexpensive to solve, and yet few are willing to do it,” Smith says.
Setting solid standards
Meanwhile, established standards for good hardware, software, and security protocols are available through the National Institute of Standards and Technology (NIST). These are especially helpful for technical specifications related to firewalls, network security, virtual private networks, password management, and encryption.
Ward and Vaernhoej offer these best practices:
- Take inventory of the devices and software your church uses. Take inventory of the people who possess them (as well as have access to networks).
- Keep up on security patching released by hardware and software vendors.
- Require regular password management and institute multifactor authentication (MFA) preferably through an app-based option from Okta, Microsoft, or Google. This cuts down on the multifactor workarounds that bad actors use with text- and email-based options.
- Use an email filtering solution. Work to balance the sensitivity levels to screen out problem messages while still allowing legitimate ones. Microsoft’s Office365 and Gmail’s cloud email options, work well for small and large operations. Both offer in phishing and malware prevention techniques.
- Use combinations of complementary tools to boost overall security. A good example? Pairing a content filtering firewall with antivirus software. This simple mix of foundational tools will stop many problems before they can cause any damage.