Be on guard for scammers who request access to membership directories so they can harvest Personally Identifiable Information (PII) to spam or scam church members. These individuals claim to be church members and request access to the directory via email or an online website form. Once given directory access, they can send spam messages to members via email or text. At Instant Church Directory, we want to provide insights and best practices on how to keep your church directory safe from scammers.
Just like your church building, your directory should have doors with locks and keys, and you want to give those keys only to actual church members and not someone who is pretending to be a church member.
A church directory is a treasure trove of contextualized personal information about church members that may allow for targeted social-engineering attacks. The more information scammers have, the more likely these attacks will be successful, especially against elderly or vulnerable members.
We believe scammers are finding these churches via websites that mention “Church Directory” and provide an email address or contact form to request access to the directory.
Consider what scammers can do with information from your directory:
- Pose as other members and start an email or text scam.
- Pose as a son, daughter, mother or father within a family unit and start an email or text scam to gain personal information.
- Pose as a pastor and start a bigger “whaling” scam. Read more about avoiding this phishing scam here: Don’t Take the Bait: Watch Out for “Whaling” Scams
- Sell the data to others who then might start a scam or combine it with stolen data from another source to commit fraud.
Scammers are experts at finding ways to make you think you are communicating with someone you know with their motive being to lie, cheat, and ultimately steal from you.
Ways a scammer might try to gain access to your church directory:
- A scammer finds a directory PDF that is posted online that is not protected by a password OR a password that was shared online near the PDF.
- Using an email address posted on the church website, they send an email to the church office posing as a church member and ask to be added to the directory. Once this is done, they can create a login and gain access to the complete directory.
- Some churches post a form on their website or social media for members to complete in order to be added to the directory. This makes a scammer’s job easy: the form is simple to find, and it tells them exactly what information the church expects.
How you can stay vigilant.
To keep your church directory safe from social engineering scammers, we recommend creating a policy for when someone may be added to the directory. This may include verifying each membership request before adding a new member’s email address to your directory. This is especially important if you have a public form for requesting access.
Here are some specific security steps you can take to verify contact information:
- BEST PRACTICE: Use a Family Form that is to be filled out and submitted to the church office in person. Using a Church Directory Information Form for New and Existing Members
- Verify the person’s address via Google Maps.
- Look up their name on a Google search to see if the person is local to your church.
- Ask for a phone number and call them if you feel unsure. Confirming the request over a second channel in this way is typically called a multi-factor authentication method.
- Invite the person to worship and ask them to reach out to you or the pastor to provide their name and email.
We also highly recommend limiting personal data on your church’s website. We understand that you, as a church, are trying to make contact and engagement easy for your members and the community. Limiting information such as email addresses on a website, and instead providing secure contact forms, is one way to reduce the risk of someone using that information for nefarious purposes.
What to do if a scammer gains access?
Once someone has access to names, emails, and phone numbers from your directory, there’s no way to stop scammers from targeting your members. The next step is to go on the defense. We’ve covered some ideas in Don’t Take the Bait: Watch Out for “Whaling” Scams.
Also, the U.S. Federal Trade Commission has issued warnings about scams targeting churches and congregants. This government agency urges anyone who’s been victimized by a scam to send a report to ftc.gov/complaint.
We keep your data secure from hackers who try to pick the lock to gain access to your data on a database, but you will need to ensure you don’t give the key to your church directory to someone who shouldn’t have it.