Although Planning Center tries to ensure your account is protected from those with malicious intent, any publicly accessible website is susceptible to cyberattacks. Awareness and continued vigilance is the key to avoiding attacks like this. With the guidelines below, your team can prevent scammers from taking advantage of your congregants.
Consider requiring anyone with access to the database to use two-step verification.
Those with the highest level of access to your database have a responsibility to help keep your account secure. The sections below explain how to keep each product secure.
Any manager can give access to the directory, and they can limit what's visible. Coach your managers on what to look for before granting directory access. Here are some considerations for managers when determining access privileges:
How old is the profile?
Is there any other activity on their profile?
Does this profile belong to someone actively involved in your church?
Consider implementing criteria for directory access, such as attendance for a certain number of months, membership status, or attendance in person for a specified amount of time.
If someone is not who they say they are, mark them inactive. You could add a custom inactive reason or a nickname like "SCAMMER" to the profile, so if they reactivate their profile, you'll have an immediate indicator that this is not a legitimate profile. If you delete them, you won't have a record of their scam attempt.
When someone requests to join a group, group leaders are responsible for ensuring they know the person joining the group. If they don't know a person, they can ask their group members to verify a person's identity before giving them access to the group.
Likewise, if a group leader can search the database to add a person to their group, make sure they understand that the information they can access is confidential and not to be shared with other people.
Security is essential, especially when checking in children. Check-Ins has boundaries that help your children stay secure when they are in the classroom and when they are picked up from the classroom. Check out this article on Security in Check-Ins.
Giving has specific permissions based on the information a person needs to see to run reports, enter checks, or manage donations to your church. Because the information in Giving is so sensitive, Giving has a system log that allows Administrators to see the changes. Additionally, only people with Giving permissions can access donation information, including Giving activity in People.
Check out the following articles to see how security is handled in Giving.
Scammers have a few different methods through which they attempt to access the contact information of others at your church. If they can access the directory or database, the scammer saves as many names, phone numbers, and email addresses of your congregation as possible. They use this information to contact people in your congregation, pretending to be the lead pastor or a key staff member with an "urgent" request for money, usually through gift cards to Amazon, Google, or iTunes. They scammer will continue to contact your congregation until no more money is left to be made.
Unfamiliar with gift card scamming? Check out this video.
Here are some common scamming methods and some ideas to ensure scammers don't gain access to this information.
This scammer creates a profile through Church Center, a People form, a Registrations signup, or some other way, and requests access to the directory. Once access is granted, the scammer emails directory members pretending to be the church pastor, asking for gift cards.
. Preventing This Scam
Verify the Person's Identity
If you're unsure about someone trying to join a group, gain access to the directory, or change their email address, ask other leaders at your church to verify who the person is. If no one recognizes the person, email the person asking them a few questions, like these:
Who recommended our church to you?
How did you find our church?
How long have you been attending?
Would you like to attend a meet and greet with a pastor?
If they mention someone's name, follow up with the referred person to verify that the person knows them.
Review for Legitimate Information
Before granting access to a list of people, review the list for any suspicious email addresses or names.
Check Database Activity
If giving directory access to a list, consider adding conditions to the list that only find people with certain activities or membership types so that you can be sure you are only giving directory access to people involved in your church in some way.
Keep Your Database Up-to-Date
Inactivate any profiles that are not actual people at your church.
This scammer creates a fake email that looks like it belongs to someone you may know in real life. They then write to the church requesting that the email address in that congregant's profile be updated to the fake email the scammer uses. Once the email address is updated, the scammer resets the account password and logs into Church Center.
. Preventing This Scam
Train all administrators to verify someone's identity before changing an email address or phone number. Administrators should encourage church members to make the change on Church Center themselves, use a form, or email/call with the original contact information to verify the changes that should be made.
Ensure that the only people with access to your directory and database actually need it to do their job.
Request anyone with database access to enable two-step verification. This prevents scammers from logging in, even if they request a new account password, because two-step verification requires an access code sent directly to the account holder's device.