Hacking a Church Is About Exploiting Its Weakest Link

As generative AI improves communications, church hackers are refining their tactics.

Email scams on churches in Florida, North Carolina, and Ohio led to millions of dollars in losses, but they also highlight the reality that hacking a church can be about human behavior as much as technology.

Contrary to Hollywood-produced stories, sophisticated work from a remote location to access a victim’s network or computer isn’t what leads to most breaches, says Jonathan Smith, technology director for Indiana-based Faith Ministries, a multisite church.

“‘Hacking’ is a misnomer,” Smith says. “It’s the user usually unwittingly enabling the bad actor.”

AI is making hacking a church easier

Phishing remains the most common tactic, but generative artificial intelligence (AI) is making it harder to spot. Using chatbots, bad actors create error- and typo-free messages, says Allison Ward, a partner with CapinTech.

“Bad actors follow what we do,” Ward tells Church Law & Tax. “They do what we do, and do what’s normal to us, to get us to fall victim.”

Part one and part two of a webinar Allison Ward co-presented on security controls is available from CapinTech.

“The tricks haven’t changed. The methods haven’t changed,” Smith adds. “But now, AI makes the playing field level.”

Phishing, Vishing, SMSishing …

Some of the more common tactics include:

  • Phishing: An email sent to the victim appears to come from a familiar sender. Examples include an online retail website or the security team of a social media platform. The message sounds dire, It also instructs the recipient to take immediate action by clicking on a link or opening an attachment. Either option might contain malicious code, potentially infecting the victim’s computer. Or the messages may redirect the victim to an official looking page that then captures sensitive information shared by the victim.
  • Spear Phishing: This is the same as a phishing attempt, except the email appears to come from someone the victim knows. The email may include specific instructions to coax the victim into doing something—send electronic gift cards, change routing information for making payments.
  • Vishing: A voice mail that uses similar messaging as a phishing email or spear phishing email. Generative AI can mimick the voice of someone the victim recognizes to make the message sound legitimate.
  • SMSishing: A phishing or spear phishing attempt sent via text message to a victim’s mobile phone instead of email.
  • Ransomware: A phishing or spear phishing attempt containing malicious code in a link clicked by the victim or an attachment opened by the victim. The code enables a criminal to access systems and files and hold them ransom. Generative AI now allows bad actors with little programming experience to create ransomware. This means increased attempts are likely to come.
  • Multifactor workarounds: A bad actor obtains the victim’s password to a site or system, either through a breach unrelated to the victim, or through a victim’s weak password. The victim’s church uses multifactor authentication (MFA), a commonly used best practice in which a code is sent via email or text to confirm the victim’s identity. The bad actor has the site or system send the victim repeated MFA requests. Then, the bad actor sends an email or text claiming to be from the church, asking the victim to send the MFA code.

Download and share this glossary of hacker tactics with your church staff, pastors and other key users:

Matthew Branaugh is an attorney, and the content editor for Christianity Today's Church Law & Tax.

This content is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. "From a Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations." Due to the nature of the U.S. legal system, laws and regulations constantly change. The editors encourage readers to carefully search the site for all content related to the topic of interest and consult qualified local counsel to verify the status of specific statutes, laws, regulations, and precedential court holdings.

ajax-loader-largecaret-downcloseHamburger Menuicon_amazonApple PodcastsBio Iconicon_cards_grid_caretChild Abuse Reporting Laws by State IconChurchSalary Iconicon_facebookGoogle Podcastsicon_instagramLegal Library IconLegal Library Iconicon_linkedinLock IconMegaphone IconOnline Learning IconPodcast IconRecent Legal Developments IconRecommended Reading IconRSS IconSubmiticon_select-arrowSpotify IconAlaska State MapAlabama State MapArkansas State MapArizona State MapCalifornia State MapColorado State MapConnecticut State MapWashington DC State MapDelaware State MapFederal MapFlorida State MapGeorgia State MapHawaii State MapIowa State MapIdaho State MapIllinois State MapIndiana State MapKansas State MapKentucky State MapLouisiana State MapMassachusetts State MapMaryland State MapMaine State MapMichigan State MapMinnesota State MapMissouri State MapMississippi State MapMontana State MapMulti State MapNorth Carolina State MapNorth Dakota State MapNebraska State MapNew Hampshire State MapNew Jersey State MapNew Mexico IconNevada State MapNew York State MapOhio State MapOklahoma State MapOregon State MapPennsylvania State MapRhode Island State MapSouth Carolina State MapSouth Dakota State MapTennessee State MapTexas State MapUtah State MapVirginia State MapVermont State MapWashington State MapWisconsin State MapWest Virginia State MapWyoming State IconShopping Cart IconTax Calendar Iconicon_twitteryoutubepauseplay