Four Common Cybercrime Theft Trends in Ministries


In recent years, ransomware attacks have had a massive impact on major industries — ranging from oil pipeline companies to government agencies. But attacks like these are not just reserved for large corporations. Academic universities, churches and other ministries are also targeted for their data and systems. And although this level of news doesn’t usually make major headlines, these cyberattacks are becoming the fastest-growing theft crimes globally¹.

As one of the nation’s largest ministry-exclusive risk management programs, GuideStone® knows the real risks that your ministry is facing — and that your ministry is at risk of being targeted right now. That’s why we want to equip you with up-to-date best practices to help protect your ministry from the new crime landscape that the internet and electronic commerce brought to our world. Nearly every month, we hear stories from ministries that didn’t take preventive measures and were robbed through coercive online and email maneuvers. But there’s good news — these cyber scams can be largely avoided. And we want to help you mitigate your risk of falling victim to cybertheft.

Cybertheft includes email fraud, data theft, computer systems takeover, ransomware and other crimes carried out over computers instead of in person. We’ve seen an increasing number of cybertheft claims from our ministries and have spotted four common trends:

1. Email Hacking to Redirect Bank Transfers

Most of those who submit cybertheft claims received illegitimate requests to change routing and bank information for payroll or money transfers. You may think you and your team would never fall for an online scam, but we have ministries with strong financial controls who are blindsided by these sophisticated cybercriminals.

The most common story we hear involves a ministry staff member’s hacked email account sending a fraudulent message to the payroll administrator asking to change their payroll direct deposit information. In almost every case we’ve seen, the payroll administrator replies via email to confirm or adjust the request, and the scammer is able to respond seamlessly as though they were the individual requesting the change. After the change has been requested, the administrator makes the change in good faith. The scam isn’t discovered until the payroll money has been pushed from the ministry’s bank account and the staff member asks why he or she didn’t get paid.

To mitigate this risk, add a verbal verification step, such as a phone call, whenever an account information change or request comes in. Have the requester repeat the account numbers over the phone and send you a copy of a voided check with their printed name. However, nothing beats confirming the requested change in person. In addition to implementing additional verification steps, we highly recommend our theft by coercion insurance coverage, offered through Brotherhood Mutual Insurance Company.

2. Indirect Email Spoofing

Another frequent cybercrime occurs when a message arrives from an email address that looks very close to the actual staff member’s address but differs slightly. It appears in the payroll administrator’s inbox showing only the person’s name, which is commonly the only visible part of the sender information. A simple reply that includes the necessary sensitive information, exchanged between the ministry staff member and the cybercriminal, can complete the crime. These crimes are sophisticated, and once the money is transferred to their account, the criminal immediately transfers it to offshore accounts or withdraws it in cash, making it no longer traceable. The ministry staff member is now without their paycheck, and the ministry realizes they have been robbed.
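The pattern described above can be checked by comparing the full sender address, not just the displayed name, against the address on file. The following is an added example, not part of the original article; the staff directory, the domain gracechurch.example and the sample From headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed staff directory (assumption): display name -> address on file.
STAFF = {
    "jane doe": "jane.doe@gracechurch.example",
    "sam lee": "sam.lee@gracechurch.example",
}
TRUSTED_DOMAIN = "gracechurch.example"  # hypothetical ministry domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'lookalike-domain', 'name-mismatch' or 'unknown'."""
    name, addr = parseaddr(from_header)
    name, addr = " ".join(name.lower().split()), addr.lower()
    domain = addr.rpartition("@")[2]
    # A domain one or two characters away from ours is a likely imitation.
    if domain != TRUSTED_DOMAIN and edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        return "lookalike-domain"
    on_file = STAFF.get(name)
    if on_file is None:
        return "unknown"
    # The displayed name is a staff member's; the address must match exactly.
    return "ok" if addr == on_file else "name-mismatch"


def flag_messages(from_headers):
    """Return (header, verdict) pairs for senders that need manual review."""
    verdicts = ((h, classify_sender(h)) for h in from_headers)
    return [(h, v) for h, v in verdicts if v in ("lookalike-domain", "name-mismatch")]


# Constructed sample headers, as they might appear in a payroll inbox.
SAMPLES = [
    "Jane Doe <jane.doe@gracechurch.example>",
    "Jane Doe <jane.doe@gracechvrch.example>",
    '"Jane Doe" <jane.doe.payroll@freemail.example>',
    "Vendor News <news@vendor.example>",
]
```

Any message flagged by `flag_messages(SAMPLES)` should go through the phone or in-person verification step before payroll details are changed.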

We offer theft by coercion insurance coverage through Brotherhood Mutual Insurance Company to cover these incidents. We highly recommend adding enough protection that covers at least the amount of your highest-paid worker’s regular paycheck.

Additional Example of Theft by Coercion

We have also seen indirect attacks through compromised third-party vendor emails. For example, a ministry in the middle of a new construction build receives an email from their primary construction contact with instructions for a wire payment. The ministry sends the money only to discover later that the wiring instructions were part of an email scam. In this situation, both the ministry and the contractor have been robbed, making it difficult to establish fault. Theft by coercion coverage is a coverage option that can respond to these situations subject to policy terms and limitations.

3. Theft by Electronic Means

Imagine this scenario³ — your ministry’s new treasurer opens an attachment in a phishing email which, unknown to her, installs a program that captures her every computer keystroke. When she logs in to the ministry’s bank account, the program captures her password and account number. That information is used to fraudulently transfer funds from the ministry’s account to one set up by the hacker who installed the software.

GuideStone, through Brotherhood Mutual Insurance Company, offers theft by coercion coverage, which pays to replace the stolen funds, up to the stated amount of coverage. We recommend you work with your dedicated agent to determine the proper limits for this coverage option.

4. Ransomware for Valuable Data Information

Ministries are a target for data breaches — and many times through ransomware. Cybercriminals often target nonprofit organizations and ministries because of the financial and personal data they store for their members and donors. This information attracts cybercriminals because they can learn whom to target in their crimes when they know more about their nonprofit affiliation and giving trends. If your ministry becomes a victim of a cybercriminal who has locked up your computer systems, rendering them unusable, the criminal will frequently request a ransom to make the systems accessible again. This ransomware payment can also be covered by our theft by coercion insurance coverage, up to the limit purchased, subject to policy limits, terms, and conditions.

We offer theft by coercion insurance coverage through Brotherhood Mutual Insurance Company to cover these incidents. We highly recommend adding enough protection that covers at least the amount of your highest-paid worker’s regular paycheck and believe you should consider higher limits based on your risk tolerance for ransomware attacks.

How can my ministry mitigate these risks?

Nearly all cybertheft is avoidable. In our article, Cyber Liability for the Ministry Environment, we see that “almost 90% of cyberattacks are caused by human error or behavior.” Most cybertheft can be prevented through the implementation of multi-factor authentication.

According to PingIdentity.com², “multi-factor authentication is when a user must provide two or more pieces of evidence to verify their identity to gain access to an app or digital resource. Multi-factor authentication (MFA) is used to protect against hackers by ensuring that digital users are who they say they are.” Multi-factor authentication is used in technology, and the same approach can be implemented for every online financial transaction or change to account information. Implementing a plan that requires the individual to provide multiple forms of identification or confirmation is the key to fighting these cybercrimes.

It’s impossible to prevent every instance of cybertheft or ransomware; these criminals are smart, and no one expects to be a victim. But proper insurance coverage is available and recommended in addition to the implementation of multi-factor authentication.

Your insurance coverage limit should align with your financial practices and controls. For payroll, we recommend your ministry choose a theft by coercion limit that is at least equal to your highest-paid worker's regular paycheck. Theft by coercion coverage also covers ransomware attacks. For theft by electronic means, we recommend your ministry select a limit equal to the highest transfer amount that your ministry would ever allow. Money transfers are often part of mission trips, mortgage payments, international interactions, and large purchases.

Remember, all insurance policies have terms, limitations, exclusions and conditions. This article is not a guaranty of coverage for your specific situation; it is intended for educational purposes to help reduce the risk for your ministry. We want to bring awareness to this fast-growing issue we are all facing. At GuideStone, we are here to monitor these trending threats so that you can focus on your ministry.

For more information, contact us at or (214) 720-2868, Monday through Thursday, from 7 a.m. to 4:30 p.m. CT and Friday, from 7 a.m. to 4 p.m. CT.

To learn about coverage options and get a quote, complete the form here.




³ MinistryFirst 4.8 Examples of Covered Claims Property - Liability copyright 2021