As mentioned in our previous update, we’ve seen a large uptick in fraudsters tricking church admins into adding a fraudulent email address to the profile of another user who has access to the people in their church database. That gives the fraudster access to the entire church database.
To help prevent these kinds of scams, we quickly implemented a change that prevented admins from editing the login information for these users. We heard from many of you that this change was too large, too fast, and prevented you from carrying out essential updates. As a result of your feedback, we’ve implemented some improvements.
If you have permission to edit a profile belonging to someone who has access to view your congregation’s data, you will see a warning about potential scams and be asked to verify that the source of the information is legitimate. You have the ability to update email addresses and phone numbers again, but will also need to be on the lookout for potential scams to protect your church’s data. Once congregants' data is out there on the dark web, there is no getting it back.
As much as possible, we would also encourage you to follow a few other best practices:
- Ask everyone with access to view your congregation's data to manage their own login information directly.
- Have admins enable two-step verification (2SV) on their accounts.
- Limit permissions to people who need them and regularly audit who can access your data.
We appreciate all of your feedback and support as we work to protect you and your congregations, and we’ll continue to be vigilant on your behalf.
As usual, if you have any additional feedback or questions, please don’t hesitate to reach out to our Support Team.
❤️
~ The People Team ~