Chris Dolan • Jun 05, 2023

A few of our partner churches have recently notified us that their congregation received emails from someone impersonating their pastor. Be sure to read the following blog (re-posted from December) for information about ways to keep this from happening at your church.

Does your church have a policy/procedure for responding to account updates via email and/or phone?
We have had several churches recently report that church members have emailed various church staff asking them to update their account. At first glance, this appears to be a legitimate request, but several factors have tipped off the staff to know that it was indeed a scam.

You might be wondering, “how is this a scam?”
The first thing that is clear is that the person is emailing from a new email address. This email address might look legitimate. We’ve seen examples that follow this format – first.last@outlook.com. While it is possible that a scammer could be sending an email from a compromised account, it is not always the case. If it comes from a compromised account, it is often harder to prevent. If it is a brand-new email address, simply follow the recommendations below.

How does the scam work?
If an unsuspecting staff person updates the person’s record with the new email address, the scammer then resets the person’s password and logs into the church’s management software using the new email address. They then attempt to harvest any information about other church members and attendees (if possible). Because the user is logging in with legitimate credentials, there is often little we (your church management software) can do to prevent this. They then email fellow church goers and try to trick them into giving gift cards or donating to the church, where the link to the donation page is not a legitimate donation page.

You might be wondering “What can you do to prevent this?”
There are a few things we recommend:

1. If a person is emailing from an email address that is not in the database, DO NOT ACCEPT any changes. You can reply, asking them to email from an email address that is already on their record or to contact the church office (then follow the recommendations below).

2. Have a clear policy and procedure that your staff follow for when and how they should update a person’s record in the database. While your church should come up with your own requirements, here are a few ideas to get you started:

  • If a person reaches out via email, either have a canned response saying that all record update responses must be made via phone and give them the contact information of who to call, or require that a phone call is made to the phone number on their record confirming the change.
  • If a person calls the church office asking to update their record, the person fielding the call should verify other details on their record like what small group they attend, their DOB, and/or family member names. You’ve likely had your bank do something like this to verify your identity when you’ve called them.
  • Whatever you do, make sure all your staff and/or lay leaders who have access to update a person’s record are doing so with caution, knowing that there are people out there trying to scam you.

3. Make sure that all users – both staff and lay leaders – have the appropriate access levels in TouchPoint where they only    have access to the information they need.

  • Have you removed access from former staff, officers, and lay leaders?
  • Is it necessary for lay leaders to be able to update information?

4. Educate your staff and congregants on the risks of cyber threats. Here are a few key points that you can share with    them:

  • Nobody from the church staff will ever reach out via email or social media asking for donations via gift cards, money transfers, or any other means besides what you can find on our church website.
  • If you see odd links in emails or social media leading to donation pages that don’t look legitimate, please report them to a church staff member.
  • Let them know that the best way to donate to your church is from a link directly on your website.

5. Require all staff with admin or finance access to have 2 factor authentication enabled on their account. This adds an extra layer of protection for these users to further safeguard your most sensitive data. 

Our Head of Product, Chris Dolan, recently led a virtual keynote session at a conference for Executive Pastors on Human Firewalls. You can check it out here to learn additional helpful tips.