Protect your church from simple scams. Watch for urgent pastor emails (gift cards), fake donation links, & malware. Awareness is your best, free defense.
Mission Guard Team
October 23, 2025 · 6 min read
You don't need to be a technical expert to be a target. In fact, most cybersecurity attacks on churches aren't high-tech hacks; they're simple scams that prey on your trust and your desire to help.
Let's be honest: the word "cybersecurity" sounds complex, expensive, and frankly, like something for banks or big corporations. But for a church, it's not really about complex technology. It's about stewardship.
It’s about protecting your people, your donations, and the reputation you’ve worked so hard to build.
Scammers target churches because you are trusting and mission-focused. They know you want to help, and they use that to their advantage. The good news is that your best defense isn't a costly software package—it's awareness.
Let's look at five common tricks and the simple, no-cost ways to stop them.
1. The "Urgent" Pastor Email
What it looks like: You get an email that looks like it's from your senior pastor or a church leader. The message is urgent: "I'm in a meeting and can't take calls, but I need you to do me a favor. A parishioner is in the hospital (or some other urgent need), and I want to send them some gift cards. Can you please go buy $200 in Target or Amazon gift cards and just email me the codes off the back? I'll reimburse you."
Why it works: It uses the pastor's authority and a strong sense of urgency. It pulls on your heartstrings and your desire to serve. You want to be helpful, so you act quickly without thinking.
The Simple Fix: Create a verbal-only policy for all financial requests. Any request for money, gift cards, or wire transfers must be confirmed with a live phone call to a known number. A text message or email is not enough. If the "pastor" says they can't talk, that's your #1 red flag.
What it looks like: An email arrives in your inbox from "Tithe.ly," "Pushpay," "Subsplash," or whatever platform you use for online giving. It looks official, with the right logos and colors. The subject line is something like "Action Required: Problem with Your Giving Account" or "Please Verify Your Login." It urges you to click a link to log in and fix the problem.
Why it works: It creates panic. This is your church's financial lifeline, and the thought of it being "broken" is scary. You click before you check. The link, however, goes to a fake website designed to steal your administrative password.
The Simple Fix: Never click a login link in an email. Ever. If you get an email like this, go to your web browser and manually type in the correct address for your giving platform (e.g., tithe.ly) or use a bookmark you have already saved. If there's a real problem, you'll see it when you log in safely.
3. The "Update Your Directory" Phish
What it looks like: This email often goes to a church administrator, elder, or a key volunteer. It says, "We're updating the church directory for 2026. Please open the attached Excel file to confirm your contact details and make any changes."
Why it works: This sounds like a perfectly normal, routine administrative task. But the attached file (it could be an Excel, Word, or .zip file) doesn't contain a directory. It contains malware—a type of malicious software that can lock up your computer for ransom or steal your saved passwords.
The Simple Fix: Have a clear process. Never open attachments you weren't expecting. Designate one person (like the church secretary or administrator) to be the only person who manages and sends directory updates. If you get a file you didn't ask for, even from a name you know, call them at a known number to confirm they meant to send it.
4. The Fake Invoice
What it looks like: You get an email with an attached invoice from a vendor you "use," like "Office Solutions" or "Sanctuary Sound Systems." It says your payment for $189.50 is overdue for printer toner or microphone cables.
Why it works: The amount is small enough to not trigger major scrutiny, and it seems plausible. The church treasurer or bookkeeper, wanting to be a good steward and pay bills on time, might pay it just to clear the books.
The Simple Fix: Have a two-person approval process for all invoices. The person paying the bill (the treasurer) should get a separate "OK" from the person who received the goods or services (the admin, facilities manager, or worship leader). This simple check stops fake invoices cold.
5. The "Helpful" Tech Support Call
What it looks like: The church office phone rings. The caller ID might even say "Microsoft" or "Comcast." They say, "We've detected a virus on your computer, and we need to help you remove it immediately. Please go to this website and type in this code so we can connect to your computer and fix it."
Why it works: It sounds helpful, and the technical jargon is intimidating. They prey on a fear of "getting a virus." But the website they send you to gives them complete remote control of your computer, allowing them to steal files, install malware, or access your online bank account.
The Simple Fix: Remember: Microsoft, Google, and your internet provider will never call you to tell you about a virus. They just don't do that. Hang up immediately. If you're worried, have a trusted local IT person (or a tech-savvy volunteer) take a look.
Your Next Step: Share This Knowledge
As you can see, protecting your mission from these attacks doesn't require a big budget or an IT degree. It starts with awareness and building simple, clear policies. The most powerful defense you have is a staff and volunteer team that knows what to look for.
Don't keep this information to yourself. At your very next staff, elder, or key volunteer meeting, share these three simple rules:
VERIFY all financial requests with a live phone call.
NEVER click login links in emails. Type the address yourself.
NEVER open unexpected attachments. Call to confirm.
Ready to build a stronger defense? Start with Step 1 in our 5-Step Plan.