Social engineering is the term used for scams that prey on human vulnerabilities. People within a ministry who have access to employees’ personal data and organizational financial controls are considered high-value, vulnerable targets for social engineers.
The goals of scammers are changing, and their schemes are harder to detect. In fact, today’s scammers aren’t trying to get you to send them money—their aim is to gain access to ministry accounts, email addresses, and personal information that can be sold. Your goal as a payroll administrator: recognize their tricks to protect the ministry and avoid becoming a victim.
Social engineers craft a good story. Caleb Sloan, operations manager for MinistryWorks, said the goal is to get you to say “yes” before you think. “Social engineers exploit ministry payroll administrators and HR professionals who are eager to do a good job and hardwired to trust,” he said. “They use your trust against you.”
When securing payroll systems, there’s so much more at stake. Click on a malware link, and it unleashes a domino effect that can result in employee personal information being stolen, and ministry accounts and finances being compromised. Malware also can sift through sensitive information, destroy data, steal passwords, and record your every keystroke.
Successful techniques target known trust signals to infiltrate your organization. They use easy-to-obtain information—like the names of your pastor’s family members—from social media or your website to appear trustworthy.
Sloan said that “urgent request” communications from someone posing as a trusted source in your organization usually ask you to do something right away. “Most payroll administrators likely would be suspicious of highly unusual requests, such as a demand to wire thousands of dollars to an unfamiliar bank,” he said.
But other requests—like when an employee needs to change bank account information—are reasonable and in line with what a payroll processor may encounter. Social engineers know that if a request seems common, it likely will not raise a red flag.
Here are a few examples of scams that use social engineering to mimic a trust signal and catch a payroll administrator off-guard:
When it comes to scams, the list is extensive and ever-changing. While the method may morph, the basic concept remains the same: social engineers target a person’s instinct to trust. “The only way to stay a step ahead is by building awareness and adopting stringent control procedures,” said Sloan.
Consider incorporating these tips into your overall payroll administration practices:
For payroll administrators, there’s no such thing as too much security. Whether you complete payroll tasks using a payroll subscription service or a third-party software company, like MinistryWorks, ask these questions about your current practices:
MinistryWorks considers protecting the data of our customers to be the highest level of our stewardship service to you. We are fully compliant with regulatory banking rules and certifications. Our systems and customer data are hosted in the cloud with the very highest levels of security, redundancy, and scalability.
As soon as you know you’ve become a victim, contact your insurance agent and your payroll provider to mitigate further damage and future litigation. Do not wait. Some states require that you notify the affected individuals and possibly government agencies if certain personal or medical information was stolen. Each state has its own definition of a breach and a time frame to complete notifications. Other countries may have altogether different rules. Your insurance policy may offer the tools and access to help notify breach victims.