FRANKLIN — More than $85,900 was reported stolen from Immanuel Southern Baptist Church in Wagoner, Okla., last month, according to news reports. Cyberthieves drained money from the congregation’s building fund, savings account, youth, children’s, and missions accounts.
Previously, in May 2023, the Florida Baptist Convention found itself at the center of a cybercrime investigation after thieves made off with more than $700,000 in convention funds.
The threat is hitting Tennessee churches, too. Justin Sheffield, controller for the Tennessee Baptist Mission Board, said he recently heard from a Tennessee congregation whose accounting software was hacked, allowing thieves to distribute funds without the church’s knowledge until it was too late.
“It is a real issue facing our churches,” said Sheffield.
As congregations increasingly manage finances and communications online, cybercriminals are taking notice. And smaller churches with limited budgets and little or no IT support are often the most vulnerable of all.
Start with passwords and email
Doug Finch, technology services manager for the TBMB, said weak passwords are the single most common entry point for hackers. He urged churches to use a password manager to generate long, randomized credentials.
Sheffield added that each staff member and volunteer should have their own individual login to church systems rather than sharing credentials, creating an audit trail if something goes wrong. He also recommended enabling two-factor authentication wherever possible and considering passphrases — long strings of words with spaces — which research suggests are significantly harder to crack.
On email, both urged a zero-trust approach. Finch said artificial intelligence has made phishing messages nearly indistinguishable from legitimate correspondence.
“You have to stop and analyze before you click on anything,” said Finch. “If something is asking you to transfer funds or change an account number, verify that through a separate channel before doing anything.”
Sheffield specifically cautioned churches to verbally confirm any vendor request to change a name, mailing address, or banking information using a known phone number — not a number provided in the suspicious email itself.
Keep software updated and devices protected
Finch said outdated software gives hackers a reliable path in.
Microsoft releases “security patches” monthly, and he urged churches not to delay installing them. He also recommended investing in reputable endpoint security software, cautioning against assuming that Windows Defender or macOS, for example, provides sufficient protection on its own. Trend Micro, he noted, covers five devices for around $50 per year.
Financial controls matter
Sheffield said cybersecurity for churches is not just an IT issue — it’s a financial stewardship issue. There are several practical controls that any church can implement regardless of budget.
He encouraged churches to ask their bank about “positive pay,” a service that allows organizations to pre-authorize withdrawals and manually approve any others. He also recommended segregating financial duties — determining who has transfer authority versus view-only access — and requiring dual signatures on checks, provided they are never pre-signed.
Financial statements and bank reconciliations, he said, should be reviewed regularly by someone other than the person who prepared them.
“A church financial person once told me, ‘I could rob them blind if I wanted to,’” Sheffield said. “How are your processes and oversights preventing that from happening?”
If your church is victimized
Finch said churches that discover a breach should resist the urge to send emails and instead pick up the phone. A technical professional should be brought in immediately to stop the intrusion, disconnect compromised systems, and assess the damage. Cyber insurance carriers, affected parties, and potential legal counsel will also need to be contacted.
“By the time most breaches are discovered, hackers may have been inside the system for months,” said Finch. “This is not something a church should try to handle on their own.”
For many small churches, the question isn’t whether cybercriminals will come looking but rather whether the congregation will be ready when they do.
Tennessee Baptist churches and associations with technology questions can contact Finch at [email protected]. Churches with questions about financial controls and accounting practices can reach Sheffield at [email protected] or Joe Lovell at [email protected].
