Secure Your Account

Created on:
Updated on:

Although Planning Center tries to ensure your account is protected from those with malicious intent, any publicly accessible website is susceptible to cyberattacks. Awareness and continued vigilance is the key to avoiding attacks like this. With the guidelines below, your team can prevent scammers from taking advantage of your congregants.

Tip

Consider requiring anyone with access to the database to use two-step verification.

How Administrators Help with Security

Those with the highest level of access to your database have a responsibility to help keep your account secure. The sections below explain how to keep each product secure.

People Managers and Editors

Any manager can give access to the directory, and they can limit what's visible. Coach your managers on what to look for before granting directory access. Here are some considerations for managers when determining access privileges:

  • How old is the profile?

  • Is there any other activity on their profile?

  • Does this profile belong to someone actively involved in your church?

Consider implementing criteria for directory access, such as attendance for a certain number of months, membership status, or attendance in person for a specified amount of time.

Mark as Inactive Instead of Deleting

If someone is not who they say they are, mark them inactive. You could add a custom inactive reason or a nickname like "SCAMMER" to the profile, so if they reactivate their profile, you'll have an immediate indicator that this is not a legitimate profile. If you delete them, you won't have a record of their scam attempt.

Group Administrators and Leaders

When someone requests to join a group, group leaders are responsible for ensuring they know the person joining the group. If they don't know a person, they can ask their group members to verify a person's identity before giving them access to the group.

Likewise, if a group leader can search the database to add a person to their group, make sure they understand that the information they can access is confidential and not to be shared with other people.

Check-Ins Editors

Security is essential, especially when checking in children. Check-Ins has boundaries that help your children stay secure when they are in the classroom and when they are picked up from the classroom. Check out this article on Security in Check-Ins.

Giving Administrators

Giving has specific permissions based on the information a person needs to see to run reports, enter checks, or manage donations to your church. Because the information in Giving is so sensitive, Giving has a system log that allows Administrators to see the changes. Additionally, only people with Giving permissions can access donation information, including Giving activity in People.

Check out the following articles to see how security is handled in Giving.

Common Scams

Scammers have a few different methods through which they attempt to access the contact information of others at your church. If they can access the directory or database, the scammer saves as many names, phone numbers, and email addresses of your congregation as possible. They use this information to contact people in your congregation, pretending to be the lead pastor or a key staff member with an "urgent" request for money, usually through gift cards to Amazon, Google, or iTunes. The scammer continues to contact your congregation until no more money is left to be made.

Here are some common scamming methods and some ideas to ensure scammers don't gain access to this information.

Pretending to Be a Member

This scammer creates a profile through Church Center, a People form, a Registrations signup, or some other way and requests access to the directory. Once access is granted, the scammer emails or texts directory members pretending to be the church pastor, asking for gift cards.

. Preventing This Scam

  • Enable Privacy Mode

    Privacy mode is enabled by default and makes your church's contact information inaccessible to the scammer and eliminates the possibility of them impersonating other church members or leaders.

  • Verify the Person's Identity

    If you're unsure about someone trying to join a group, gain access to the directory, or change their email address, ask other leaders at your church to verify who the person is. If no one recognizes the person, email the person asking them a few questions like these:

    • Who recommended our church to you?

    • How did you find our church?

    • How long have you been attending?

    • Would you like to attend a meet and greet with a pastor?

    If they mention someone's name, follow up with the referred person to verify that the person knows them.

  • Review for Legitimate Information

    Before granting access to a list of people, review the list for any suspicious email addresses or names.

  • Check Database Activity

    If giving directory access to a list, consider adding conditions to the list that only find people with certain activities or membership types so that you can be sure you are only giving directory access to people involved in your church in some way.

  • Keep Your Database Up-to-Date

    Inactivate any profiles that are not actual people at your church.

Impersonating a Member or Leader

This scammer creates a fake email that looks like it belongs to someone you may know in real life, like centervillepastorjoe@gmail.com. They then write to the church requesting that the email address in that person's profile be updated to the fake email the scammer uses. Once the email address is updated, the scammer accesses the victim's Church Center account to view the directory or resets the victim's account password to access Planning Center and harvest information.

. Preventing This Scam

  • Train all administrators to verify someone's identity before changing an email address or phone number. Administrators should encourage church members to make the change on Church Center themselves, use a form, or email/call with the original contact information to verify the changes that should be made.

  • Ensure that the only people with access to your directory and database actually need it to do their job.

  • Request anyone with database access to enable two-step verification. This prevents scammers from logging in, even if they request a new account password, because two-step verification requires an access code sent directly to the account holder's device.

Was this article helpful?
1 out of 1 found this helpful