Trust, But Verify: Protecting Your Ministry From The New Face of Fraud
With AI impersonation, email scams, and stolen millions, is cyber insurance a ministry essential?
The man who messaged Pastor Jennifer LeClaire had a legitimate complaint: Why hadn’t she delivered on her promises?
The Florida pastor, though, had never spoken to him. Unbeknownst to her, an AI impersonation of herself had been asking people for money. To many, the video seemed real.
“They’re preying on the trusted believers on my good name, exploiting their faith for their own wicked ends,” she said. [1]
Fraud is fraud – but its appearance continues to evolve and find new ways to deceive.
Cybercrime is a sweeping umbrella of misdeeds that ranges from identity theft to “phishing” to ransomware attacks. Many of the same threats to individuals also target businesses and nonprofit organizations.
In today’s digital world, cyber security is as important as – or more important than – locking the door on the way out. What role can insurance play in protecting faith-based organizations?
Cyber liability insurance and data breaches
Perhaps the most well-known coverage related to digital disruptions is cyber liability insurance. It’s an effective – though limited – policy that helps organizations respond to data breaches. These occur when an outsider gets access to a list of members, congregants or customers. The database may contain enough information to directly steal from people. More likely, contacts will be later targeted for fraud or sold to others who will do the dirty work.
While cyber liability coverage can’t undo a data breach, it can help organizations respond properly. This is significant, because far more than saying, “We’re sorry” is required. Cyber insurance can include coverage for:
Formal notification of each person whose information may have been compromised
Public relations services
Digital forensic investigation
Credit monitoring for affected individuals
Legal defense and judgments resulting from litigation
Cyber liability is an important aspect of insurance coverage. But there are many other digital threats to contend with. These may require a different type of cyber insurance or an addendum to a policy.
Business email compromise (BEC)
Perhaps the most alarming thing about cybercrime is its non-alarming nature. There are no broken windows, no threatening phone calls and often no overtly suspicious communications. For example, what could be dangerous about a payment request from an existing vendor?
A large Ohio church and school discovered just how treacherous one could be when it lost $1.75 million to a bogus entity claiming to be its construction company. [2]
The scam rolled out in multiple phases. First, criminals infiltrated the church’s internal email system, allowing them to impersonate staff. With this rapport, they convinced the finance department to redirect payment to a new bank account. From there, one click sent nearly $2 million into the pockets of digital gangsters. [3]
This technique doesn’t have to be digital. A Wisconsin church was similarly duped based on snail mail letters and phone calls. [4]
Many have heard of the term “phishing.” A more refined technique is called “spear phishing.” Leaders and personnel are specifically sought out and methodically targeted.
A North Carolina congregation was robbed by a scam similar to the one that befell the Ohio church. This time, however, the criminals convincingly impersonated the vendor instead of church staff. As a result, the congregation unwittingly paid about $800,000 to scammers. “What took more than seven years to save, somebody wiped out in just a few minutes,” said the lead pastor. [5]
How can we stop it?
In all these cases, the criminals appeared to be reasonable and legitimate actors. So how can we know the good from the bad?
Begin with cultivating awareness. Cyber security training is essential for anyone who uses your organization’s computer resources for any purpose. As we’ve noted, an email address is enough to plunge an organization into financial distress.
Whether they’re employees or volunteers, people don’t know what they don’t know. The role of training is to fill in the gaps and protect your cause.
Organizations that require a verification process for vendor payments already have a head start. When multiple approvals are mandated, fraud is more likely to be detected. In addition, the FBI suggests confirming large invoices with the vendor. [6]
Beyond training and accountable financial practices, organizations must ensure their computer networks and email systems are secure. This requires professional expertise, whether it’s in-house or from an outside firm such as Enable Ministry Partners.
But training is not enough. Education must translate into policies about passwords, access to data, payment procedures and more. A sound but unenforced policy is a paper tiger.
The insurance firewall
These preventative activities are the first lines of defense. But even the most robust security can fail. The NSA, Pentagon and cyber security companies themselves have been hacked repeatedly. Insurance kicks in when even our best efforts couldn’t prevent the damage.
Types of cyber insurance include:
Cyber liability: It generally responds to data breaches.
Cyber deception coverage: This relates to incidents when an employee unknowingly sends a fraudulent payment to an imposter.
Computer fraud insurance: Covers incidents when a criminal actively and directly steals funds electronically.
Different insurers may use different names for the same coverages, so it’s easy to become confused. The best approach is to identify the risk, then ask your broker to help you connect the right coverage to the threat.
What about trust?
As people who serve the greater good, adopting a skeptical approach may feel disconcerting. At its root, though, it’s consistent with other, familiar protective measures: locking doors, buying insurance and keeping our IDs in a safe place.
Secure cyber practices can be likened to the wise stewardship counseled in the Old and New Testaments. It’s protecting the flock, donors, and people who depend on you.
As was popularized in a Russian proverb: “Trust, but verify.”
GET A CYBER INSURANCE QUOTE FROM MINISTRY PACIFIC
We’d be happy to discuss cyber insurance and provide a complimentary quote that meets your organization’s unique needs. You are welcome to call us directly at 1.866.870.2700 or you can provide a few details in the form below. Thank you!