
Top 5 Cyber Threats Churches Face in 2025

 

In 2025, it is unlikely that anyone utilizing technology to do ministry, business, or any other kind of activity or work is unaware of the threats posed by cybercriminals. Nevertheless, many individuals and organizations continue to fall prey to some of the most elementary, common, and easily prevented cyber-attacks. Why?

There are many reasons, of course, but three stand out as common.  First, many churches have not adequately trained their staff to protect against these issues.  Next, some churches do not fully appreciate that they are an attractive target for these types of attacks—such cybercrime is not reserved for big companies. Finally, many churches have not instituted processes, protocols, and tools to ensure that their systems, data, and people are as protected as possible. Effective technology security does not happen by accident; it is the function of an intentional, consistently followed, and focused plan.

Throughout 2025, Enable has continued to observe churches being actively targeted by cyber attackers who have proven they know the church market and aren’t shy about exploiting churches. They understand our vernacular, business processes, and the overall trusting nature of our staff and lay leaders. They are leveraging this knowledge to destroy church reputations and steal money from church accounts and, in some cases, directly from congregants.

The 5 most common attacks we’ve seen churches fall victim to in 2025 are:

1. Church Staff Business Email Compromise (Account Takeover) – An attacker successfully tricks a church staffer into providing their username, password, and even an MFA code. This allows the attacker to log directly into the user’s email account and send and receive email from their mailbox. The attacker will normally hide their activity while engaging directly with banks, vendors, and church congregants, all while the user has no idea this nefarious activity is taking place right under their nose.

2. Vendors/Partners with Business Email Compromise (Account Takeover) – Similar to the above situation, an attacker successfully takes over a trusted vendor’s email account and begins communicating false information to the church. This situation nearly always ends in financial loss to the church, as funds are wired to the attacker’s bank account after the attacker manipulates the church into redirecting the funds to a new account. We’ve seen many vendors in multiple industries fall victim to this scheme, e.g., mission trip planning organizations, construction companies, security vendors, and landscapers.

3. VIP Spoofing (Lead Pastor, Executive Pastor, Business Administrator, etc.) – Church staff and congregants begin receiving convincing emails or text messages purporting to be from a key leader at the church. When folks reply and engage with the attacker, they are often coerced into sending the attacker pictures and codes from gift cards. This is very common and works way too often.

4. Church Management System Account Compromise – Staff or lay leaders with access to contact information for all congregants in the church management system have their logins stolen and compromised. Once the attacker is able to log in to the Church Management System, they have full access to the information available to that staff person or leader. This can include information about and full contact information for everyone at the church. Attackers can quickly steal the full directory of contact information for everyone in the church. The attacker is then equipped to launch targeted attacks against individual church congregants.

5. Ransomware – An attacker gains access to a computer in the environment, often through an unpatched security vulnerability. All data on the servers and workstations is then stolen, encrypted, and made inaccessible to the church unless it pays a ransom. If you refuse to pay, the attackers threaten to release all the information they stole, further compromising the church and its congregants.

 

These types of common attacks are avoidable. To protect themselves, however, churches must take intentional steps to ensure that their systems, data, and people are as protected as possible. This will require a focused plan that includes proper training, awareness, processes, and tools. Institution of such a plan does not happen automatically or easily; it costs time, effort, and money.  


Churches carry the mandate of responsible stewardship; they have to balance the costs and benefits of any expenditures they make. While they do not want to succumb to manipulative fearmongering and spend time, effort, and money needlessly, they need to make sure that they have been responsible in stewarding the resources under their care: funds, data, people, etc.

Enable Ministry Partners has been assisting churches to utilize technology to enable ministry and expand the Kingdom for 25 years. We understand the trade-offs involved in deploying technology to support ministry and protect the church in this age of cybercrime and security threats. If you have questions about your church's status or wish to receive a complimentary review of your current efforts, please do not hesitate to reach out to us at info@enable.email.
