Email Phishing Scams Increasingly Target Churches
On Aug. 13, the rector of the 160-plus member Good Shepherd Anglican Church near Charlotte, N.C., sent an urgent warning to parishioners about an email claiming to be from him. The email requested donations in the form of gift cards — a known tactic used for phishing scams in which criminals deceive victims into revealing sensitive information.
“Please know that neither I nor anyone from our church will ever request funds via a gift card or any unconventional methods,” said Rev. David Libbon, noting how the sender’s email address differed slightly from his own.
Around the same time, multiple churches in Gilmer County, Ga., were hit by a similar phishing scam. Pastor Chad Hall of Cartecay Baptist Church showed local news outlet accessWDUN an email purporting to be from him and asking for responses to “a request I need you to handle discreetly.”
“You’re trying to do good out there, and you’re trying to minister to a congregation, and then you get this,” Hall said. “They love their pastor, they think something’s going on with him when they see an email like this.”
These incidents were far from isolated, as churches and nonprofits both large and small increasingly find themselves in the cross-hairs of email scammers.
According to the FBI’s Internet Crime Report, cyber crimes have steadily risen over the last five years, while financial losses from such crimes have skyrocketed. The FBI reported that in 2024, the most commonly reported cyber crime was phishing/spoofing. At 193,407 complaints, phishing far outpaced the second most reported crime, extortion, which had just 86,415 complaints.
While the total phishing crimes reported to the FBI dipped significantly from the previous year, the financial impact was dramatically higher. In 2023, victims lost $18.7 million. In 2024, that number jumped to $70 million. Phishing losses were even higher in 2022, at $160 million.
Experts say that as organizations have implemented more sophisticated cybersecurity defenses, criminals have resorted to phishing as a workaround. In many cases, those scams target churches.
“Phishing attacks have increased at an alarming rate in recent years, with reports showing a 58 percent increase in global phishing attacks from 2022 to 2023,” wrote IT expert Marcelo Barros in a January article for Cyber Defense Magazine.
“One of the main reasons phishing continues to be effective is its focus on deep-rooted human emotions. Rather than seeking to overcome cyber defenses with computing power or zero-day exploits, it overcomes them by exploiting fear, greed, and empathy,” Barros said.
In a January article for Medium, cybersecurity analyst Dami Olusanya warned that “churches and faith-based organizations are increasingly becoming targets for cybercriminals through data breaches and ransomware attacks.”
Olusanya said nearly 43% of North American cyberattacks target ministries and nonprofits, and that it is a mistake for churches to assume they are too small or don’t have the type of data to interest criminals. To the contrary, churches’ lax cybersecurity defenses can make them an attractive target for phishing, malware and ransomware attacks.
“A cyberattack can damage the church’s reputation, making members hesitant to share personal or financial information,” Olusanya said. “Prevention is crucial to maintaining trust within the community.”
Olusanya advises churches to build a culture of cybersecurity awareness. Workers, staff and volunteers should receive regular training so they won’t be duped by phishing emails or suspicious links. Robust firewalls and filters can stop phishing emails from reaching intended victims in the first place, and a guest Wi-Fi network can meet the needs of visitors without compromising sensitive data.
“While faith leaders focus on spiritual growth, they must also recognize that stewardship extends to protecting the church’s digital assets and its congregation,” Olusanya said.
The problem, according to Church Tech Today, is that “churches operate in high-trust, low-tech environments.” Email addresses are publicly listed, volunteers handle tech or admin work, and members tend to trust messages purportedly sent by leadership.
“Nonprofits have one of the highest phishing click rates among all sectors, with some church teams experiencing up to 34% failure rates in simulations,” Church Tech Today reported.
The Modern Nonprofit asserts that 70% of nonprofits do not have formal cybersecurity policies, despite 60% having reported a cyberattack in the last two years. This gap has led some agencies to focus on filling the need.
One such agency is Sightline Security, founded by Dr. Kelley Misata.
In a May interview with SecurityWeek, Misata said cybersecurity professionals have often assumed nonprofits have no interest in, or money to pay for, their services. She faults the industry for failing to listen to nonprofits’ needs or get acquainted with their missions.
“Nonprofits operate mission-first,” Misata said. “Trying to chase every new technology trend isn’t realistic. Staying grounded in your mission will help you make better choices about where to invest your limited resources.”
Even if a church or nonprofit lacks the budget for a major cybersecurity overhaul, it can implement some best practices to avoid falling victim to simple phishing scams.
Church Tech Today recommends five steps, including training all staff and volunteers, using two-factor authentication wherever possible, encouraging staff to forward suspicious emails to the tech lead, posting lists of trusted links, and hiring the services of agencies such as HigherGroundIT.com for training through simulated phishing attacks.
This article was originally published at MinistryWatch.
Tony Mator is a Pittsburgh journalist, copywriter, blogger and musician who has done work for World magazine, The Imaginative Conservative and the Hendersonville Times-News, among others. Follow his work and observations at twitter.com/wise_watcher.