Email scams on churches in Florida, North Carolina, and Ohio led to millions of dollars in losses, but they also highlight the reality that hacking a church can be about human behavior as much as technology.
Contrary to Hollywood-produced stories, sophisticated work from a remote location to access a victim’s network or computer isn’t what leads to most breaches, says Jonathan Smith, technology director for Indiana-based Faith Ministries, a multisite church.
“‘Hacking’ is a misnomer,” Smith says. “It’s the user usually unwittingly enabling the bad actor.”
AI is making hacking a church easier
Phishing remains the most common tactic, but generative artificial intelligence (AI) is making it harder to spot. Using chatbots, bad actors create error- and typo-free messages, says Allison Ward, a partner with CapinTech.
“Bad actors follow what we do,” Ward tells Church Law & Tax. “They do what we do, and do what’s normal to us, to get us to fall victim.”
Part one and part two of a webinar Allison Ward co-presented on security controls are available from CapinTech.
“The tricks haven’t changed. The methods haven’t changed,” Smith adds. “But now, AI makes the playing field level.”
Phishing, Vishing, SMSishing …
Some of the more common tactics include:
- Phishing: An email that appears to come from a familiar sender, such as an online retailer or the security team of a social media platform. The message sounds dire and instructs the recipient to act immediately by clicking a link or opening an attachment. Either one may carry malicious code that infects the victim’s computer, or the link may redirect the victim to an official-looking page that captures whatever sensitive information the victim enters.
- Spear Phishing: The same as a phishing attempt, except the email appears to come from someone the victim knows. The email may include specific instructions meant to coax the victim into doing something, such as buying electronic gift cards or changing the routing information used for making payments.
- Vishing: A voice call or voice mail that uses the same messaging as a phishing or spear phishing email. Generative AI can mimic the voice of someone the victim recognizes to make the message sound legitimate.
- SMSishing: A phishing or spear phishing attempt sent via text message to a victim’s mobile phone instead of email.
- Ransomware: Malicious code delivered by a phishing or spear phishing attempt, either in a link the victim clicks or an attachment the victim opens. Once it runs, the code lets a criminal access systems and files, encrypt them, and hold them for ransom. Generative AI now allows bad actors with little programming experience to create ransomware, so more attempts are likely.
- Multifactor workarounds: A bad actor obtains the victim’s password to a site or system, either from a breach unrelated to the victim or because the victim’s password was weak. The victim’s church uses multifactor authentication (MFA), a widely adopted best practice in which a code is sent by email or text to confirm the victim’s identity, so the password alone is not enough to log in. The bad actor keeps attempting to log in with the stolen password, which makes the site or system send the victim one MFA code after another. The bad actor then emails or texts the victim, claiming to be from the church, and asks the victim to send the code. No one at the church needs that code; sharing it hands the bad actor the second factor.
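As an added example, not code from the article, CapinTech or Faith Ministries, the Python script below scores a raw email for the phishing traits the glossary describes: a display name that borrows a trusted brand while the sending domain does not match, a Reply-To that quietly diverts replies elsewhere, urgency language, link text that names one domain while the href lands on another (the "official-looking page"), and attachment types that can carry executable content. The two messages, the trusted-domain list and the urgency phrases are all constructed for this demonstration.

```python
"""Heuristic phishing-indicator scoring over a raw email message.

Added example for illustration; the sample messages, TRUSTED_DOMAINS and
URGENCY_TERMS are constructed, not taken from any real incident.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of phrases a "dire" lure leans on; extend it for your own environment.
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "verify your account", "urgent")

# Hypothetical domains the church already trusts. A display name that borrows one of
# these brands while the sending domain is something else is a classic phishing sign.
TRUSTED_DOMAINS = {"faithchurch.example", "amazon.com", "microsoft.com"}

RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".docm", ".xlsm", ".html", ".zip", ".iso")

HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable(host):
    """Crude registrable domain: 'login.amazon.com' -> 'amazon.com' (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rpartition("@")[2])

    # 1. Brand-name display name on an unrelated sending domain ("Amazon Security" <x@other>).
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and sender_domain != trusted:
            findings.append(f"display name '{display}' but sender domain '{sender_domain}'")

    # 2. Replies silently diverted to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable(reply_addr.rpartition("@")[2]) != sender_domain:
        findings.append(f"Reply-To '{reply_addr}' does not match sender domain")

    # 3. Urgency language: "act now or lose access".
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hits = [term for term in URGENCY_TERMS if term in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Link text names one domain while the href lands on another (the look-alike login page).
    for href, anchor in HREF_RE.findall(text):
        href_domain = registrable(urlparse(href).hostname or "")
        for named in DOMAIN_RE.findall(anchor):
            if registrable(named) != href_domain:
                findings.append(f"link text shows {named} but href goes to {href_domain}")

    # 5. Attachment types that can carry executable content or macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")

    return findings


# Constructed sample: a retail-brand lure with a diverted Reply-To and a disguised link.
SAMPLE_PHISH = """From: "Amazon Security" <alerts@amaz0n-verify.example>
Reply-To: collect@mailbox.example
To: treasurer@faithchurch.example
Subject: Action required
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended within 24 hours.</p>
<p>Please <a href="http://login-check.example/amazon">sign in at amazon.com</a> immediately.</p>
"""

# Constructed sample: an ordinary internal message that should trigger nothing.
SAMPLE_LEGIT = """From: "Jane Doe" <jane@faithchurch.example>
To: treasurer@faithchurch.example
Subject: Agenda for Tuesday
Content-Type: text/plain; charset="utf-8"

Attached is the agenda. See you Tuesday.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The heuristics deliberately stay simple and explainable so a staff member can read the finding and learn what to look for; they are a teaching aid and a first-pass filter, not a substitute for mail-gateway controls, SPF/DKIM/DMARC checks, or a sandbox for attachments.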
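As an added example, not from the article or any vendor it names, the Python detector below runs over constructed authentication log lines and flags the burst of MFA challenges that the multifactor workaround above produces, then escalates the alert when a challenge is approved right after such a burst. The log format, user names, threshold and time window are assumptions made for the demonstration; adapt the parser to your identity provider's export.

```python
"""MFA-fatigue (repeated-challenge) detector over authentication log lines.

Added example for illustration. The log line format and the sample lines are
constructed for this demonstration and do not match any particular identity provider.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
#   <ISO timestamp> user=<name> event=<name> result=<ok|fail>
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) result=(\S+)$")


def mfa_fatigue_alerts(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive `threshold` or more MFA challenges inside `window`.

    A burst of challenges the user did not start is the signature of the workaround:
    the attacker already has the password and keeps triggering the second factor,
    hoping the victim approves one or hands over the code when asked. If an
    mfa_success follows the burst, the alert is escalated because the second factor
    was most likely approved or shared under pressure.
    """
    recent = defaultdict(deque)   # user -> challenge timestamps still inside the window
    alerts = {}                   # user -> alert record, one per user
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue              # unparseable line: skip rather than crash the detector
        stamp, user, event, _result = match.groups()
        ts = datetime.fromisoformat(stamp)
        if event == "mfa_challenge_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # drop challenges older than the sliding window
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"user": user, "first": q[0], "approved_after_burst": False})
                alert["last"] = ts
                alert["challenges"] = len(q)
        elif event == "mfa_success" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


# Constructed sample: one normal login, then a late-night burst against "pastor"
# that ends with an approved challenge.
SAMPLE_LOG = """\
2024-05-06T09:00:00 user=treasurer event=password_ok result=ok
2024-05-06T09:00:01 user=treasurer event=mfa_challenge_sent result=ok
2024-05-06T09:00:40 user=treasurer event=mfa_success result=ok
2024-05-06T22:10:00 user=pastor event=password_ok result=ok
2024-05-06T22:10:01 user=pastor event=mfa_challenge_sent result=ok
2024-05-06T22:10:31 user=pastor event=mfa_challenge_sent result=ok
2024-05-06T22:11:02 user=pastor event=mfa_challenge_sent result=ok
2024-05-06T22:11:35 user=pastor event=mfa_challenge_sent result=ok
2024-05-06T22:12:10 user=pastor event=mfa_challenge_sent result=ok
2024-05-06T22:18:44 user=pastor event=mfa_success result=ok
"""

if __name__ == "__main__":
    for alert in mfa_fatigue_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The sliding window means a slow trickle of challenges over a day does not fire, while five inside ten minutes does; tune the threshold to your own baseline, and treat an approved challenge after a burst as an incident that warrants a password reset and a call to the user, not just a ticket.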
Download and share this glossary of hacker tactics with your church staff, pastors, and other key users.