Unfortunately, this is the time of year when scammers try their hardest to create a challenging season, distracting us from the joy that Christmas brings. Many of these come in the form of email scams. The scammers may try to obtain access to the pastor’s accounts and impersonate him/her in communications with the congregation. Read the following blog (a repost) for information about ways to keep this from happening at your church.
Does your church have a policy/procedure for responding to account updates via email and/or phone?
It is vital to be proactive in training your church on how to identify and limit potential data breaches. We recommend that your policies on data safety be reviewed by your staff quarterly and communicated more broadly to your congregation at least twice a year as a helpful reminder.
You might be wondering, “How is this a scam?”
The first thing that is clear is that the person is emailing from a new email address. This email address might look legitimate. We’ve seen examples that follow this format – first.last@outlook.com. While it is possible that a scammer could be sending an email from a compromised account, it is not always the case. If it comes from a compromised account, it is often harder to prevent. If it is a brand-new email address, simply follow the recommendations below.
How do these email scams work?
The scam starts with an emailed request to change the email address on a person's record. If an unsuspecting staff member updates the record with the new address, the scammer resets that person's password and logs into the church's management software using the new email address. They then attempt to harvest whatever information they can about other church members and attendees. Because the scammer is logging in with legitimate credentials, there is often little we (your church management software) can do to prevent this. Next they email fellow churchgoers and try to trick them into buying gift cards or donating to the church through a link that does not lead to the church's legitimate donation page.
You Might Be Wondering, “What Can You Do To Prevent This?”
There are a few things we recommend:
1. If a person is emailing from an email address that is not in the database, DO NOT ACCEPT any changes. You can reply by asking them to email from an email address that is already on their record or to contact the church office (then follow the recommendations below).
2. Have a clear policy and procedure that your staff follows for when and how they should update a person’s record in the database. While your church should come up with its own requirements, here are a few ideas to get you started:
- If a person reaches out via email, either have a standard template prepared saying that all record update requests must be made via phone and give them the contact information of who to call, or require that a phone call is made from the phone number on their record confirming the change.
- If a person calls the church office asking to update their record, the person fielding the call should verify other details on their record, like what small group they attend, their DOB, and/or family member names. You’ve likely had your bank do something like this to verify your identity when you’ve called them.
- Whatever you do, make sure all your staff and/or lay leaders who have access to update a person’s record are doing so with caution, knowing that there are people out there trying to scam churches.
3. Make sure that all users – both staff and lay leaders – have the appropriate access levels in TouchPoint. They should only have access to the information they need.
- Have you removed access from former staff, officers, and lay leaders?
- Is it necessary for lay leaders to be able to update information?
4. Educate your staff and congregants on the risks of email scams and other cyber threats. Here are a few key points that you can share with them:
- Nobody from the church staff will ever reach out via email or social media asking for donations via gift cards, money transfers, or any other means besides what you can find on our church website.
- If you see odd links in emails or social media leading to donation pages that don’t look legitimate, please report them to a church staff member immediately.
- Let them know that the best way to donate to your church is from a link directly on your church’s website.
5. Require all staff with admin or finance access to have two-factor authentication enabled on their account. This adds an extra layer of protection for these users to further safeguard your most sensitive data.
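To show how steps 1 through 5 translate into a concrete checklist a church office could apply consistently, here is an added example that turns the policy into a small decision function plus an access review. This is illustration code written for this post, not TouchPoint's software; the record and request layouts, the field names, the verification questions and the sample data are all assumptions constructed for the example.

```python
"""Policy checks for account-update requests and user-access reviews.

Added example modelled on the steps in the post. Not TouchPoint's code;
the record/request layouts, field names and sample data are assumptions.
"""
from dataclasses import dataclass, field
import re

REJECT, VERIFY_BY_PHONE, ACCEPT = "reject", "verify_by_phone", "accept"


@dataclass
class MemberRecord:
    name: str
    emails: list                 # addresses already on the record
    phone: str                   # phone number on the record
    facts: dict = field(default_factory=dict)  # details a caller must confirm


@dataclass
class UpdateRequest:
    channel: str                 # "email" or "phone"
    sender: str                  # sending address or calling number
    change: dict                 # e.g. {"email": "new@example.com"}
    answers: dict = field(default_factory=dict)  # answers given on a call


def _norm_addr(addr):
    return addr.strip().lower()


def _digits(number):
    return re.sub(r"\D", "", number)


def looks_like_member(sender, record):
    """True when an address NOT on the record is built from the member's
    name (the first.last@... pattern the post describes)."""
    local = _norm_addr(sender).split("@")[0]
    parts = {p for p in re.split(r"[._\-]", local) if p}
    return all(t.lower() in parts for t in record.name.split())


def evaluate(request, record):
    """Steps 1 and 2: return (decision, reason) for an update request."""
    if request.channel == "email":
        sender = _norm_addr(request.sender)
        if sender not in {_norm_addr(e) for e in record.emails}:
            reason = "sender address is not on the record"
            if looks_like_member(sender, record):
                reason += "; address mimics the member's name"
            return REJECT, reason
        # Known address: still require a confirming call from the number on record.
        return VERIFY_BY_PHONE, "known sender; confirm by call from the phone number on record"

    if request.channel == "phone":
        if _digits(request.sender) != _digits(record.phone):
            return REJECT, "call did not come from the phone number on record"
        for fact, expected in record.facts.items():
            given = request.answers.get(fact, "")
            if given.strip().lower() != expected.strip().lower():
                return REJECT, f"verification detail '{fact}' did not match"
        return ACCEPT, "caller verified against the record"

    return REJECT, f"unsupported channel {request.channel!r}"


def review_access(users):
    """Steps 3 and 5: list users who should lose access or need two-factor.

    Each user is a dict with keys name, role, active, two_factor (assumed layout).
    """
    findings = []
    for u in users:
        if not u["active"]:
            findings.append((u["name"], "former staff/leader still has access; remove it"))
        elif u["role"] in ("admin", "finance") and not u["two_factor"]:
            findings.append((u["name"], "admin/finance user without two-factor authentication"))
    return findings


if __name__ == "__main__":
    # Constructed sample data for a dry run.
    jane = MemberRecord("Jane Doe", ["jane@example.org"], "(555) 010-0100",
                        {"dob": "1980-01-02", "small_group": "Tuesday Women"})
    print(evaluate(UpdateRequest("email", "jane.doe@example.com",
                                 {"email": "jane.doe@example.com"}), jane))
    print(evaluate(UpdateRequest("phone", "555-010-0100", {"email": "jane2@example.org"},
                                 {"dob": "1980-01-02", "small_group": "tuesday women"}), jane))
    print(review_access([{"name": "Pat", "role": "finance", "active": True, "two_factor": False}]))
```

The email branch never accepts a change outright: an unknown sender is rejected (with a note when the address is built from the member's name, so staff recognise the impersonation pattern), and even a known sender is routed to a confirming call. The phone branch mirrors the bank-style identity check, failing closed on any mismatched detail.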
Last year, TouchPoint led a virtual keynote session at a conference for Executive Pastors on Human Firewalls. You can check it out here to learn additional helpful tips to prevent email scams and other cyber security attacks.
We are praying for protection over everyone this Christmas season.