Holiday giving 2021 – protecting your organization from cyber-theft

By Craig Huss

Before the coronavirus (COVID-19) pandemic, 73% of religious organizations accepted online donations. Today, 93% of religious organizations with more than 100 members offer online giving, and nearly half of organizations with fewer than 50 members provide the option.
That’s good news for churches who want to use Giving Tuesday (and the upcoming charitable holiday season) to help them make up budget shortfalls.
But it can also leave them at risk for cyber-theft.
Craig Huss, assistant vice president, Chief Information Security Officer at Church Mutual

While some people might think a church is unlikely to be the victim of a cyberattack, the opposite is true: Houses of worship and other nonprofits are prime targets for thieves who want to access members’ personal and financial information. When you are looking to safeguard your organization, use the acronym “CESA” to remember the steps you should take with your congregation.

  • Communication — Tell members your authorized methods of giving.
  • Education — Teach them who their point of contact for donations will be, how to spot fake requests and how to report suspicious ones.
  • Smart — As an organization, stay current on cyber-theft trends.
  • Action — Put cybersecurity measures into practice through existing tools and providers.


You probably have already publicized to your congregation ways that members can give. But have you done so recently? If I were to come into your church today and ask every person to name all the methods they can use to give, how many could do so? Frequently communicating your methods of giving has two very important functions: First, the repetition might result in increased giving, which is a benefit for your budget goals. Second, members are more likely to identify when something isn’t right. The more they know, the more they can advocate for themselves when they receive a communication asking for money that comes from a suspicious source.


Once your members are well-versed on the ways they can give, they need to know who to trust. You should limit the number of people who have contact with money — even online — so you can easily track it. Whether it is a staff member or volunteer who handles electronic giving, the members of your congregation should have that person’s contact information and feel comfortable asking questions.

Fake requests range from scams such as a foreign prince who needs to transfer money to a genuine-looking email from a person who claims to be your church’s pastor. Educate your members on how to spot fraudulent requests, and keep your own requests for donations consistent in appearance. For example, an email requesting personal information, or a call to action asking them to click on an external link, is potentially a scam to steal their information.


Every year, cybercriminals become smarter — and so should your organization’s leadership. Make sure you know about the most common types of cybercrime. Phishing — which is the practice of sending emails that appear to be from a reputable company or person to solicit credit card or personally identifiable information (PII) — remains one of the top methods used by attackers. Thieves prey on people’s fears about COVID-19 to convince them to share sensitive information. Cybercriminals use many forms of trickery to incite emotion in their victims, everything from government stimulus checks to prize winnings to emotional stories, hoping to trick victims into sharing their personal information or bank information.

Another malicious form of cyber-theft is ransomware, where the attacker infects the victim’s computer and uses encryption to hold a victim’s information at ransom so they cannot access certain files. To regain access to the information, the victim must pay a fee to the attacker.


There are many ways in which criminals can attack your congregation’s system and individually target members. But there are also many ways you can fight back:

Password protection: The easier a password is to guess, the easier it is for a hacker to access a system. A common mistake is building a password from information that is easy to obtain, such as a birthday or address. Another is using a word that can be found in the dictionary. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recommends using a series of words with symbols replacing letters in some cases. For instance, instead of the password “football,” use 1w@LmGBp! for the phrase “I will always love my Green Bay Packers!” Using a combination of upper and lowercase letters, numbers and special characters creates a password very different from any common word that could be found in a dictionary.

Restrict access to your network: When an employee or volunteer leaves, immediately disable their access and change passwords. Only the people who need to use the system should have access credentials.

Back up critical information: Ransomware could destroy your data, so you should establish a process to regularly back up your computer data and keep the backup separate from your online computer data and files.

Using these steps can help you safely use online giving for your organization and for your members. Continue doing great things for your community — but stay safe at the same time.


