If it hasn’t happened already, sometime soon you are likely to receive an email from your pastor, a teacher or friend, the bishop, or maybe even from yourself, asking for a favor. Be careful! Many of these requests are examples of spear-phishing, the practice of fraudulently sending email or text requests that appear to come from a trusted leader.

The holiday season brings a welcome spirit of generosity and connection. It also brings a predictable rise in cybercrime. Scammers know people are busier, more trusting, and often making year-end donations. For churches and nonprofits, this creates a high-risk moment as they navigate increased giving, reduced staff capacity, and a shared posture of trust that criminals are eager to exploit.

But the reality heading into 2026 is that cyber threats are no longer seasonal—they’re year-round. Faith communities, in particular, have become attractive targets. Attackers view churches as organizations with valuable personal data, public staff information, volunteer-managed systems, and sometimes older technology. Awareness and simple preventative steps are essential parts of protecting our ministries and our people.

Why churches and nonprofits are targeted

Churches and other organizations aren’t being targeted for overly complex reasons. Fraudsters and scam artists target small and mid-sized nonprofits because they assume their defenses are limited. Churches are attractive because they often receive and manage donor and congregant information, online giving platforms, and pastoral care notes and other sensitive records, and they publish leadership directories online to build trust and belonging. They often manage all of this with limited IT staffing and outdated software and hardware.

These characteristics can make churches vulnerable, but we are not helpless. Adopting a proactive and defensive posture can help us avoid many of the following threats, preserving vital resources for the church’s work.

The most common threats in 2025

Spear-phishing and impersonation – Sophisticated scammers now impersonate bishops, pastors, treasurers, district superintendents, and vendors with convincing emails. These messages may request gift cards, wire transfers, or “urgent” financial help. Unlike old phishing scams, today’s messages may be well-written, contextual, and difficult to spot at a glance.

Business email compromise (BEC) – Attackers gain access to or mimic a staff member’s email, then quietly redirect payments, modify invoices, or trick volunteers into sharing credentials.

Fake donation appeals – Fraudulent websites or emails pretending to represent your church may appear during holidays or special giving campaigns. These look increasingly legitimate and often pressure donors to act quickly.

Ransomware and data extortion – Even small churches have experienced ransomware attacks that lock files or threaten to leak sensitive data unless money is paid. Limited budgets and the need for continuity can exacerbate this issue.

Vendor and invoice fraud – Scammers impersonate contractors, service providers, or grant funders, sending fake invoices or “updated bank information” in an attempt to divert funds.

Outdated systems and software attacks – Churches running outdated operating systems, old WordPress plugins, or unpatched computers are easy targets for automated attacks that exploit known vulnerabilities.

How to protect your church

Staff, volunteers, and members of local churches can help mitigate the threats posed by criminals and scam artists. Use extra caution when encountering any of the following red flags:

  • Unexpected financial requests
  • Messages with urgency or secrecy
  • Slightly altered email addresses or odd tone
  • Messages with poor grammar, spelling, or unconventional phrases/greetings
  • Requests to purchase gift cards
  • Unexpected attachments or links
  • Emails claiming a vendor has new payment instructions
  • Donation requests that don’t match your church’s known practices

Adopting some, if not all, of the following simple practices can drastically reduce risk:

  • Verify financial requests by phone using known contact numbers.
  • Enable two-factor authentication (2FA) on all major accounts.
  • Use (and avoid reusing) strong passwords and keep them secure. Don’t make a practice of sharing them.
  • Keep software and devices updated. If a device is too old to update, develop a plan to replace it.
  • Back up critical data in secure cloud storage or offline.
  • Limit administrative access for accounts and platforms to essential staff only.
  • Offer a brief annual training for staff and key volunteers on best practices and policies.
  • Use trusted donation platforms and remind donors that the church will never request gift cards or sensitive information by email or text.

Don’t let these lists intimidate you. Try to address the items you can as you can; perfection can be the enemy of improvement.

Cybersecurity may seem technical, but at its heart, it is stewardship. Good security protects the people we serve and the resources, relationships, and trust they give to us.

As we approach a season of generosity and as we navigate ministry throughout the year, being cautious is one more way we care for the communities we serve.


Generative AI was used to assist with developing some of the content of this article.

Patrick Scriven
Patrick Scriven is a husband who married well, a father of three amazing girls, and a seminary-educated layperson working professionally in The United Methodist Church. Scriven serves the Pacific Northwest Conference as Director of Communications.
