So, Your Church Account Has Been Hacked
Apr 19, 2018
By the Rev. Justin Johnson
I woke up as if it were a normal day. I had my cup of coffee in my hand and was ready to sit and read my email, as is my normal morning routine. I had an email from my treasurer addressed to the council president and me: There has been a breach in our church account and a large sum of money was withdrawn; we recovered half of it, but the rest was cleared. This was found because our financial officers regularly check our bank accounts to keep up to date. It is not something you normally want to read in the morning.
As the day progressed, it turned out worse than we imagined. It wasn’t just that sum of money, but a much, much larger sum. It also wasn’t just one account, but several. Someone was writing printed checks for large sums of money and cashing them. They had also transferred funds from savings accounts into another account.
As a pastor, I have never dealt with this before, but I knew communication was key, as was trust in my church leadership. After connecting with the bank, the first thing we needed to do was notify the council of what was happening. I shared the details, what we were doing to help resolve the issue, and who we were working with. At this point, we did not know if it was an inside job, a breach, or someone in the neighborhood with our account number, so being discreet while informing our leaders was important.
I contacted my Dean and the Synod office to inform them of what was going on. We are part of a larger church and even though our church was handling it, communication with the larger church was important. If it turned out to be something larger, such as an embezzlement or being part of a fraud ring, I wanted to make sure the larger church was not taken by surprise by the news.
As a team, we identified leaders within the congregation who would understand the issue. While a treasurer may be the main contact for much of this, the need for neutral eyes and individuals with more knowledge became important. One of our council members worked in a bank, for example, so she became part of our communication with the bank and became a secondary contact person. She knew what questions needed to be asked. I, as pastor, stepped back because banking systems are not my realm, so I took care of communication and caregiving to our key leaders.
I was also in regular contact with the council president, as we were not sure what type of theft we were dealing with. We had to be prepared for any kind of theft, including embezzlement. We also came up with a plan on what to say to the congregation and when to say it. We came up with a plan in case we had an inside issue.
As the bank investigated the situation, it turned out it was a professional breach. Someone in another state had gotten ahold of our account information through an online account, placed themselves on our account, and waited. Within 24 hours, the attack occurred, moving money from one state to another through various banks. The checks were “scrubbed,” so we could not trace where they ended. The account information was gotten either through a phone app, phone usage, or unsecured laptop connection. It was probably a simple mistake or a quick convenience.
Knowing this, we are currently in discussion about how to make sure we log into any church accounts using a secure connection. Currently, we are proposing only using church computers on the church WiFi system to log into church accounts. If a laptop is used, it must have had a virus sweep done prior to logging onto an account with sensitive information.
I am sharing all this because no church thinks this will happen to them. Good accounting/money handling practices are key to making sure churches do not open themselves up to hackers. At times, we might become lax in our practices because of convenience. Using apps, home computers, or non-church laptops to access key church information might be easier, but it may come at a cost, as we found out.
I also share this to write about crisis management. Communication with leaders is key within a crisis. The temptation might be for one individual to handle everything, or for several individuals to take charge and wind up doing the same thing and getting in one another’s way. In moments of crisis, it is important to place individuals in roles where they can help and not in roles they have no knowledge in. It would have been easy, for example, for me as pastor to take over, but recognizing my own strengths and my role helped avoid a bigger crisis and allowed people in the know to act accordingly. Micromanaging never helps, but having everyone on the same page and letting leaders know what the plan was helped with anxious leaders.
All of this kept things moving and we resolved everything in less than 24 hours. We are expected to have our case closed and all of our funds returned. Knowing strengths, assigning roles, communication, and giving focus helped move this crisis into something manageable. There is still lots to do, such as changing all of our accounts, but we got through being hacked.
I hope this article helps you to think about how to hack-proof your church accounts.