404 Network Ninjas

IT Solutions

Why Scammers Love Churches and Nonprofits (And How to Stop Being an Easy Target)

By Nick Cappello
Why Scammers Love Churches and Nonprofits (And How to Stop Being an Easy Target)

If you run a nonprofit or a church, I want you to hear this clearly: you are not too small, too kind-hearted, or too under-the-radar to be a target. If anything, you’re a more attractive one, and it took me a while working with organizations like yours to understand exactly why.

Nonprofits and congregations tend to run lean. Small staff, volunteers doing double duty, an office manager who also handles the books, a pastor who also approves invoices. That’s not a criticism — it’s just how these organizations survive on tight budgets, doing more good with less than almost anyone else. But scammers know that structure well, and they know exactly what it means: fewer checks between “someone asked for money” and “money got sent.”

The scam that works embarrassingly often

The most common one I see isn’t clever. An email arrives that looks like it’s from the pastor, the executive director, or the board chair, asking someone to “quickly” buy gift cards, wire funds, or update a vendor’s banking details before an important meeting. It’s urgent. It’s framed as a small, reasonable favor. And it’s designed specifically to hit someone who trusts leadership and doesn’t want to seem difficult by questioning it.

That’s the whole con. Not sophisticated malware — just someone hoping your team’s culture of trust and helpfulness works against you, one time, for one wire transfer.

What actually helps, without turning your office cold

You don’t need to turn a warm, trust-based organization into a fortress. You need one or two simple habits that don’t cost anything: any request involving money or account changes gets a phone call to confirm, using a number you already have on file — never one from the suspicious email itself. That single habit stops the vast majority of these attempts cold, because the scammer’s entire plan depends on nobody double-checking.

Beyond that: basic email protections, a real backup for your donor and financial records, and a little bit of specific training for whoever handles your money — not a generic corporate cybersecurity seminar, but something that actually reflects how a nonprofit or a small church office really operates day to day.

Your mission deserves the money you raise for it going where you intended, not into a scammer’s account because someone was trying to be responsive to what looked like an urgent ask from leadership. If you want a straightforward, honest look at where your organization is exposed, we work with nonprofits and congregations specifically because this is a different problem than a typical business faces, and it deserves a different kind of answer.