TL;DR: Five attack patterns are responsible for nearly every confirmed church cyber incident we have reviewed in 2025: staff email account takeover, vendor email compromise, VIP spoofing of pastors and executives, church management system credential theft, and ransomware. The independent data lines up with what church-focused IT firms are reporting in the field, and the financial stakes are no longer abstract. This guide walks through each attack, the evidence behind it, and the controls that actually move the needle.
What You Need to Know About Church Cyberattacks in 2025:
Business email compromise alone drove $3.046 billion in reported U.S. losses in 2025, second only to investment fraud, per the FBI Internet Crime Complaint Center’s 2025 Annual Report.
Incidents against religious, civic, and social organizations surged 555% year over year in the first seven months of 2025, per Blackpoint Cyber’s August 2025 report.
The five attack patterns we cover here come directly from Enable Ministry Partners’ September 2025 field summary, the most credible church-specific source currently published.
Real church losses in 2025 included a $1.75 million wire fraud at St. Ambrose Catholic Parish and a ransomware breach at First Baptist Church of Hammond affecting 5,217 people.
Multi-factor authentication, out-of-band verification of financial requests, and tested offline backups defend against most of what we describe here.
These attacks are predictable and defensible. What is not defensible is treating cybersecurity as someone else’s problem.
What are the five types of cyberattacks targeting churches in 2025? The five confirmed attack types are staff email account takeover, vendor email compromise, VIP spoofing of church leaders, church management system credential theft, and ransomware. Each follows a documented pattern, and together they account for the overwhelming majority of church cyber incidents reported by Enable Ministry Partners and tracked independently by the FBI Internet Crime Complaint Center in 2025.
We cover the broader posture in our guide to cybersecurity and data stewardship for churches, and this post drills into the five specific attack patterns church leaders most need to recognize.
Table of Contents
Why Churches Have Become a Primary Target
Attack One: Staff Email Account Takeover (Church Staff BEC)
Attack Two: Vendor and Partner Email Compromise
Attack Three: VIP Spoofing of Pastors and Executives
Attack Four: Church Management System Account Compromise
Attack Five: Ransomware
What Actually Reduces the Risk
Frequently Asked Questions
Key Takeaways
Sources and References
Where We Go From Here
Why Churches Have Become a Primary Target
Churches are no longer collateral damage in untargeted phishing waves. They are now selected. Blackpoint Cyber’s August 2025 report tracked a 555% year-over-year jump in confirmed incidents targeting “Institutions & Organizations,” the industry classification that includes religious organizations. BDO’s 2025 nonprofit cybersecurity briefing reported a 30% year-over-year increase in weekly cyberattacks against nonprofits in 2024, and an average breach cost approaching $2 million when recovery, legal exposure, and reputational damage are counted.
The targeting logic is straightforward. Churches hold giving records, member directories, counseling notes, and payment credentials. Staff and volunteers are wired to trust requests that sound pastoral or urgent. Budgets for security tooling are thin, and the same person who runs the church management system (ChMS) often also runs payroll, the livestream, and the office network. Enable Ministry Partners summarized the dynamic in their September 2025 report: attackers “understand our vernacular, business processes, and the overall trusting nature of our staff and lay leaders.” That is the operating environment we work in now.
Key Point: Church cybersecurity is no longer a question of whether a congregation is large enough to be attacked. It is a question of whether the congregation is prepared for the attacks that are already underway.
How Does Staff Email Account Takeover Work (Church Staff BEC)?
An attacker captures a staff member’s email username, password, and in many cases the multi-factor authentication code, then logs in directly to the inbox and operates from inside it. Enable Ministry Partners lists this as the number one confirmed attack pattern they responded to in 2025. Once inside, the attacker reads recent email threads, identifies banking and vendor relationships, and then sends instructions to banks or congregants from the legitimate mailbox.
Because the email actually comes from the staff member’s address, traditional spoofing filters do nothing. The FBI’s 2025 IC3 Annual Report recorded $3.046 billion in business email compromise losses across 24,768 complaints, with 86% of those losses moving by wire transfer or ACH. Churches sit inside that count, and the IC3 figure is widely understood to undercount because most victims never file.
Key Point: If an attacker is inside a real church inbox, no email-based filter will save us. The only durable defenses are MFA with number matching, conditional access policies, and out-of-band verification of any financial instruction.
How Does Vendor and Partner Email Compromise Target Churches?
The attacker compromises a contractor, mission trip coordinator, landscaper, or security vendor, then sends the church a routine-looking invoice with new banking details. This is exactly what happened at St. Ambrose Catholic Parish, which lost $1.75 million after attackers monitored email between the parish and its construction contractor, then inserted new wire instructions at the moment a real payment was due.
No filter caught it because the message routing was legitimate. Enable Ministry Partners reports vendor compromise nearly always ends in financial loss for the targeted church. The pattern is also a useful reminder that vendor security questions belong in every procurement conversation. We covered the broader vendor-selection discipline in our piece on how to evaluate church management software without getting sold, and the same out-of-band verification principle applies to any vendor handling money or member data.
Key Point: Any change to a vendor’s banking instructions must be verified by phone, on a number we already have on file, before a single dollar moves. Email confirmation of an emailed change is not verification.
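The verification rule above can be written down as a payment-release gate so that the process does not depend on a busy bookkeeper remembering it under deadline pressure. The following is an added example, not code from this post or from Enable Ministry Partners or any vendor named here: a vendor's bank details change only after a phone callback to the number already on file, the gate rejects email replies and numbers quoted in the request itself, and no payment is released to an account that is not on file. Vendor names, phone numbers and account identifiers are constructed.

```python
"""Payment release gate modelling the out-of-band verification control.

Added example, not code from the original post or from any firm named in it.
Vendor names, phone numbers and account identifiers below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vendor:
    name: str
    phone_on_file: str      # recorded at onboarding, never taken from an inbound email
    bank_account: str


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    channel: str                                      # how it arrived: "email", "portal", ...
    callback_number_in_request: Optional[str] = None  # attackers often supply their own


@dataclass
class Verification:
    method: str            # "phone_callback" or "email_reply"
    number_dialed: str
    verified_by: str
    vendor_confirmed: bool  # what the person reached on the call actually said


class PaymentGate:
    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.audit_log: list[str] = []

    def apply_bank_change(self, req: BankChangeRequest, ver: Verification) -> bool:
        vendor = self.vendors[req.vendor]
        # Replying to the email that asked for the change proves nothing: the
        # attacker controls that thread.
        if ver.method != "phone_callback":
            self.audit_log.append(f"REJECT {req.vendor}: {ver.method} is not out-of-band")
            return False
        # The call must go to the number already on file. A number quoted in
        # the request would simply reach whoever wrote the request.
        if ver.number_dialed != vendor.phone_on_file:
            self.audit_log.append(f"REJECT {req.vendor}: dialed {ver.number_dialed}, "
                                  f"on file {vendor.phone_on_file}")
            return False
        if not ver.vendor_confirmed:
            self.audit_log.append(f"SUSPECTED FRAUD {req.vendor}: vendor denies change via {req.channel}")
            return False
        vendor.bank_account = req.new_account
        self.audit_log.append(f"ACCEPT {req.vendor}: change verified by {ver.verified_by}")
        return True

    def release_payment(self, vendor_name: str, amount: float, destination: str) -> bool:
        vendor = self.vendors[vendor_name]
        if destination != vendor.bank_account:
            self.audit_log.append(f"HOLD ${amount:,.2f} to {vendor_name}: destination not on file")
            return False
        self.audit_log.append(f"RELEASE ${amount:,.2f} to {vendor_name}")
        return True


def scenario() -> dict:
    """Run a constructed vendor-compromise attempt against the gate; returns each outcome."""
    name = "Example Construction Co."
    gate = PaymentGate([Vendor(name, "+1-555-0100", "ACCT-ON-FILE-0001")])
    # Constructed: an emailed invoice carrying new wire instructions and a "new" contact number.
    fraud = BankChangeRequest(name, "ACCT-UNVERIFIED-9999", "email", "+1-555-0199")
    out = {}
    out["email_reply"] = gate.apply_bank_change(
        fraud, Verification("email_reply", "", "bookkeeper", True))
    out["callback_to_number_in_request"] = gate.apply_bank_change(
        fraud, Verification("phone_callback", fraud.callback_number_in_request, "bookkeeper", True))
    out["payment_to_unverified_account"] = gate.release_payment(name, 250000.00, fraud.new_account)
    # Callback to the number on file: the real contractor says they sent no such change.
    out["callback_on_file_vendor_denies"] = gate.apply_bank_change(
        fraud, Verification("phone_callback", "+1-555-0100", "bookkeeper", False))
    # A legitimate change, confirmed on the same on-file number, goes through.
    legit = BankChangeRequest(name, "ACCT-ON-FILE-0002", "portal")
    out["legitimate_change_confirmed"] = gate.apply_bank_change(
        legit, Verification("phone_callback", "+1-555-0100", "bookkeeper", True))
    out["payment_after_legit_change"] = gate.release_payment(name, 250000.00, "ACCT-ON-FILE-0002")
    out["audit_entries"] = len(gate.audit_log)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

The audit log is the part worth keeping in a real implementation: a rejected change with a "vendor denies" entry is exactly the record an insurer or the FBI will ask for, and it shows the control working before any money moved.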
How Does VIP Spoofing of Pastors and Executives Work?
Staff and members receive a message that appears to come from the senior pastor, executive pastor, or business administrator, often by text. The request is small at first: “Are you available? I need a quick favor.” Once the target engages, they are asked to buy gift cards and send the codes.
Enable Ministry Partners notes this pattern works far too often in church settings. The FBI’s 2025 IC3 report confirms phishing and spoofing as the single most reported complaint category, with 191,561 reports nationally. Religion Unplugged’s August 2025 reporting documented church teams experiencing up to 34% failure rates in phishing simulations, among the highest of any sector. AI now makes this attack worse. The IC3 report’s first dedicated section on artificial intelligence documented voice cloning being layered into business email compromise, with follow-up calls that sound like a real CFO or pastor reinforcing a written request.
Key Point: A standing policy that no leader will ever ask staff or congregants to buy gift cards, by text or email, defangs this attack almost entirely once it is communicated.
How Does Church Management System Account Compromise Happen?
A staff member or lay leader with broad access has their credentials stolen, often through password reuse from a breached third-party site. The attacker logs in and exports the directory. The damage is not just the data loss. The attacker now holds verified contact information for every member of the congregation and uses it to launch targeted scams against congregants in the church’s name. The reputational fallout often outlasts the technical incident by months.
Community IT’s 2025 Nonprofit Cybersecurity Incident Report documented 472 suspected and 32 confirmed account compromises across its nonprofit clients in 2024, with brute-force attempts and credential stuffing as the dominant access methods. The pattern is identical to what church-focused responders are seeing.
There is also a structural issue underneath this attack. Churches commonly hold the same identifying information in three or four systems that do not talk to each other, which multiplies the surfaces an attacker can hit. We unpacked that pattern in why your church tech stack isn’t broken, it’s built this way, and consolidating the data picture is part of the cybersecurity story too.
Key Point: MFA on every ChMS account, role-scoped permissions so no single login exports the entire directory, and quarterly access reviews are the controls that actually reduce this risk.
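The brute-force and credential-stuffing access methods Community IT reports leave a recognizable trace in the sign-in logs most ChMS platforms expose: one source failing against many different accounts in a short window, and then one of those accounts succeeding. The detector below is an added example, not code from this post, from Community IT, or from any ChMS vendor; the one-line log format and every record in it are constructed, with addresses drawn from documentation ranges.

```python
"""Credential-stuffing detection over ChMS sign-in logs.

Added example; the one-line log format and every record below are constructed
for illustration, not taken from any real product or incident.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed log format: <ISO timestamp> ip=<addr> user=<login> result=<OK|FAIL>
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: one source walks a list of usernames and one eventually
# works; a second, benign source is a staff member mistyping twice.
SAMPLE_LOG = """\
2025-09-14T02:13:01Z ip=203.0.113.45 user=jdoe result=FAIL
2025-09-14T02:13:03Z ip=203.0.113.45 user=msmith result=FAIL
2025-09-14T02:13:05Z ip=203.0.113.45 user=kwong result=FAIL
2025-09-14T02:13:08Z ip=203.0.113.45 user=alee result=FAIL
2025-09-14T02:13:10Z ip=203.0.113.45 user=rpatel result=FAIL
2025-09-14T02:13:14Z ip=203.0.113.45 user=tnguyen result=FAIL
2025-09-14T02:13:20Z ip=203.0.113.45 user=tnguyen result=OK
2025-09-14T08:01:10Z ip=198.51.100.7 user=pbrown result=FAIL
2025-09-14T08:01:30Z ip=198.51.100.7 user=pbrown result=FAIL
2025-09-14T08:01:55Z ip=198.51.100.7 user=pbrown result=OK
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    result: str


@dataclass
class Alert:
    kind: str
    ip: str
    user: str
    ts: datetime
    detail: str


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["ip"], m["user"], m["result"]))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event], distinct_users: int = 5, window_seconds: int = 300) -> list[Alert]:
    """Flag a source once it fails against `distinct_users` different accounts
    inside `window_seconds`, then flag any later success from that source."""
    recent_fails = defaultdict(deque)   # ip -> deque of (ts, user) inside the window
    flagged = {}                        # ip -> time first flagged
    alerts = []
    for ev in events:
        if ev.result == "FAIL":
            dq = recent_fails[ev.ip]
            dq.append((ev.ts, ev.user))
            while (ev.ts - dq[0][0]).total_seconds() > window_seconds:
                dq.popleft()            # drop failures older than the window
            users = {u for _, u in dq}
            if len(users) >= distinct_users and ev.ip not in flagged:
                flagged[ev.ip] = ev.ts
                alerts.append(Alert("credential_stuffing", ev.ip, ev.user, ev.ts,
                                    f"{len(users)} accounts failed from one source in {window_seconds}s"))
        elif ev.ip in flagged:
            # A success from a source already seen spraying accounts is the
            # highest-priority signal: treat that account as compromised.
            alerts.append(Alert("success_after_stuffing", ev.ip, ev.user, ev.ts,
                                "sign out all sessions, reset password, review directory exports"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.kind} ip={a.ip} user={a.user}: {a.detail}")
```

The same-user retries from the second address never trip the rule, because the threshold counts distinct accounts rather than raw failures; that distinction is what separates a stuffing campaign from a forgotten password. The "success after stuffing" alert is the one to wire to a pager, since it is the moment a directory export becomes possible.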
What Is Ransomware and How Does It Target Churches?
Attackers gain access through an unpatched vulnerability or a phished credential, exfiltrate data first, encrypt the network second, and then demand payment in cryptocurrency. Many groups in 2025 now skip encryption entirely and run extortion-only attacks.
The most prominent 2025 church case was First Baptist Church of Hammond in Indiana, where the Rhysida ransomware group demanded approximately $594,000 in July and ultimately compromised the personal data of 5,217 people. The General Council on Finance and Administration of the United Methodist Church publicly noted in October 2025 that the LockBit group had also recently breached Relentless Church in South Carolina. Across the broader sector, Blackpoint Cyber tracked 109 institutions and organizations posted to ransomware data leak sites in the first seven months of 2025, a 23.9% increase over 2024. Aprio’s nonprofit briefing documented the Salvation Army losing names, Social Security numbers, and driver’s license numbers to the Chaos ransomware group in May 2025.
Key Point: Tested, offline backups and a written incident response plan are the difference between ransomware as a weekend recovery and ransomware as an extinction event. Paying the ransom does not reliably get the data back.
What Controls Actually Reduce Church Cybersecurity Risk?
Four controls do most of the work across every credible source we reviewed:
Multi-factor authentication with number matching on every staff and lay leader account, including ChMS and giving platforms.
Out-of-band verification for every change to banking instructions, every wire transfer, and every unusual request from leadership.
Tested, offline backups of email, ChMS data, financial records, and critical files, restored on a schedule so we know they actually work.
Security awareness training with phishing simulations run at least quarterly, including for volunteers with system access.
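"Tested, offline backups" in the ransomware section and the controls list means more than confirming the backup job ran: it means restoring into a clean location and proving the restored files are byte-for-byte what was backed up. The drill below is an added example, not code from this post or from any backup product; it backs up constructed stand-ins for ChMS, giving and email files into a tar archive with a SHA-256 manifest, restores into a fresh directory, checks every hash, and shows what the drill reports when the archive is damaged. File names and contents are constructed.

```python
"""Backup restore drill: back up a set of files, restore into a clean location,
and prove every restored file matches a hash manifest taken at backup time.

Added example; the file names and contents are constructed stand-ins for ChMS
exports and financial records, not data from any church or product.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-ins for the data a church would back up.
SAMPLE_FILES = {
    "chms/members_export.csv": b"id,name,household\n1,Constructed Person,H1\n",
    "finance/giving_2025-09.csv": b"date,fund,amount\n2025-09-07,General,250.00\n",
    "email/archive_2025-09.mbox": b"From example@example.invalid\nSubject: constructed\n\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative posix path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tar of every file under source; return the manifest to store with it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def safe_extract(archive: Path, dest: Path) -> None:
    """Extract only regular files whose paths stay inside dest (no '..' or absolute names)."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if not member.isfile() or dest not in target.parents:
                raise ValueError(f"unsafe or unexpected archive member: {member.name}")
        tar.extractall(dest)


def restore_and_verify(archive: Path, manifest: dict, restore_root: Path) -> list[str]:
    """Return a list of problems; an empty list means the drill passed."""
    try:
        safe_extract(archive, restore_root)
    except Exception as exc:  # truncated gzip, bad header, unsafe member, ...
        return [f"restore failed: {exc!r}"]
    restored = build_manifest(restore_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    for rel in restored.keys() - manifest.keys():
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def backup_restore_drill(corrupt_archive: bool = False) -> tuple[bool, list[str]]:
    """Run the whole drill in temp dirs; corrupt_archive simulates a damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restore, archive = Path(tmp, "live"), Path(tmp, "restore"), Path(tmp, "backup.tar.gz")
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = create_backup(src, archive)
        if corrupt_archive:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])  # cut off mid-stream
        restore.mkdir()
        problems = restore_and_verify(archive, manifest, restore)
        return (not problems, problems)


if __name__ == "__main__":
    for label, corrupt in (("intact archive", False), ("truncated archive", True)):
        ok, problems = backup_restore_drill(corrupt_archive=corrupt)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {problems}")
```

Two design points carry over to a real schedule: the manifest is taken from the live data at backup time and stored with the archive, so the drill has something independent to check against, and the restore goes into an empty directory, never over the live copy. Running this against a backup that sits on storage the production network cannot write to is what makes the copy "offline" in the sense the section means.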
These controls are not glamorous, and they are not expensive at the scale of most church budgets. The budget conversation usually reveals where the real bottleneck is, and we have written separately about why your church’s technology budget reveals more than you think.
Frequently Asked Questions
Are small churches really being targeted, or is this only a large-church problem?
Small churches are being targeted at high rates. Blackpoint Cyber’s 2025 data shows attackers moving from “big game hunting” toward mid-tier and small targets, precisely because soft targets carry less law enforcement attention. The FBI’s 2025 IC3 data on business email compromise does not stratify by victim size, but church-focused IT firms report that congregations under 500 in attendance are now common BEC victims.
Does cyber insurance cover these losses?
It depends entirely on the policy. Standard errors-and-omissions coverage frequently excludes social engineering losses, which is the category most church BEC incidents fall under. Cyber-specific policies often require documented controls such as MFA before they pay claims. We recommend reviewing both the existing policy and the application questions with an insurance broker who works specifically with cyber risk.
How long does a typical recovery take after a ransomware attack on a church?
Operational recovery commonly runs three to eight weeks even when backups exist, because rebuilding identity systems, validating data integrity, and notifying affected individuals all take time. Without tested backups, recovery can extend beyond six months, and in some cases the church never fully recovers operationally before donor confidence erodes.
What does multi-factor authentication actually prevent?
Properly configured MFA prevents the vast majority of credential-stuffing and password-reuse attacks. It also prevents most basic phishing attacks from succeeding. It does not prevent MFA fatigue attacks where users approve a flood of push notifications, which is why number matching, where the user types a code displayed on screen, is now the recommended configuration.
Are denominational offices providing cybersecurity guidance?
Some are. The General Council on Finance and Administration of the United Methodist Church published October 2025 guidance on cybersecurity awareness, and several denominational technology offices now offer assessments. Coverage is uneven across denominations, and most congregations still need to source guidance externally.
Should we pay a ransom if attacked?
Independent security guidance from the FBI and most insurers is to avoid payment. The 2025 IC3 report does not endorse payment, and BDO’s nonprofit briefing notes that very few organizations that paid received complete data restoration. Payment also marks the organization as willing to pay, which raises the probability of future targeting.
What is the single most cost-effective control we can implement this month?
Enabling multi-factor authentication on every staff and lay leader account, including ChMS, email, giving platform, and any financial systems. The cost is generally zero with existing platforms, and the risk reduction is the largest of any single control available to a church under significant budget pressure.
Key Takeaways
The five attacks confirmed against churches in 2025 are staff email takeover, vendor email compromise, VIP spoofing, ChMS account compromise, and ransomware. All five are documented by independent reporting and church-focused IT firms.
Business email compromise drove $3.046 billion in U.S. losses in 2025, per the FBI IC3 Annual Report, and 86% of those losses moved by wire or ACH.
Religious and civic organizations saw a 555% year-over-year increase in confirmed incidents in the first seven months of 2025, per Blackpoint Cyber.
Real 2025 church losses include $1.75 million at St. Ambrose Catholic Parish and 5,217 people affected by the ransomware breach at First Baptist Church of Hammond.
Multi-factor authentication, out-of-band verification of financial requests, tested offline backups, and quarterly phishing simulations defend against most of what attackers are using.
Cybersecurity is a stewardship issue, not a technology issue. Treating it as IT plumbing is what produces the conditions these attacks rely on.
Sources and References
FBI Internet Crime Complaint Center, 2025 Annual Report press release (April 2026)
Rexxfield analysis of BEC statistics in the FBI IC3 2025 Annual Report (April 2026)
Enable Ministry Partners, “Top 5 Cyber Threats Churches Face in 2025” (September 2025)
Blackpoint Cyber, “When Good Causes Become Big Targets” (August 2025)
Comparitech reporting on First Baptist Church of Hammond ransomware breach (July 2025)
Church Tech Today reporting on St. Ambrose Catholic Parish BEC case (January 2026)
GCFA, “October Is Cybersecurity Awareness Month” (October 2025)
Religion Unplugged, “Email Phishing Scams Increasingly Target Churches” (August 2025)
BDO, “The Crucial Role of Cybersecurity for Nonprofit Organizations in 2025” (February 2025)
Community IT, 2025 Nonprofit Cybersecurity Incident Report (May 2025)
Aprio, “Cybersecurity Risk Management for Nonprofits” (February 2026)
Where We Go From Here
The five attack patterns above are now the working baseline of what every church leadership team should be able to recognize, prevent, and respond to. None of them are exotic, and none of them are unaffordable to defend against. The next question is usually where to start, which controls to sequence first, and how to bring the rest of the staff and lay leadership along without creating fear.
That is the conversation we work through in our broader guide to cybersecurity and data stewardship in ministry settings. If your ministry is working through how to harden against these specific attacks, we would be glad to think it through with you. We offer no-pressure consultations where we listen first, then share what we have learned helping ministries navigate the same questions.