Stop the Thief in Your Inbox

Stay vigilant to thwart phishing schemes

A church accountant from Wisconsin opened his email inbox to find a request from his pastor, asking him to send money via wire transfer. The email looked legitimate, but he sensed that something was amiss.

“I thought the email was a little strange, but it definitely looked like it came from our senior pastor,” the accountant said. “I emailed back with a few questions and things just didn’t add up.” When asked directly, the pastor confirmed that he hadn’t sent the request.

As it turned out, the email was part of a phishing scam. In these increasingly common schemes, thieves send emails that appear to be authentic, trying to trick recipients into giving away money or sensitive data like bank account numbers or employee W-2 forms.

“Phishing emails can be difficult to spot, even for tech-savvy people,” says Ryan Tufo, technology support lead at Brotherhood Mutual. Tufo notes that these scams take advantage of potential victims’ grace. “When someone requests help, the natural response is to help them,” he says. “Many of these scammers try to use your helpfulness against you.”

Phishing schemes and data breaches can have serious consequences. In addition to investigations that can cost tens of thousands of dollars, losses often extend beyond money. A breach could also result in identity theft, legal issues, and a tarnished reputation.

Here are a few telltale signs that an email may warrant extra scrutiny:

  • Requests for sensitive information. Legitimate organizations generally don’t ask for sensitive information, like Social Security numbers or bank account information, to be submitted by email. When in doubt, call the sender or visit its website, using contact information you already know to be genuine. Do not enter information if you don’t know why you are being asked for it.
  • Misspellings in the sender’s email address. Thieves may use an email address that looks deceptively similar to a trusted address. For example, if a pastor’s email address is, a hacker may send requests for sensitive information using If an email doesn’t look right, check the spelling of the sender’s address. Or, ask the sender about the email in person. If the request is authentic, you may want to propose a more secure method for sharing the information.
  • Links that lead to unfamiliar websites. Hover your computer’s mouse pointer over the link to reveal the link’s destination. If the web address looks suspicious, investigate before clicking the link.


Similar scams can be delivered by phone. Using a technique known as “pretext calling,” thieves pretend to be someone else in efforts to gain personal information. For example, someone may call claiming to work for a trusted vendor, using details from the church website to convince a church employee that the caller is authentic. After establishing trust, the caller may ask for sensitive information such as a church membership log with addresses, birth dates, and other data. If you suspect a call is part of a scam, avoid giving information and contact the organization using contact information you know is legitimate.

Have Help Available

When your ministry has computer questions, who can you call for help? A trusted go-to person can be very valuable, whether the person is a paid staff member, an outside vendor, or a volunteer with a background in information technology.
When hiring or appointing technology consultants, consider:

  • Job scope. A volunteer technology team may be enough to serve a small church with a few laptops. A megachurch with dozens of employees and extensive technology will likely require a larger investment. Make sure the personnel you deploy can handle the task, both in numbers and expertise.
  • Technical qualifications. Research the people who will serve your technology needs. Are they well-meaning helpers who simply enjoy working with computers, or are they experienced professionals with official certifications? Give preference to trustworthy people who have strong backgrounds in the technology field.
  • Responsiveness. When you need help, you want someone who will respond right away. Look for someone who will view your ministry as a priority client. Also, it’s a good idea to ask a technology consultant to train all ministry employees and volunteers to recognize and avoid scams.


Follow the ministry’s standard background screening process when appointing a technology consultant or team. A good screening process includes a written application, a background check, a reference check, and a personal interview. If hiring a third-party technology vendor, look for a company with a good reputation and screening procedures that are similar to the ones your ministry uses.

Creating a Response Plan

If multiple church members report credit card fraud or ministry computers start behaving strangely, it may be time to look into a possible data breach. Following an organized response plan can help lead your ministry to a quick, structured response, limiting data losses and smoothing the recovery process. Major points to address in a response plan include:

  • Contacting your insurance agent. If you suspect a breach has occurred, notify your insurance agent right away. Many insurers offer cyber liability coverages that can help pay for expenses associated with data breaches. For example, Brotherhood Mutual offers Broad Scope Cyber Liability coverage. Your agent can tell you what types of coverage your policy includes, and can begin gathering information for a potential insurance claim.
  • Investigating possible breaches. Know who your ministry would call to look into a suspected data breach. It’s best to leave investigations to a qualified, third-party technology vendor. If a breach occurred, the investigators can begin taking steps to resolve the situation.
  • Working with an attorney. Once a breach is confirmed, it’s best to contact a locally licensed attorney. An attorney can help the ministry understand and carry out its legal responsibilities, which may include notifying those affected by the breach and offering credit monitoring services.
  • Preparing a sample notification letter. If you have to notify people that their information may have been stolen, having a sample notification letter ready can help meet these requirements quickly. The Federal Trade Commission’s Bureau of Consumer Protection offers a helpful resource that gives guidance on how to respond to a data breach and identity theft. The bureau also provides a sample notification letter.


Have an attorney review your data breach response plan before putting it into practice. This helps ensure that the plan fulfills the laws that apply to your ministry.

“Data breach response plans are common in the business world,” says Aaron Smith, information security program architect at Brotherhood Mutual. “A good plan improves the organization’s ability to respond when a breach occurs.”

By adding strong security measures and training workers to avoid phishing hooks, your ministry can increase the likelihood of avoiding a data breach.