Don’t Take the Bait: Watch Out for “Whaling” Scams

Scam Alert

For the past few years, churches and pastors have been the target of scammers who try to take advantage of the openness and generosity that characterize religious communities. The schemes go beyond typical “phishing” attempts to what’s known as “whaling”: sending fraudulent communications that appear to be from a church’s pastor or a denomination’s leader — in other words, from the “big fish.”

The messages (mainly emails but sometimes texts) usually contain urgent requests for money or gift cards with PINs to help a person or family in need. To appear authentic, they often include the leader’s photo and/or email signature, which scammers can easily obtain online or through bogus correspondence attempts. The email bodies rarely address recipients by name, and receiving one of these messages does not mean the recipient’s own email account has been hacked.

Ways to Protect Your Church Members from Scams

Nor does it mean your Instant Church Directory account or information has been hacked if a scammer attempts to fool congregants via a whaling scheme. Scammers usually can find what they need on a church website’s homepage or staff page. By nature, churches are very vulnerable to wrongdoers desiring to take advantage of Christian kindness.

That doesn’t mean you’re helpless, however. Experts recommend taking these steps to protect your church and its members from being exploited:

  • Alert members to the scam ahead of time. Include a blurb in the church newsletter or bulletin, or make an announcement before or after worship. Tell people if they receive a message from the pastor asking for a gift card to NOT respond or act. Inform members that your church will never solicit for gift cards via text or email, especially because the IRS wouldn’t approve of that.
  • Inform congregants that any legitimate requests will be announced via official channels. Clearly state that requests for donations will also appear in church publications, including the website.
  • Use the church’s email account for all church-related correspondence. Require church staff to use their church email address for any official communications. Although hackers might be able to spoof an email system’s domain, usually scammers send from other addresses, such as Gmail.
  • Educate staffers and congregants about what to watch for. If a suspicious email appears to be from a pastor or church leader, recipients can double-check the “from” address. If that doesn’t match up with the church’s usual address, or if it’s even a slight variation, that’s a red flag. Recipients shouldn’t reply, download any attachments, or click any links. Typos are another warning sign.
  • When in doubt, ask! Tell church members if they ever have questions or concerns, they should contact the leader directly. Instead of hitting “reply” on a questionable email, recipients should pick up the phone and call, or start a new email, using the contact information published in official church channels.
  • Never post your pastor’s email or phone number on the church website. This is tough, because you want members to be able to easily connect with the pastor. But when contact information appears online, scammers can easily use it against you — and against people who trust your organization.
  • Keep member information behind a SECURE password. If your photo directory or any member information is posted to your website, be sure the information is locked behind a secure password that only members can access. A secure password consists of a combination of lowercase letters, uppercase letters, and numbers or special characters, and it should be at least 8 characters long. Never post the password to your website! Best security practices require members to each have their own secure password and not share passwords throughout the congregation.
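The “from” address check and the warning signs described in the steps above (a consumer webmail address instead of the church domain, a slight variation of the church domain, an urgent gift-card request, a greeting with no name) can be turned into a simple screening routine. The following is an added example written for this post, not code from Instant Church Directory; the church domain `examplechurch.org`, the sample messages and the phrase list are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed values for this example: the church's real domain and the
# consumer webmail providers the post says scammers usually send from.
CHURCH_DOMAIN = "examplechurch.org"   # placeholder, not a real church
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Phrases the post singles out: urgent requests for gift cards and PINs.
SUSPICIOUS_PATTERNS = [
    r"\bgift\s*cards?\b", r"\bpins?\b", r"\burgent(?:ly)?\b",
    r"\bright away\b", r"\bdiscreet\b",
]
# A greeting with no name right after it ("Hi," / "Hello," / "Dear,").
GENERIC_GREETING = re.compile(r"^\s*(?:hi|hello|dear|greetings)\s*[,!.]", re.I)
CLERGY_TITLE = re.compile(r"\b(?:pastor|rev\.?|reverend|bishop)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch a 'slight variation' of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete from a
                           cur[j - 1] + 1,          # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple[str, list[str]]:
    """Return (sender domain, list of reasons the From: header looks wrong)."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reasons: list[str] = []
    if domain == CHURCH_DOMAIN:
        return domain, reasons          # matches the church's usual address
    if domain in FREEMAIL_DOMAINS:
        reasons.append(f"sent from consumer webmail ({domain}) rather than {CHURCH_DOMAIN}")
    elif domain and edit_distance(domain, CHURCH_DOMAIN) <= 2:
        reasons.append(f"domain {domain} is a near-match for {CHURCH_DOMAIN}")
    else:
        reasons.append(f"domain {domain or '(none)'} is not the church domain")
    if display_name and CLERGY_TITLE.search(display_name):
        reasons.append("display name claims to be clergy but address is not the church's")
    return domain, reasons


def assess(from_header: str, body: str) -> dict:
    """Combine the sender check with the body warning signs from the post."""
    domain, flags = classify_sender(from_header)
    hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, body, re.I)]
    if hits:
        flags.append("body contains gift-card/urgency language: " + ", ".join(hits))
    if GENERIC_GREETING.match(body):
        flags.append("greeting does not use the recipient's name")
    return {"domain": domain, "flags": flags, "suspicious": bool(flags)}


# Constructed sample messages (not real correspondence).
SCAM_MSG = (
    '"Pastor John Example" <pastorjohn.examplechurch@gmail.com>',
    "Hi, I need you to do something for me right away. Buy 5 gift cards "
    "and send me the PINs. I am in a meeting, please keep this discreet.",
)
REAL_MSG = (
    '"Pastor John Example" <john@examplechurch.org>',
    "Hi Mary, just a reminder that the deacons meet Thursday at 7pm.",
)
LOOKALIKE_MSG = (
    '"Pastor John" <john@exarnplechurch.org>',   # 'rn' standing in for 'm'
    "Are you available? I need a favor, please keep this discreet.",
)

if __name__ == "__main__":
    for header, body in (SCAM_MSG, REAL_MSG, LOOKALIKE_MSG):
        result = assess(header, body)
        print(header, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for flag in result["flags"]:
            print("   -", flag)
```

The routine is meant for a church office or a member who wants a second opinion before acting, not as a replacement for the advice above: a message that passes every check can still be fraudulent, and the published phone number or a fresh email to the pastor remains the definitive check.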

Ways We Protect You & Your Church

Instant Church Directory hosts all data and services between Microsoft Azure and Amazon AWS, and we employ all the available mechanisms by both companies for intrusion detection and mitigation. Our databases are encrypted, and we hash all passwords. We use geo-redundant services (East and West Coast, U.S.) and follow or exceed industry best practices for data backup and retention.

Like you, we’re continually saddened that we must expend so many resources to provide data security when our heart is in helping folks connect and share the Gospel message. But it’s a reality of our technological age — and a responsibility we take seriously. We hope this information is helpful to your church and members.

A final note: The U.S. Federal Trade Commission, which has issued warnings about scams targeting churches and congregants, urges anyone who’s been victimized to send a report to

Author Bio:

The Instant Church Directory Team

We are a small team of dedicated folks working hard to build a simple tool for connecting church members.
