Outsmart Payroll Cyber Thieves

Millie is responsible for running payroll at her church. She receives an email from the pastor who’s currently on vacation. In the email, the pastor states that he has changed banks. He supplies a new account number and routing number, and requests the change be made today. Millie complies. Several days later, she receives a phone call from the vacationing pastor. He asks why his pay was not deposited in his account. Millie explains that she made the banking change as he requested. After a pause, the pastor says, “I never made that request.”

Cyber thieves use techniques called social engineering to get you to act before you think. “Unfortunately, this particular scam and others like it are far too common for churches,” said Caleb Sloan, operations manager for MinistryWorks. “The result can be stolen funds, stolen information, or ransomware placed on your computer network, any of which can tie up your organization’s resources or even cripple your operations.”

A common scam, especially at tax time, is a request for employees’ W-2s that appears to come from a person of authority within your organization.

Social Engineering: Common Tricks

Cyber thieves often use easy-to-obtain information culled from your organization’s social media or website to appear credible. Using that information and the following techniques, a thief can prey on your trust:

  • Phishing, vishing, and smishing use emails, phone calls, and texting to incorporate elements of surprise, scare tactics, or fear of imminent danger.
  • Spear phishing is a targeted phishing attack that personalizes an email to make it appear legitimate.
  • Spoofing imitates an email address or website to make you think you’re interacting with someone you know. They typically change one letter and hope you won’t notice. Example: (real) and (fake).
  • Pretexting creates a story in order to gain your trust to manipulate you into thinking the scammer is legitimate or in a position of authority. For example, someone might impersonate a vendor you typically use to gain access to your computer systems or pretend to be a bank representative to con you into divulging your account information.

Outsmart the Scammers

Once you know cyber thieves’ methods, you can begin to thwart the attacks. “You can make your ministry less of a target,” said Sloan. “With just a few simple but highly effective processes and controls, you can stop scammers from being successful.”

Here’s four ways you can outsmart their treachery:

  • Verbal verification. Sloan says to simply ask the person face-to-face or by phone when a request for sensitive information seemingly comes from within your organization. Never hit “reply” to an emailed request. Use a familiar phone number or the listed number for the business—such as a bank—to verify the request.
  • Two-factor authentication. Two-factor authentication takes security to a new level. It requires users to have a password and an additional method of verification, such as a pin number, texted to a smartphone, before they can gain access to an account. MinistryWorks recommends using two-factor authentication on all accounts that offer the option. Even if your password is stolen, hackers won’t be able to access your account because they won’t have access to the pin on your smartphone.
  • Two-person verification. To help guard against an “urgent ask,” develop a two-person verification procedure. This ensures that no one person can distribute ministry funds alone, for any reason. This may include a written document for all monetary requests that is signed by two people with the authority to do so. Train staff to say “no” if procedures aren’t followed.
  • Manage your passwords. Passwords help protect systems and data from unwanted access, but they can create a false sense of security. With so many separate accounts that require passwords, it’s common for people to use the same password across multiple systems and accounts. If hackers steal a password on one site, they easily can gain access on other sites you use. A simple remedy is to use a reputable password manager.

Take the time to educate your clergy and staff to recognize the red flags of social engineering. Then develop and train on control measures to protect against accidental fraud. Sloan said it’s okay to be suspicious. “Social engineers use our desire to be good servants against us. If you receive an email requesting an account change or someone shows up without an appointment to fix your computers, take a moment. Stop and verify.”


Think Before You Click

Whenever you receive an email, text message, or phone call that requests immediate action, especially a transfer of funds, take a minute to run through the following questions:

  • Were you expecting it?
  • Is it a known problem that you need to address?
  • Did you receive an email when a phone call or in-person conversation would have been more appropriate?
  • Can you independently verify the request?

Related Resources

Posted on May 2, 2022

The information in this article is intended to be helpful, but it does not constitute legal advice and is not a substitute for the advice from a licensed attorney in your area. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.

You could claim up to $33,000/employee with the
Employee Retention Credit.

Select your organization type
to learn more.

I'm a ministry I'm a school