
The Church Administrator’s Payroll Security Handbook

A plain-English, zero-jargon guide to church payroll security. Learn the 7 controls that protect your church from cyberattacks, BEC, and tax penalties.

A Note Before We Start

This handbook is for anyone who handles church payroll. If you are not an IT director, CISO, or security professional, you are in the right place.

Most cybersecurity advice assumes you have a budget, a team, and plenty of time. In reality, you probably handle payroll along with many other urgent jobs. This guide is made for your situation.

We have kept jargon to a minimum. When we use terms like MFA, BEC, or FICA, we explain them the first time we use them. The threat is real, but you do not need to be a security expert. You just need to make a few key decisions, write them down, and stick to them.

Why Payroll, Why Churches, Why Now

If you have ever wondered why a cyberattack might target a small church, it is because attackers go after groups, not just single organizations.

Attackers are not targeting churches for personal reasons. They focus on churches as a group because churches:

  • Hold valuable data (employee Social Security numbers, addresses, dates of birth, bank account numbers)
  • Spend almost nothing on security
  • Often run on volunteer or part-time finance staff who are stretched thin
  • Maintain a culture of trust, which increases the likelihood of successful social engineering attacks, such as urgent requests appearing to come from the pastor

This is not about right or wrong. It is simply how attackers think. That is why a Medium analysis of church cybersecurity (Olusanya, 2025) found that more than 70% of churches have been targeted by a cyberattack.

Payroll and HR data are often stolen instead of donor records because payroll PII (personally identifiable information) is worth more when resold. IBM’s 2025 Cost of a Data Breach Report says that employee PII accounts for 40% of all breached records and costs about $178 per record to remediate. For a church with 25 staff, that is almost $5,000 in remediation costs if payroll files leak, not counting legal fees, notification costs, or the time spent handling calls.

Recent changes have increased the urgency of payroll security. Two major developments in the past two years are:

  1. Ransomware against small organizations has exploded. BDO’s 2025 Nonprofit Cybersecurity Report found weekly cyberattacks on nonprofits rose 30% in a single year. NetHope reported a 241% increase in attacks on the sector between 2024 and 2025.
  2. AI has made phishing emails much more convincing. The old “Dear Friend, I am Prince…” messages are gone. Now, phishing emails are well-written, can mimic your pastor’s style, and mention real events at your church, often using information from your website or social media. Because of this, the risks have changed, and small organizations that have used the same practices for years now face new threats.