
How to Spot a Church Email Scam and Phishing Attempts in 2025

Updated Guide for the St. Matthew’s Community


Short Summary: If you get an odd email or text from clergy or a church staff member asking for gift cards, urgent help, or personal information, it's almost certainly a scam. Don't respond, and always check with the church office if you're unsure.



Scam emails are not new, but they are getting more convincing. With AI-generated text, more sophisticated spoofing tools, and new tactics like QR code phishing, even careful people can be fooled. Churches, nonprofits, and faith-based communities are often targeted because scammers assume our members are kind, generous, and willing to help quickly.


This updated guide will help you stay safe and protect your information.


How to Recognize a Church Email Scam


Phishing Attacks Explained

Phishing


Phishing is a cybercrime in which someone sends a fake message pretending to be a trusted person or organization. Their goal is to trick you into sharing personal information, clicking a harmful link, or sending money.


Common goals:

  • Steal passwords

  • Install malware

  • Gain access to your accounts

  • Trick you into sending gift cards or money



Email Scam: Spoofing


Email spoofing happens when a scammer uses an email address or display name that looks like it belongs to someone you trust. The sender name may say “Fr. Rob” or “St. Matthew’s,” but the real email address is completely different.


Example:

From: Fr. Rob Merola

Email: stmatthews.help@gmail.com

This is not his address.


Example of a real scam email sent to a St. Matthew's member:

Subject: “Do you have a moment?”

Body: “I have a request I need you to handle discreetly. I’m currently busy in a prayer session, no calls — just reply my email.”

Signed: 

Reverend Rob Merola

Priest-in-Charge

Saint Mathew’s Episcopal Church


Notice the spelling errors, and remember that St. Matthew's clergy or staff would NEVER email or text a request like this.




Spear Phishing and “Whaling”


These scams target specific individuals. They may reference real church events, ministry work, or upcoming meetings to feel more believable. People who handle finances or make purchasing decisions are especially at risk.



New Types of Scams to Watch For in 2025


Fake Urgent Requests From Church Leaders

Church communities are frequently targeted. Scammers send messages that look like they are from clergy or staff and ask for help quickly.


Examples include:

“I am in a meeting and cannot talk. Can you buy gift cards for a family in need?”

“I need your help urgently. Please respond.”


If a message asks for money, gift cards, wire transfers, secrecy, or immediate action, stop and verify.


Shared File Scams

You might get an email that says you have been invited to view a document, such as Church Budget 2025.xlsx. The link leads to a fake login page designed to steal your password.


QR Code Phishing

Scammers now include QR codes in emails. These codes might be labeled as “view secure document,” “access your benefits,” or “confirm delivery,” but they lead to harmful websites.


AI Generated Messages

It used to be easy to spot scams because the grammar was poor. Now scammers use AI tools to create messages that read smoothly and sound professional, so grammar is no longer a reliable warning sign.


Legitimate Hacked Accounts

Sometimes the email truly does come from a real person’s account because their account has been hacked. These are especially dangerous because everything looks authentic at first glance.


Common Scam Tactics


Scammers may:

  • Pretend to be a church leader using a free email address such as rev.rob.parish@gmail.com

  • Use urgent language such as “I need your help urgently”

  • Ask for gift cards or money

  • Send suspicious links or attachments

  • Mimic the church's real domain (website) name with look-alikes such as @SaintMatthewsVA.org or @stmttsVA.com instead of @stmtts.org


These tricks are especially effective on smartphones, where it is harder to see the full email address.
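
For whoever administers the church's email, the display-name spoofing and look-alike domains described above can be checked automatically from the From: header. The Python below is an added example, not part of the original guide; it flags senders that borrow the church's name on an outside account or use a domain that imitates @stmtts.org. The watch lists, the 0.8 similarity threshold, the function names, and the sample headers are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

LEGIT_DOMAIN = "stmtts.org"  # the church's real domain, as given in this guide
# Assumed watch lists (illustrative); a mail admin would tune these.
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
TRUSTED_NAMES = ("rob merola", "fr. rob", "st. matthew", "saint mat")
BRAND_TOKENS = ("stmtts", "stmatt", "matthew", "mathew")


def looks_like_church_domain(domain):
    """True if an outside domain imitates the real one."""
    if any(tok in domain for tok in BRAND_TOKENS):
        return True
    # Compare the name just before the ending (.org, .com) to catch typos.
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    legit_label = LEGIT_DOMAIN.split(".")[0]
    return SequenceMatcher(None, label, legit_label).ratio() >= 0.8  # assumed


def check_sender(from_header):
    """Return reasons a From: header looks like impersonation (empty = none)."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if domain == LEGIT_DOMAIN:
        # Right domain; a hacked real account still passes, so verify by phone.
        return []
    reasons = []
    named = (any(n in display.lower() for n in TRUSTED_NAMES)
             or any(tok in local for tok in BRAND_TOKENS))
    if named and domain in FREE_PROVIDERS:
        reasons.append("church name on a free email account")
    elif named:
        reasons.append("church name on an outside domain")
    if looks_like_church_domain(domain):
        reasons.append("look-alike domain")
    return reasons


# Constructed sample headers, built from the addresses quoted in this guide.
SAMPLES = [
    "Fr. Rob Merola <stmatthews.help@gmail.com>",
    "St. Matthew's Office <office@stmttsVA.com>",
    "Parish News <news@SaintMatthewsVA.org>",
    "Parish Office <office@stmtts.org>",
]
if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no impersonation signs")
```

A clean result only means the sender's address is not an obvious imitation; messages from a hacked real account pass this check and still need to be verified through the church office.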


Spot the Red Flags: A Checklist



What To Do If You Have Been Targeted


✅ Do not reply, click, or download anything.

✅ Call the church office at 703-430-2121.

✅ Check your antivirus and email security settings.

✅ Update your passwords if you interacted with the message in any way.



Help Us Spread the Word


Scam emails can fool anyone. These messages are especially dangerous for those who are less comfortable with technology or who may not be familiar with common warning signs.


Please share this updated guide with friends or family members. A simple conversation or forwarded link could prevent someone from becoming a victim.


Our goal is to keep our church and community informed, safe, and connected.


Trusted Resources to Learn More or Report Scams


  1. Federal Trade Commission (FTC) – Recognize and Avoid Phishing https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

  2. Report Fraud to the FTC https://reportfraud.ftc.gov

  3. Google – How to Spot and Report Phishing in Gmail https://support.google.com/mail/answer/8253

  4. Federal Communications Commission (FCC) – Scam Glossary https://www.fcc.gov/scam-glossary

  5. The Episcopal Church – Safe Church Cybersecurity Awareness https://www.episcopalchurch.org/safe-church-resources (Search for “cybersecurity” or “fraud awareness”)

  6. National Cybersecurity Alliance – Phishing Resources https://staysafeonline.org/resources/phishing


201 E Frederick Drive

Sterling, VA 20164

(703) 430-2121
