Someone is sending emails to church members using the pastor's name to solicit funds. Recipients want to help, but something seems fishy so someone reaches out to the pastor. When he hears about it, he's paniced about being hacked. He makes a call, and the panic spreads.Like you, we HATE whenever we find out someone is trying to take advantage of relationships within the church. Everyone feels violated. There's always an urgency to fix this - and rightly so.
Cybersecurity is a big deal for us and we have set up all kinds of protocols to protect against nefarious objectives. When we receive the panic induced email or call, we feel the pain with you. This is a BIG deal to us.
In every case that we have investigated for our clients the problem was not technology security, it was what cybersecurity experts call social engineering. Here's an example.
The bad character searches for and goes to the public church website or social media pages to learn the pastor's name and any other information about him or other ministry leaders.
Now that he knows some things about the church, he seeks to gain access to the directory to get email addresses. He does this by calling or emailing the church office, identifying as a visitor or attender, and asking for access to the directory. The request could be for an online password, or for the directory to be emailed to him.
Next, he creates an email account that looks like it could be the pastor's. For example, pastorboydp@gmail.com looks like it could be from me, but it's bogus.
Finally, he uses this address to send an email to people in the directory with some story about why they need to send a gift card to him immediately. They often use personal information that they learned from the website or social media to make the email sound legitimate.
This is a social engineering scam often referred to as phishing. You may have heard the term. And, yes, it's a play on the word fishing. So, what can you as a church leader do to not get caught up in it? Here are four suggestions.
- Do not give out a churchwide directory. Our clients have options to control access to the directory should they choose to give it. But, many churches no longer give access to churchwide directories at all. If a directory is import to your church, be sure you verify the identity of everyone who has access to it. Churchteams clients should review this article related to use of a directory.
Push out directories at the group level. In Churchteams, there is a communication option within each group that enables the leader to email directory information on their group to their group. This is the level where most nonleaders develop friendships that they want to communicate with anyway. This feature gives the right access to the right people and keeps other member information secure. - Train staff to recognize potential scammers. Don't assume your staff and volunteers understand what phishing is. Share this blog post with them. Create a document or even a policy for sharing directory and other personal information. Requests for directory access or passwords that come by email or over the phone should raise flags for staff to verify the identity of the person making the request. Here is an example guideline to help train staff.
- Develop a "Use of Information" guide. Communicate with people how you will use their information when they give it to you. This could be a simple sentence or two in the bulletin or on a registration, or it could be a full policy that you include in your new member handouts. This is becoming a more common practice. Here is a template for creating this guide.
As a Churchteams client, you can be assured that we are paying very close attention to your cybersecurity needs. It is one of those behind the scenes things that we do to make sure system integrity is always maintained. However, if you ever have a concern, we will work with your IT person or team as much as needed to make sure you are completely confident that your data is safe.
