Millie is responsible for running payroll at her church. She receives an email from the
pastor who’s currently on vacation. In the email, the pastor states that he has changed
banks. He supplies a new account number and routing number, and requests the change be made
today. Millie complies. Several days later, she receives a phone call from the vacationing
pastor. He asks why his pay was not deposited in his account. Millie explains that she made the
banking change as he requested. After a pause, the pastor says, “I never made that
request.”
Cyber thieves use techniques called social engineering to get you to act before you think.
“Unfortunately, this particular scam and others like it are far too common for
churches,” said Caleb Sloan, operations manager for MinistryWorks. “The result can be
stolen funds, stolen information, or ransomware placed on your computer network, any of which can
tie up your organization’s resources or even cripple your operations.”
A common scam, especially at tax time, is a request for
employees’ W-2s that appears to come from a person of authority within your
organization.
Social Engineering: Common Tricks
Cyber thieves often use easy-to-obtain information culled from your organization’s social
media or website to appear credible. Using that information and the following techniques, a thief
can prey on your trust:
- Phishing, vishing, and smishing use email, phone calls, and text messages, respectively, and
lean on surprise, scare tactics, or fear of imminent danger to rush you into acting.
- Spear phishing is a targeted phishing attack that personalizes an email to
make it appear legitimate.
- Spoofing imitates an email address or website to make you think you’re
interacting with someone you know. Spoofers typically change a single character or the domain
ending and hope you won’t notice. Example: CFO@dtcollege.edu (real) and CFO@dtcollege.com (fake).
- Pretexting creates a story in order to gain your trust to manipulate you into
thinking the scammer is legitimate or in a position of authority. For example, someone might
impersonate a vendor you typically use to gain access to your computer systems or pretend to be
a bank representative to con you into divulging your account information.
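The spoofing example above (dtcollege.edu versus dtcollege.com) lends itself to a simple mechanical check before anyone acts on a request: compare the sender's domain against the short list of domains your organization actually trusts and hold anything that is a near miss for verbal verification. The Python below is an added illustration, not code from the article or from MinistryWorks; the trusted domain dtcollege.edu is taken from the article's example, while the second trusted domain and all sample addresses are constructed for the demonstration. It flags two kinds of lookalike: the same name with a different ending, and any domain within one character edit of a trusted one.

```python
# Added example (not from the MinistryWorks article): flag sender addresses whose
# domain is a near-miss of a domain your organization actually trusts.
# dtcollege.edu comes from the article's spoofing example; examplebank.example and
# the sample addresses below are constructed for illustration.

TRUSTED_DOMAINS = {"dtcollege.edu", "examplebank.example"}  # constructed allowlist


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution (0 if equal)
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Split 'dtcollege.edu' into ('dtcollege', 'edu'): the name and its ending."""
    name, _, suffix = domain.rpartition(".")
    return name, suffix


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """
    Classify the domain part of an email address:
      'trusted'   - exactly matches an allowlisted domain
      'lookalike' - same name with a different ending (dtcollege.com vs .edu),
                    or within one character edit of a trusted domain
      'unknown'   - none of the above (no opinion either way)
    Domains are case-insensitive, so everything is lowercased first.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    name, suffix = split_domain(domain)
    for good in trusted:
        good_name, good_suffix = split_domain(good)
        if name == good_name and suffix != good_suffix:
            return "lookalike"          # the article's .edu -> .com trick
        if edit_distance(domain, good) <= 1:
            return "lookalike"          # one swapped, dropped or added character
    return "unknown"


def flag_suspicious(addresses, trusted=TRUSTED_DOMAINS):
    """Return the addresses that should be held for verbal verification."""
    return [a for a in addresses if classify_sender(a, trusted) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample senders for a payroll or accounts-payable inbox.
    samples = [
        "CFO@dtcollege.edu",         # genuine
        "CFO@dtcollege.com",         # article's fake: same name, different ending
        "payroll@dtco1lege.edu",     # digit 1 swapped in for the letter l
        "vendor@unrelated.example",  # not a lookalike of anything we trust
    ]
    for addr in samples:
        print(f"{addr:28} {classify_sender(addr)}")
    print("hold for verification:", flag_suspicious(samples))
```

The check is deliberately narrow: it only knows the domains you tell it about, and it says "unknown" rather than "safe" for everything else, so it supports the verbal-verification habit the article describes instead of replacing it.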
Outsmart the Scammers
Once you know cyber thieves’ methods, you can begin to thwart the attacks. “You
can make your ministry less of a target,” said Sloan. “With just a few simple but
highly effective processes and controls, you can stop scammers from being successful.”
Here are four ways you can outsmart their treachery:
- Verbal verification. Sloan says to simply ask the person face-to-face or
by phone when a request for sensitive information seemingly comes from within your
organization. Never hit “reply” to an emailed request. Use a familiar phone
number or the listed number for the business—such as a bank—to verify the
request.
- Two-factor authentication. Two-factor authentication takes security to a
new level. It requires users to have a password and an additional method of verification,
such as a PIN texted to a smartphone, before they can gain access to an account.
MinistryWorks recommends using two-factor authentication on all accounts that offer the
option. Even if your password is stolen, hackers won’t be able to access your account
because they won’t have the PIN sent to your smartphone.
- Two-person verification. To help guard against an “urgent
ask,” develop a two-person verification procedure. This ensures that no one person can
distribute ministry funds alone, for any reason. This may include a written document for all
monetary requests that is signed by two people with the authority to do so. Train staff to
say “no” if procedures aren’t followed.
- Manage your passwords. Passwords help protect systems and data from
unwanted access, but they can create a false sense of security. With so many separate
accounts that require passwords, it’s common for people to use the same password
across multiple systems and accounts. If hackers steal a password on one site, they easily
can gain access on other sites you use. A simple remedy is to use a reputable password
manager.
Take the time to educate your clergy and staff to recognize the red flags of social
engineering. Then develop and train on control measures to protect against accidental fraud.
Sloan said it’s okay to be suspicious. “Social engineers use our desire to be good
servants against us. If you receive an email requesting an account change or someone shows up
without an appointment to fix your computers, take a moment. Stop and verify.”
Think Before You Click
Whenever you receive an email, text message, or phone call that requests immediate action,
especially a transfer of funds, take a minute to run through the following questions:
- Were you expecting it?
- Is it a known problem that you need to address?
- Did you receive an email when a phone call or in-person conversation would have been
more appropriate?
- Can you independently verify the request?
Posted on May 2, 2022
The information in this article is intended to be helpful, but it does not
constitute legal advice and is not a substitute for the advice from a licensed attorney in your
area. We strongly encourage you to regularly consult with a local attorney as part of your risk
management program.