There are two email scams occurring with increasing frequency. These scams hurt churches in two ways, by stealing finances and by breaking congregational trust. What are these scams? What can or should you do about them? What should you do if you find yourself a victim of a scam?
Each of the two email scams appears to come from the pastor or a trusted member of church leadership.
The first scam directs emails at church staff. In it, “the pastor” asks the recipient to send funds or gift cards with PINs. This has been going on for a few years and has caught many churches by surprise. The good news, if there is any, is that the scam is usually only targeted at staff.
The second scam is worse because it targets congregants. In an email that seems to be from “the pastor” or a trusted church leader, congregants are asked to wire funds or send gift cards with PINs. This one hurts more because it becomes more widely known in your congregation than the first type of scam. It can break the trust that congregants have in the church’s communication systems. It is such a serious threat that the U.S. Federal Trade Commission posted a blog about it on July 29, 2019.
How Do the Scams Happen?
Churches want to be open and welcoming communities, especially for those whom they are trying to reach. So churches publish staff structures and biographies on their websites. This is a good thing that can unfortunately also arm predators with the details needed to launch a valid-appearing campaign. A predator might even email the pastor to try to get a response, and thus capture the pastor’s email signature!
For the first scam, the predator can easily identify who to email on staff for a money transfer. For the second scam, it takes a little more skill. Either a data breach is needed, or access to big data that can identify those who have been on the church campus during worship hours based on smartphone pings.
Armed with this information, predators can trick many into falling prey to these scams.
What Can You Do?
Churches want a simple comprehensive technological fix for these scams. Because they are one-off campaigns, there isn’t a simple fix. So what can you do to protect your church, staff, and congregants?
The only technical step that might help is to contact your church IT experts. Have them confirm that your DNS SPF, DKIM, and DMARC records are correct and complete. A commonly missed item is in the SPF record: be sure it lists only the acceptable sources of yourchurch.org’s email.
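As an illustration of what that review covers, here is an added example (not part of the original article) that audits the text of an SPF record and a DMARC record without touching DNS. The function names, the mail host `_spf.mailhost.example`, the IP address, and the report mailbox are constructed for the example; paste in the record values your DNS provider shows for your own domain.

```python
# Added example: offline audit of constructed SPF and DMARC TXT record values.

def audit_spf(txt_records):
    """Return (sources, findings) for the TXT records at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [], [f"expected exactly one SPF record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    findings = []
    if not alls and not any(t.startswith("redirect=") for t in terms):
        findings.append("no 'all' term: unlisted senders are not failed")
    for t in alls:
        if t in ("all", "+all"):
            findings.append("'+all' authorizes every server on the internet")
        elif t in ("?all", "~all"):
            findings.append(f"'{t}' does not hard-fail unlisted senders; '-all' does")
    # Everything except the 'all' term is a source allowed to send as the domain.
    return [t for t in terms if t not in alls], findings

def audit_dmarc(txt):
    """Return findings for the TXT record value at _dmarc.<domain>."""
    pairs = (part.partition("=") for part in txt.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: receivers are asked to take no action")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports are sent to you")
    return findings

# Constructed samples: a loose configuration beside a strict one.
LOOSE_SPF = ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 ~all"]
STRICT_SPF = ["v=spf1 include:_spf.mailhost.example -all"]
LOOSE_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourchurch.org"

if __name__ == "__main__":
    for name, spf, dmarc in (("loose", LOOSE_SPF, LOOSE_DMARC),
                             ("strict", STRICT_SPF, STRICT_DMARC)):
        sources, findings = audit_spf(spf)
        print(name, "sources:", sources)
        for f in findings + audit_dmarc(dmarc):
            print("  -", f)
```

The returned source list is the part to read against the "only acceptable sources" advice: every entry in it is a system allowed to send mail as your domain, so anything your church no longer uses should be removed.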
Policies to Avert the Scams
- Leadership should set a policy that any requests for money, gift cards, payroll changes, A/P payee changes, or wire transfers must occur face-to-face or through some other verifiable method.
- A phone call that sounds suspicious can be too easily explained away as caused by a cold, bad connection, and so on. A video call might be considered a valid face-to-face request.
- Train staff on what to look for and to whom on the team it should be reported.
The second scam is more challenging because it targets congregants.
- Leadership should set an enforceable policy that all church-related email from staff members must be sent from the church’s email system. No email should come from another email system. For instance, all email must be sent from a team member’s yourchurch.org email address, and never from a gmail.com or similar account.
- Communicate to your congregation a summary of the scam and inform them that:
  - Church staff will only email them from the yourchurch.org email address.
  - No one on staff will ever ask them for money or gift cards to support the church or another cause without also announcing it officially on the church’s website.
Unfortunately, some staff won’t like being forced to use the church’s email system. But this is a serious threat, and they have a job at the church, so the policy is appropriate. Some staff may argue that the church’s email system domain can be spoofed. While that might be true, these campaigns usually come from a gmail.com address or some similar system.
If you see or experience these scams, report them to the federal government. A report can take five to ten minutes. Your report might provide the exact piece of information that helps the authorities connect all the dots and catch a predator.
There are two places to report such activity: