When we think about who cybercriminals target, churches rarely come to mind. But they should — and church leaders increasingly need to.
Ministries collect and store a surprising amount of sensitive information: member names and addresses, donation history, prayer requests, children's registration forms, counseling notes, and financial records. Most churches store this data with very little protection. That combination — valuable data, minimal security — makes faith-based organizations an attractive target.
The good news is that basic cybersecurity doesn't require a tech team or a big budget. It just requires awareness and a few deliberate habits.
Why Churches Are Targeted
Cybercriminals often focus less on who holds data and more on who holds data without protecting it well. Nonprofits and churches frequently fall into that second category. Common attacks include:
- Phishing emails impersonating your pastor, finance director, or a trusted vendor to request a wire transfer or gift card purchase
- Ransomware that locks your files and demands payment to restore access
- Data breaches that expose member contact information, giving records, or stored payment details
- Account takeovers that compromise your church email, website, or social media accounts
These aren't hypothetical threats. The FBI has issued warnings about criminals specifically targeting churches and nonprofits with gift card scams and fraudulent wire transfer requests.
The Five Basics Every Church Should Have
You don't need enterprise software to protect your congregation. Start here.
1. Strong, Unique Passwords and a Password Manager
Reusing the same password across your church management software, email, website, and giving platform is one of the most common — and most dangerous — mistakes. If one account is compromised, every other account that shares its password is exposed too.
A password manager like Bitwarden (free for individuals, affordable for teams) stores unique, complex passwords for every account so your staff doesn't have to remember them. This single change dramatically reduces your risk.
2. Two-Factor Authentication (2FA)
Enable two-factor authentication on every account that offers it, especially email, your church management system, your giving platform, and your website admin panel. Even if a password is stolen, 2FA means an attacker still can't get in without a second verification step — usually a code sent to a phone.
Most platforms now make this easy to set up under account security settings.
3. Regular Backups
If ransomware strikes or someone accidentally deletes critical data, a recent backup is the difference between a bad afternoon and a catastrophe. Back up your member database, financial records, and website files regularly — and store at least one copy offsite (cloud storage works fine).
Services like Google Drive, Backblaze, or iCloud can automate this for minimal cost.
4. Staff Training on Phishing
The most sophisticated security tools in the world won't help if someone on your team clicks a malicious link in an email. Train your staff and volunteers to:
- Verify any unexpected wire transfer or gift card request by calling the requester directly (not replying to the email)
- Hover over links before clicking to see where they actually lead
- Be skeptical of urgent requests involving money, even from familiar names
A simple 30-minute team discussion once a year can prevent thousands of dollars in losses.
5. Keep Software Updated
Outdated software — especially WordPress plugins, themes, and your church management system — is one of the most common ways attackers gain access to websites and databases. Enable automatic updates where possible, and audit your plugins or integrations every few months to remove anything you're no longer using.
A Note on Storing Sensitive Data
Before collecting information, ask whether you actually need to store it — and if so, for how long. Many churches hold onto data indefinitely by default. Build a simple policy: purge outdated visitor records after a set period, limit who has access to financial data, and never store payment card numbers in your own system (use a reputable giving platform that handles that for you).
This Is Part of Stewardship
Protecting your congregation's data isn't a technical obligation — it's a pastoral one. People share sensitive things with their church: financial struggles, health crises, family situations. They trust you with that information. Handling it responsibly is an extension of the same care and integrity that guides everything else you do in ministry.
Starting with the five basics above puts you well ahead of most churches — and gives your congregation one more reason to trust that they're in good hands.
Develop With Faith helps churches and faith-based organizations build secure, reliable websites and digital tools. If you have questions about protecting your ministry online, get in touch.

