BP Toolbox

Six steps to protect your church from online fraud


Several Southern Baptist churches and entities have been hit with online fraud nearing $1 million each. Their dramatic losses serve as warnings to all our churches.

The Florida Baptist Convention lost more than $700,000 in a transfer involving a fraudulent email that was intended for the North American Mission (NAMB). A similar scam involved an email sent to Elkin Valley Baptist Church in North Carolina by its contractor, including an invoice for the new worship center it was building. It was followed by a second email with payment instructions. The church paid the more $793,000 invoice with the money it had taken over seven years to save, only to find out the second email had been fraudulent. In both cases, the money is gone, probably for good.

Online fraud is becoming more common and is something that should be on the radar of every church and local association.

I was first exposed to this while serving as a missionary with the International Mission Board (IMB). At the time I was a logistics coordinator, which meant I administered the mission work in the country where my wife and I lived. I quickly learned you cannot trust the origin or destination of an email. There were times I received emails from a vendor to later learn the email did not come from that vendor.  Even now we cannot know for sure what we read came from the person we think sent it.

At IBSA, staff sometimes receive an email that appears to come from a management team member. It will say, “I do not have time to go get a gift card for someone. Please go get it for me and use your IBSA credit card, then send me the gift card number.” The name is right, but the return email address is not. Sometimes the scammers are clever, and the return address is much like the manager’s email which makes it harder to detect. Our team at IBSA knows no one here would ask for such a “favor.”

Recently IBSA was completing some building renovation and worked by email with the architect. One email supposedly from that architect requested funds to pay for a building permit. IBSA found out it was not from the architect, even though the person in the email knew many details about the project including phone conversations IBSA staff had with the architect earlier that same day.

How can a church or association prevent being defrauded online? Here are six steps to help protect your organization:

1. Update your virus software. If you already have anti-virus software installed on your internal systems, check that it’s up to date and have a system in place to automatically install updates.

2. Follow your normal procedures. If the person is asking you to deviate from how you have been paying an invoice, check it out before sending money. Maybe you are being asked to send the money by ACH (Automated Clearing House). Look for a different number than the last time you sent the vendor money.

3. If you have doubts, call your usual contact. If the scammer has done their homework, they will know how to answer your questions and may even have inside knowledge such as copies of your previous invoices. Verify until you feel confident.

4. Notice the grammar in the email. Pay attention to things like a lower case “I” instead of capital “I.” Scammers may be based outside the U.S. and English is not their first language.

5. Confirm and reconfirm. When doing business online always be cautious. Double check to be certain the return address matches that of the previous email. The best option is to pick up the phone and call the person to confirm what you are being asked to send before doing an ACH transaction.

6. Check your organization’s insurance policy. See if the policy covers online theft by coercion or consider obtaining a policy that protects against online phishing should an incident occur.

In the case involving the Florida theft, federal and state investigations continue, and authorities say no one at the state convention is suspected. Two committees have been formed to provide oversight and recommend steps based on their audit. And in North Carolina, the church hired a cyber analyst to investigate the crime and an attorney to help it try to recover the funds. The church downsized its construction plans and Baptists and others there have made donations.

The safest action of all is to make every effort to prevent responding to fraudulent emails in the first place.

Jeff Deasy is Operations team leader for the Illinois Baptist State Association.

    About the Author

  • Jeff Deasy