Common Scams That Target Churches — How To Protect Yours
Key Takeaways
- Scammers are targeting churches more than ever.
- The most common scams revolve around member data and church logins.
Churches are uniquely vulnerable to scams because church culture is built on trust, generosity, and a willingness to help. Scammers know this and exploit it deliberately. Here are the most common scams we see targeting churches — and what to do about them.
Copyright Trolls: "You Owe Us Money for That Image"
The email looks professional. It comes from a law firm or a licensing agency. It claims that an image on your church website or music on a video is being used without a license, and that you owe hundreds — sometimes thousands — of dollars in damages. There may be a deadline. There may be legal-sounding threats.

This is almost always a scare tactic, not a legitimate legal action. These operations send mass emails hoping that someone will panic and pay without asking questions. The "damages" are inflated, the deadlines are fabricated, and the goal is to get you to write a check before you think it through.
One of the easiest ways to determine if one of these emails is fake is to inspect the actual email address the email came from.

What to do:
- Do not pay. Payment is not an admission of guilt, but it does invite more demands.
- If the image is on your site and you do not own it or have a license for it, remove it immediately. That is the end of your exposure in most cases.
- Do not respond to the email, call any phone number listed in the email, or click any links.
- If you use ChurchTrac, forward the entire email — including the message body — to copyright@churchtrac.com. ChurchTrac can help you assess the situation and respond appropriately.
The best long-term protection is simple: only use media you own or have a verified license for. ChurchTrac users already have a head start — ChurchTrac includes a built-in collection of Igniter Media images, license included, free to use on your church website. You can also subscribe to Igniter directly for a broader library. Another increasingly popular option is AI-generated images, which you are generally free to create and publish without licensing concerns.
Social Engineering: The Gift Card Scam and the Directory Grab
This common church scam works in two stages — and it starts long before anyone asks for a gift card.
Stage one: The directory grab
Someone sends an email or text to the church office. It appears to come from the pastor, an elder, or another trusted leader. The request is simple and sounds reasonable: "Can you send me the church directory? I need to reach some folks." The name is right. The tone feels familiar. The directory goes out.

Stage two: The gift card blast
Now the scammer has a list of church members with contact information. Emails and text messages go out impersonating the pastor: "I am in a bind and need your help. Can you purchase a few gift cards and send me the codes? I will explain everything later. Please keep this between us for now."

The secrecy is a red flag. So is the urgency. So is any request for gift cards — no legitimate emergency is solved with iTunes or Amazon gift cards.
What to do:
- Verify any unusual request by calling the person directly — using a phone number you already have for them, not one provided in the email.
- Never send a membership directory, contact list, or any personal member data based on an email request alone, regardless of who it appears to be from.
- Train your staff and volunteers to recognize this pattern. The people most likely to be targeted are the ones most eager to be helpful.
- If you use ChurchTrac to generate reports containing member contact information, ChurchTrac will prompt you with a warning before generating the report, reminding you to verify the request through a known phone number before proceeding.
- Report suspected social engineering attempts to your church leadership immediately so others can be warned.
Phishing and Fake Password Reset Emails
You receive an email that appears to come from your bank, your email provider, or another familiar service (like ChurchTrac), asking you to verify your account or reset your password. The link leads to a convincing fake login page designed to capture your credentials. These emails can be sophisticated — correct logos, familiar sender names, even a domain that looks nearly right at a glance.
Your email account is the most critical target. Whoever controls your email can trigger "forgot my password" resets on virtually every other service tied to that address — your bank, your giving platform, your church management software, your social media accounts. Losing email access is not just one breach; it is a master key to everything else.
For the record: ChurchTrac will never send you an unsolicited request to update your password. If you receive an email claiming to be from us asking you to do so, do not click anything — delete it.
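The sender check described in the copyright-troll and phishing sections above, written out as an added example (this is not ChurchTrac code). The leader name, the addresses and the `.example` domains are constructed, and the 0.85 similarity threshold is an assumption.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed): the addresses your leaders really use, and the
# domains your church normally receives mail from.
KNOWN_SENDERS = {"john smith": "pastor@firstchurch.example"}
TRUSTED_DOMAINS = {"firstchurch.example"}

def domain_of(address):
    """Lowercased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_sender(raw_message):
    """Return a list of warnings about who a raw email really came from."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr, from_domain = addr.lower(), domain_of(addr)
    warnings = []

    # 1. The name is right but the address is not the one on file.
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and addr != expected:
        warnings.append(f"name matches {expected} but mail came from {addr}")

    # 2. The domain is nearly, but not exactly, one you trust.
    for trusted in TRUSTED_DOMAINS:
        close = SequenceMatcher(None, from_domain, trusted).ratio() >= 0.85
        if from_domain != trusted and close:
            warnings.append(f"{from_domain} imitates {trusted}")

    # 3. Replies would be routed to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        warnings.append(f"replies go to {domain_of(reply_to)}")
    return warnings

# Constructed sample messages (not real mail).
GIFT_CARD = ("From: John Smith <js.pastor77@freemail.example>\n"
             "Subject: Quick favor\n\nCan you send me the church directory?")
LOOKALIKE = ("From: Church Office <office@flrstchurch.example>\n"
             "Reply-To: billing@collect.example\n"
             "Subject: Password reset\n\nClick to verify your account.")
GENUINE = ("From: John Smith <pastor@firstchurch.example>\n"
           "Subject: Sunday\n\nSee you at 9.")

if __name__ == "__main__":
    for label, raw in [("gift card", GIFT_CARD), ("lookalike", LOOKALIKE), ("genuine", GENUINE)]:
        print(label, check_sender(raw))
```

A clean result here only means the visible headers are consistent; an unusual request still gets the phone call to a number you already have.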
Other Scams That Target Churches
Here are some other common scams we see targeting churches, including overpayment checks and fake wire transfer requests.
Fake vendor invoices
A scammer spoofs a vendor your church already does business with — your HVAC company, your AV supplier, your lawn service — and submits an invoice with slightly different banking details. Always verify any change in payment instructions with a direct phone call to the vendor before sending money.
Fake wire transfer requests
An email appears to come from the pastor or a board member asking staff to urgently wire money for a mission trip emergency, a surprise gift, or another time-sensitive reason. Legitimate financial requests do not come through email alone. Require a secondary verification step for any wire transfer.
Overpayment check scams
Someone writes your church a generous check, then contacts you saying it was larger than intended and asks you to refund the difference. The original check later bounces. Never refund an overpayment until the original check has fully cleared — which can take weeks.
Fake grant offers
Your church has been selected to receive a significant faith-based grant. You just need to pay a processing fee to claim it. Real grants do not require upfront fees.
Domain and compliance notices
Emails designed to look like official notices from ICANN, your state government, or a regulatory body claim that your domain registration, annual report filing, or website compliance requires immediate payment. Most of these are either private companies charging for services you do not need, or outright fraud. Verify anything that looks like a government notice directly through official government websites.
Directory and SEO listing invoices
You receive an invoice or official-looking notice saying your church website must be submitted to a national directory, or that your search engine listing requires renewal. These are not obligations. Discard them.
Ransomware via phishing
A staff member clicks a link in a convincing email, and malware encrypts your church's files — including membership records and financial data. Attackers then demand payment to restore access. The best defenses are regular offsite backups, staff training on phishing awareness, and never paying the ransom.
Your Church Is a Target — Regardless of Size or Location
One of the most common misconceptions we hear is that a small or rural church does not need to worry about internet security.
Scammers are not driving through your town looking for targets. They are running automated operations from anywhere in the world, casting the widest net possible.
Scammers don't care about your church's:
- Membership Size
- Physical Location
- Denomination
What matters is that you have an email address, a website, a bank account, and people who are inclined to be helpful.
The good news is that most of these scams are entirely preventable with awareness and a few simple habits. To help you get started, ChurchTrac has put together a security checklist specifically for protecting your account and your church's data.
Church Scams FAQs
Scammers aren't targeting you personally; they are using automated software to scan thousands of church websites and directories at once. They actually prefer smaller churches because they know large corporations have dedicated IT security departments. Smaller ministries often rely on passionate volunteers and busy staff who wear multiple hats, making them easier targets for fast-paced, high-pressure scams.
Legitimate legal actions rarely start with a vague, threatening mass email demanding immediate payment via a digital link. Copyright trolls rely on panic. Look closely at the sender’s email domain (not just the display name).
Don’t panic, but act quickly. First, isolate the breach: if a password was compromised, change it immediately and log out of all active sessions. If financial data or wire transfers were involved, contact your bank’s fraud department right away. If a member sent gift cards, have them contact the card issuer (e.g., Apple or Amazon) to see if the funds can be frozen. Finally, communicate openly with your staff and congregation.