
Securing Your Church Office From Online Threats and Scams

By Rollie Dimos | Church Administration

In today's digitally driven world, church offices are just as susceptible to online threats and scams as any other organization or individual. Unfortunately, many churches have already been victims of online scams. For example:

  • A cyberattack targeted the Mormon Church and gained access to some of its computer systems which included personal data of members, employees and contractors.
  • Using a legitimate-looking email address, scammers posed as a local pastor and asked several church attendees to purchase iTunes, Google Play and Amazon gift cards for the pastor to give away. Once the scammers obtained the card number and PIN of a gift card, they had immediate access to the money loaded on it.
  • A pastor in Oregon replied to an official-looking email, supposedly from Yahoo, that asked for her login information. She completed the form and was immediately locked out of her account. At the same time, her friends started getting emails from “her” saying she had been robbed while ministering overseas and needed $1,400 wired to a specific account in order to get back home.
  • One pastor fell victim to an email scheme and lost $48,000. An unsolicited email from his credit card company appeared authentic but was really a phishing scheme asking for personal account information. The pastor replied to the email, and the scammers immediately accessed his credit card account.

These stories highlight the fact that protecting sensitive information and ensuring the safety of your congregation's data and finances is crucial.

Here are ten strategies to safeguard your church office from online threats and scams.

1. Educate and Train Staff
The first line of defense against online threats is an informed and vigilant team. Conduct regular training sessions to educate staff about the common types of online scams, such as phishing emails, malware, and ransomware. Teach them how to recognize suspicious links and emails, and make sure they understand why sensitive information must never be shared in response to an unsolicited request.

Here are some tips for recognizing suspicious links and emails:

  • URL Mismatch: Hover over the link without clicking it. If the address shown in the status bar doesn't match the text of the link, it's a red flag.
  • Unusual Domain Names: Look out for strange or unfamiliar domain names, and for domains altered slightly to mimic legitimate ones: a digit 1 in place of a lowercase l, an extra word like "support" or "secure", or a different ending (.net instead of .com).
  • Unfamiliar Sender: Check the sender's actual email address, not just the display name. The display name is trivially faked; if the address after it doesn't match the company or person the message claims to be from, be cautious.
  • Unexpected Attachments or Links: Be wary of unsolicited emails with attachments or links, especially if you weren't expecting them. Documents that ask you to "enable content" or "enable macros" are a common way of delivering malware.
  • Poor Grammar and Spelling: Many phishing emails contain noticeable grammatical or spelling errors. The reverse isn't true, though: a polished, error-free message can still be a scam, so never treat good writing as proof of legitimacy.
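The checks above can be automated. The following Python script is an added example, not part of the original article: it parses a raw email, extracts the From address and every HTML link, and reports the URL-mismatch, lookalike-domain, sender-mismatch and risky-attachment red flags. The trusted-domain list and the sample message are constructed for illustration, and the lookalike test (an edit distance of at most two from a trusted domain, or a trusted brand name embedded in the hostname) is a deliberately simple heuristic.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical list of organisations the office deals with; adjust to your own.
TRUSTED_DOMAINS = sorted({"paypal.com", "amazon.com", "microsoft.com", "yahoo.com"})
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".zip", ".docm", ".xlsm", ".html")
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-case hostname of a URL or bare domain; '' if the text is not one."""
    text = text.strip()
    if not URL_LIKE.fullmatch(text):
        return ""
    return (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()


def registrable(host):
    return ".".join(host.split(".")[-2:])  # 'login.example.com' -> 'example.com' (ignores .co.uk etc.)


def edit_distance(a, b):
    """Levenshtein distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """Trusted domain that `host` imitates (typo or embedded brand name), else None."""
    if registrable(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(registrable(host), trusted) <= 2 or trusted.split(".")[0] in host:
            return trusted
    return None


def phishing_indicators(raw_message):
    """Return human-readable findings for the red flags listed above."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # Unfamiliar sender: display name uses a trusted brand, address is elsewhere.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and registrable(sender_domain) != trusted:
            findings.append(f"sender claims to be {brand} but writes from {sender_domain}")
    # URL mismatch and lookalike domains in the HTML body.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            href_host, text_host = host_of(href), host_of(text)
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
            imitated = lookalike(href_host)
            if imitated:
                findings.append(f"{href_host} looks like {imitated} but is not")
    # Unexpected attachments of executable or macro-capable types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings


def build_sample():
    """Constructed sample: lookalike sender, mismatched link, macro-enabled attachment."""
    m = EmailMessage()
    m["From"] = '"PayPal Support" <alerts@paypa1.com>'
    m["Subject"] = "Action required: your account is limited"
    m.set_content("We noticed a problem with your account.")
    m.add_alternative('<p>We noticed a problem with your account.</p>\n'
                      '<a href="http://paypa1.com/login">https://www.paypal.com/signin</a>\n', subtype="html")
    m.add_attachment(b"not a real document", maintype="application", subtype="octet-stream", filename="Invoice.docm")
    return m.as_string()
```

Running `phishing_indicators(build_sample())` reports all four red flags for the constructed message; a plain note from a known address produces an empty list. The script is a training aid rather than a mail filter: it reads the hostnames as written, so it will not catch a link to a compromised but otherwise legitimate site, and the edit-distance rule will occasionally flag an unrelated short domain.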

2. Be Wary of Social Engineering Attacks
Social engineering attacks manipulate people into divulging confidential information or taking an action, such as sending money, that they otherwise wouldn't. Encourage staff to be cautious when sharing information over the phone or by email, and to verify the identity of the requester before providing any details. Verification should use contact details you already have (the number on the back of the card, the pastor's known cell number), never a number or link supplied in the suspicious message itself. Remind staff that legitimate organizations do not ask for passwords, PINs, or full account numbers in an unsolicited email or phone call.

Many attacks include what I call the four “P’s”: the sender pretends to be someone you trust, states there is a problem with your account, credit card, or identity, asks for payment to fix the issue, and pressures you to send the money right away. Be wary when you see these red flags, and especially when payment is demanded in gift cards, wire transfers, or cryptocurrency, since those are hard to reverse.

3. Use Strong, Unique Passwords
Encourage staff to use strong, unique passwords for all their accounts. Passwords should be at least 14 characters long and include a mix of uppercase and lowercase letters, numbers, and special characters. Another idea is to string together several unrelated words into a passphrase that is easy to remember but difficult to guess; length does more for security than a sprinkling of symbols, so a five-word passphrase is a better choice than a short password with a 1 and a ! tacked on the end.

Since it's essential to use a different password for every account (a password stolen from one site is immediately tried against others), consider implementing a password management app to store and manage passwords securely. A password manager generates new, random passwords and stores them for you, so staff only need to remember one strong master passphrase. Protect that master passphrase with MFA, because the manager holds every other credential. A few password managers to consider include NordPass, 1Password and LastPass.

4. Enable Multi-Factor Authentication (MFA)
Multi-factor authentication adds an extra layer of security by requiring users to verify their identity through more than one method. These fall into three categories: something they know (a password or PIN), something they have (a smartphone or hardware key), and something they are (biometrics like a fingerprint or facial recognition). MFA significantly reduces the risk of unauthorized access, even if a password is compromised. Turn it on first for email, since an attacker who controls a mailbox can reset the passwords of most other accounts, and then for online banking and giving platforms.

MFA options include time-sensitive codes sent via text message or email; codes generated by authenticator apps from Google or Microsoft; and physical hardware keys like YubiKey or Google Titan. They are not all equal: text and email codes can be intercepted or tricked out of a user by a convincing fake login page, and app-generated codes can be relayed the same way, whereas a hardware security key used with FIDO/WebAuthn is tied to the genuine website's address and will not authenticate to an impostor. Use the strongest option the service supports.

5. Install Antivirus and Anti-Malware Software
Ensure that all computers and devices used in the church office have up-to-date antivirus and anti-malware software installed, with automatic definition updates turned on. These programs help detect and remove malicious software that could compromise your security, but they only catch what they already recognize, so they complement staff training rather than replace it.

6. Regularly Update Software and Systems
Ensure all software and systems are regularly updated to protect against known vulnerabilities. This includes operating systems, web browsers, and any specialized church management software. Enable automatic updates whenever possible to ensure you're always running the latest, most secure versions. This applies to all computers, tablets and phones used by staff, and to any computer systems attached to sound or video projection systems, which are easy to overlook because nobody reads email on them.

7. Backup Data Regularly
Regular data backups are crucial for recovering from cyberattacks, ransomware in particular. Implement a robust backup strategy that includes both onsite and offsite copies, and keep at least one copy offline or otherwise disconnected from the network, since ransomware will encrypt any backup drive it can reach. Ensure that backups are performed regularly and test the restoration process periodically to confirm your data can actually be recovered in an emergency.

Both Windows and macOS have built-in backup tools. Windows 10 and 11 include File History and a full-disk backup feature; macOS users can use Apple's Time Machine. Microsoft and Apple also offer cloud storage through OneDrive and iCloud, but be aware that a folder that simply syncs to the cloud is not a backup: a file that is deleted or encrypted by ransomware is synced in that state too, so you need version history or a separate backup copy. These free options are well worth using but may lack some of the extra benefits of a paid, standalone backup solution like iDrive, Backblaze or Acronis True Image.

8. Secure Your Network
A secure network is essential for protecting your church office from online threats. Use a reliable firewall to monitor incoming and outgoing traffic and block unauthorized access. Encrypt your Wi-Fi with WPA2 at a minimum, using WPA3 where your equipment supports it, and never leave WEP or an open network in place. Change the router's default administrator password, and set up a separate guest network for visitors and for devices like smart TVs and streaming sticks so that they cannot reach the office computers.

9. Limit Access to Sensitive Information
Implement the principle of least privilege, which means granting staff the minimum level of access necessary to perform their duties; day-to-day work should not be done from an administrator account. This limits the damage from accidental or intentional data breaches and from malware running under a user's account. Regularly review and update access permissions to ensure they remain appropriate, and remove accounts promptly when staff or volunteers leave.

10. Develop an Incident Response Plan
Finally, create an incident response plan outlining the steps to take in the event of a cyberattack. This plan should include contact information for key personnel, procedures for containing the threat (for example, disconnecting an infected computer from the network rather than powering it off, and resetting the passwords of any compromised accounts), whom to call at your bank if money has been sent, and steps for notifying affected individuals. Regularly review and update the plan, and walk through it with staff so that the first time they read it isn't during an emergency.

To keep up to date on online threats and scams, visit the Federal Trade Commission's consumer advice pages on Online Privacy and Security at consumer.ftc.gov.

 

These ten steps may seem daunting at first glance, but they don't have to be overwhelming. Take each step one at a time and set a goal of implementing them all over a three- to six-month period. Once completed, these ten steps will reduce the risk of data or finances being compromised and help ensure your church's resources are stewarded in a safe and secure manner.

 


1445 N. Boonville Ave. Springfield, MO 65802-1894 417-862-2781 ext. 4120
2020 by the General Council of the Assemblies of God