When St. Ambrose Catholic Parish launched a major building renovation, they expected the usual budget pressures and coordination challenges. What they didn’t expect was that cybercriminals would intercept their communications, impersonate their contractor, and steal $1.75 million via a fraudulent wire transfer.
This wasn’t a complex hacking job. It was a textbook example of Business Email Compromise (BEC)—a phishing tactic that uses social engineering and impersonation to trick people into wiring money or sharing credentials.
It can happen to any church. And it often does.
What Is Business Email Compromise (BEC)?
BEC is a form of phishing that doesn’t rely on shady links or virus-laden attachments. Instead, it relies on trust. The attacker gains access to or mimics a legitimate email account, then uses that identity to request payments, change banking instructions, or access sensitive systems.
Think of it as phishing with a clipboard and a lanyard. It looks official. It feels familiar. And that’s why it works.
In the case of St. Ambrose, hackers monitored email conversations, mimicked language and timing, and then inserted themselves as the contractor to change the payment routing. No alarms were triggered—until the money was gone.

And this isn’t isolated. Across the country, nonprofit organizations and churches are increasingly falling prey to similar schemes, often because the nature of their work involves multiple stakeholders, volunteers, and quick pivots. All of that flexibility can come at a cost if guardrails aren’t in place.

Why Churches Are High-Risk Targets
Churches, especially small- to mid-sized ones, are increasingly in the crosshairs of BEC attacks. Here’s why:
- Trusted Culture: Churches are built on relationships and assume good intent.
- Lean Staff: One person may wear five hats—with little time for security protocols.
- Decentralized Logins: Shared passwords, old volunteer accounts, and vendor access are often unmanaged.
- No Financial Protocols: It’s still common to approve financial requests via casual emails or texts.
- Seasonal Stress: Event seasons like Easter, Christmas, and capital campaigns strain internal bandwidth—and attackers know it.
As an IT leader, you might be managing this alongside website updates, Sunday livestreams, and database cleanups. But ignoring these vulnerabilities doesn’t just risk technical failure—it puts your entire ministry ecosystem at risk.
What You Can Do Right Now
Here are five high-impact, low-disruption steps every church can take to protect itself today:
1. Enable MFA Everywhere
Require multi-factor authentication (MFA) for all staff, leadership, and vendor accounts. It’s one of the most effective defenses against unauthorized access.
Don’t stop at paid staff. Include your volunteers, pastors, and even part-time contractors in this policy. If they can log in, they can be compromised.
2. Formalize Financial Approvals
Create a rule: no wire transfers or banking changes without phone verification or in-person confirmation.
Put it in writing. Make it part of your financial playbook, and share it during staff onboarding and quarterly reviews.
3. Clean Up Login Access
Audit all user accounts on your key platforms (Google Workspace, giving systems, planning tools). Remove or disable any that are outdated.
We often find dozens of inactive accounts still enabled on church systems—some belonging to volunteers who left years ago. Each one is a potential back door.
4. Train Your Team
Staff and volunteers should know how to recognize BEC-style phishing. Tone, timing, and payment urgency are often red flags.
Keep the tone light but direct. Use real-life examples. Encourage a culture where asking “Is this legit?” is not only accepted, but expected.
5. Simulate and Prepare
Run a simulated phishing test or use a training kit to evaluate your current readiness. Practice your incident response plan.
Start by role-playing a scenario: what happens if your pastor gets an email that appears to come from your finance chair, asking to wire funds immediately? Who gets looped in? How do you verify?
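The red flags named in steps 2 and 4 can be checked mechanically before a human ever picks up the phone. The routine below is an added example written for this article, not a tool the parish or its vendors use; the vendor allow-list and both messages are constructed, and it flags the three BEC patterns described above: a familiar display name on an unfamiliar domain, a Reply-To that diverts the conversation, and an urgent request to change payment details.

```python
import re

# Constructed allow-list (an assumption, not from the article): the display names
# the finance office expects to see, mapped to the domains those vendors really use.
KNOWN_VENDORS = {
    "acme construction": {"acme-construction.com"},
}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
BANKING = re.compile(r"\b(wire|routing|account number|new bank|updated? banking|payment details)\b", re.I)

def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address like 'Name <user@host>' ('' if none)."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def triage(msg: dict) -> list[str]:
    """Return the BEC red flags found in one message (empty list = nothing seen).

    msg keys: from_name, from_addr, reply_to (may be ""), subject, body.
    """
    flags = []
    sender = domain_of(msg["from_addr"])
    expected = KNOWN_VENDORS.get(msg["from_name"].strip().lower())
    # 1. Display name of a known vendor, but the address domain is not one of theirs.
    if expected and sender not in expected:
        flags.append(f"display name '{msg['from_name']}' but unfamiliar domain {sender}")
    # 2. Replies would go somewhere other than the visible sender.
    reply = domain_of(msg.get("reply_to", ""))
    if reply and reply != sender:
        flags.append(f"reply-to domain {reply} differs from sender domain {sender}")
    # 3. Banking/payment-change wording combined with pressure to act now.
    text = f"{msg['subject']}\n{msg['body']}"
    if BANKING.search(text) and URGENCY.search(text):
        flags.append("urgent request to change payment or banking details")
    return flags

# Constructed sample messages: a routine invoice and a BEC-style lookalike.
LEGIT = {"from_name": "Acme Construction", "from_addr": "billing@acme-construction.com",
         "reply_to": "", "subject": "Draw #4 invoice",
         "body": "Attached is the draw request for April as scheduled."}
SUSPECT = {"from_name": "Acme Construction", "from_addr": "billing@acme-constructi0n.com",
           "reply_to": "accounts@mail-relay.example",
           "subject": "URGENT: updated banking details for draw #4",
           "body": "Please send the wire today to our new bank account number below."}

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, triage(m) or ["no flags; still verify by phone before paying"])
```

A clean result is not a green light: the phone-verification rule in step 2 still applies to every banking change, flagged or not.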

Final Word: It’s About Stewardship
St. Ambrose lost $1.75M. Most churches can’t afford to lose a tenth of that. But this isn’t just about money — it’s about trust.
Protecting the people, finances, and systems entrusted to you is part of your ministry. You don’t need to be a cybersecurity expert. You just need to start tightening the basics.
And you can start today.
When you prioritize digital security, you’re not just protecting data. You’re protecting people, relationships, and the reputation of the church. That makes it worth the effort—and the conversation.