For the first scam, the predator can easily identify who to email on staff for a money transfer. For the second scam, it takes a little more skill. Either a data breach is needed, or access to big data that can identify those who have been on the church campus during worship hours based on smartphone pings.
Armed with this information, predators can trick many people into falling for these email scams.
What Can You Do?
Churches want a simple, comprehensive technological fix for these scams. Because each one is a one-off, hand-written campaign rather than mass-mailed malware, there isn't one. So what can you do to protect your church, staff, and congregants?
Technical Issues
The only technical step that might help is to ask your church IT experts to confirm that the DNS SPF, DKIM, and DMARC records for yourchurch.org are correct and complete. A commonly missed item is the SPF record: it must list only the legitimate sources of yourchurch.org's email and end with a hard fail (-all), not the soft fail (~all) that many providers' setup guides leave in place, and the DMARC record should carry a reject policy (p=reject) plus a reporting address so you can see who is attempting to forge the domain. Be clear about what these records do and do not do: they let receiving mail servers reject messages that forge the yourchurch.org domain, but they cannot stop a message sent from a free webmail account that merely puts a staff member's name in the display name.
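As an added example (not code from the original article), here is a small Python linter for the two DNS records the IT check above covers. It runs offline on record strings you paste in; the records below are constructed, and yourchurch.org and the 203.0.113.0/24 address range are placeholders. It flags the settings that quietly leave a domain spoofable: a soft-fail, "+all" or missing "all" in SPF, more than one SPF record, a DMARC policy of none or quarantine, and a missing reporting address.

```python
"""Lint the SPF and DMARC TXT records published for a domain.

Added example: this is not code from the original article. The record
strings below are constructed for illustration (hypothetical domain
yourchurch.org, documentation IP range 203.0.113.0/24); to check a real
domain, paste in the TXT records from `dig TXT yourchurch.org` and
`dig TXT _dmarc.yourchurch.org`.
"""
import re

# Constructed sample records: the weak settings a provider's setup wizard
# often leaves behind, beside the hardened versions.
WEAK_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"
STRONG_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@yourchurch.org; adkim=s; aspf=s"

# Mechanisms that each cost one of the 10 DNS lookups SPF allows (RFC 7208).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a$|a[:/]|mx$|mx[:/])", re.I)


def lint_spf(txt_records):
    """Return findings for the SPF record among a domain's apex TXT records.

    Takes every TXT record at the apex because publishing two SPF records is
    itself a fatal error: receivers return PermError and apply no SPF check.
    """
    findings = []
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail as this domain"]
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers return PermError and skip SPF")
    terms = spf[0].split()[1:]
    all_idx = [i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"]
    if not all_idx:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        term = terms[all_idx[-1]]
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all': every host on the internet is an authorized sender")
        elif qualifier in "~?":
            findings.append(f"'{term}': unlisted senders only soft-fail; use '-all'")
        if all_idx[-1] != len(terms) - 1:
            findings.append("mechanisms after 'all' are never evaluated")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (PermError)")
    return findings


def lint_dmarc(txt_record):
    """Return findings for the TXT record at _dmarc.<domain> (None if absent)."""
    if txt_record is None or not txt_record.strip().lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag: record is ignored")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is spoofing the domain")
    return findings


if __name__ == "__main__":
    for label, records in (("weak SPF", [WEAK_SPF]), ("strong SPF", [STRONG_SPF])):
        print(label, lint_spf(records) or ["OK"])
    for label, record in (("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)):
        print(label, lint_dmarc(record) or ["OK"])
```

Run it against the output of dig TXT yourchurch.org and dig TXT _dmarc.yourchurch.org. A clean result only means that mail forging yourchurch.org will be rejected by receivers that honor DMARC; it says nothing about a message from a gmail.com account that simply puts the pastor's name in the From display name, which is why the policies that follow still matter.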
Policies to Avert the Scams
- Leadership should set a policy that any requests for money, gift cards, payroll changes, A/P payee changes, or wire transfers must occur face-to-face or some other verifiable method.
- A phone call that sounds suspicious can be too easily explained away by a cold, a bad connection, and so on. If you do verify by phone, call back on a number already on file, never one supplied in the request itself. A video call might be considered a valid face-to-face request.
- Train staff on what to look for and to whom on the team it should be reported.
The second email scam is more challenging because it targets congregants.
- Leadership should set an enforceable policy that all church-related email from staff members must be sent from the church’s email system. No church-related email should come from another email system. For instance, all email must be sent from a team member’s yourchurch.org email address, and never from a gmail.com or similar account.
- Communicate to your congregation a summary of the scam and inform them that:
- Church staff will only email them from the yourchurch.org email address.
- No one on staff will ever ask for money or gift cards to support the church or another cause without also announcing it officially on the church’s website.
Unfortunately, some staff won't like being forced to use the church's email system. But this is a serious threat, and they have a job at the church, so the policy is appropriate. Some staff may argue that the church's email domain can be spoofed. That is true only where the SPF, DKIM, and DMARC records are missing or weak, which is exactly why the IT check above matters; in any case, these campaigns usually come from a gmail.com address or a similar free account that puts the staff member's name in the display name, not from a forged yourchurch.org address.
Take Action
If you see or experience these email scams, report them to the federal government. A report takes 5 to 10 minutes. Your report might provide the exact piece of information that helps the authorities connect all the dots and catch a predator.
There are two places to report such email scam activity:
This article originally appeared here, and is used by permission.