For years, emails impersonating Rev. Jason Meyers, lead minister at Metropolitan United in Toronto, have been circulating in the congregation, asking members to purchase gift cards. Then in March, scammers targeted a large portion of Metropolitan’s members with text messages, ostensibly from Meyers. Scammers often request gift cards because they’re untraceable and quick to cash out. A working theory is that fraudsters got access to congregants through the church’s public Facebook page and then used various online sources to find their email addresses and phone numbers.
While some church members reached out to Meyers directly to report the scam, others engaged, including one senior who uses a walker. Luckily, she misunderstood the ask, purchased greeting cards instead and brought them over to the church.
You may unsubscribe from any of our newsletters at any time.
“It was heartbreaking,” says Meyers. “The fact that this lovely lady, when she thought the minister asked for something, dragged herself out of bed and went down to Shoppers [Drug Mart].”
The sense of trust that makes churches warm, caring communities is being exploited across Canada through email scams and data breaches. “Religious institutions are often high-trust environments, where deep relationships are formed by shared values, worldview and mission, creating strong community ties,” says Randy Purse, senior cybersecurity adviser at Rogers Cybersecure Catalyst. “Because of this, it also provides a unique angle to cybercriminals who prey on trust and generosity, sometimes impersonating religious leaders or staff to scam community members.”
Additionally, churches are full of seniors, who can be vulnerable to phishing scams due to a lack of digital literacy. In 2024, the Canadian Anti-Fraud Centre reported $638 million lost to all kinds of fraud, including cybercrime, which makes up most fraud cases across all age groups. Seniors over 60 years old lost $58 million to cybercrime specifically, with a significant number of cases attributed to phishing scams, where someone will impersonate a trusted entity to trick individuals into parting with sensitive information or money.
With the increase of phishing attempts in churches, some are fighting back by educating their congregations and creating digital safeguards.
Increased awareness is key, because scams like the kind that targeted Metropolitan United are becoming more believable.
Katie Gibson, the director of the Catalyst Cyber Clinic, says cybercriminals are now using artificial intelligence to create shockingly personalized, convincing requests — not just emails, but texts or other communications. “And they can easily target many more people. These phishing messages can trick even very sophisticated recipients,” says Gibson.
In April, Mark Paetkau, a member of the regional Approvals Working Group at Pacific Mountain Regional Council, received an email from someone pretending to be Pacific Mountain executive minister Treena Duncan. “Good morning! I hope you are available today. I have a favor I could use your help with,” the email read.
Paetkau says the email address looked similar to Duncan’s real address, so he responded. “When you receive an email from the executive minister, you’re disposed to respond with alacrity,” says Paetkau.
Unlike more obvious phishing emails, the note didn’t ask for anything right away. It wasn’t until Paetkau received a second email, requesting gift cards, that he began to question it. He then called Duncan, who confirmed it was a scam.
In another case, a retired volunteer received an email impersonating Duncan, claiming that the executive minister was doing a fundraiser for women with cancer and requesting $1,500 in gift cards. The volunteer was on his way to purchase the cards when he decided to call Duncan.
More on Broadview:
- My company cut DEI. Do I stay?
- A funny novel about religion
- The toll of war is inescapable in Ukraine, but the country remains unbowed
Purse says clergy need to be proactive by reporting ongoing scams and telling their congregations they will never ask for donations personally.
Earlier in April, Duncan sent out an email to the Region’s newsletter list addressing phishing emails purporting to be from her and educating the Region on how to identify these sorts of scams.
To mitigate financial risk to their members, religious institutions should also use organization-specific email addresses to improve their legitimacy and security. “Use official institution domains with proper email authentication, enforce two-factor authentication for staff accounts (using an authenticator app, phone number or alternate email address) and regularly remind staff to be on guard against phishing and other impersonation scams,” says Purse.
Ransomware attacks, a cybercrime where malicious software encrypts a computer system, are another vulnerability churches face.
In December 2022, hackers accessed the data of Highlands United in Vancouver and destroyed five years’ worth of financial records. Although Highlands didn’t lose any confidential information, the police’s cybercrime investigation couldn’t say for certain the full extent of the information that was compromised. “We had to recreate five to seven years of financial history from scratch,” says Rev. Will Sparks, minister of congregational development.
Religious institutions are increasingly relying on digital technologies and third-party services to support their IT needs. However, in using these services, churches need to be more aware of the information they store, particularly information on donors and attendees, to ensure it’s properly safeguarded. “Many congregations depend on volunteers, and smaller institutions lack dedicated IT support. So even basic cybersecurity measures can slip through the cracks,” says Purse.
Religious institutions should have anti-virus and anti-malware security systems to monitor and detect threats. They should also apply security controls to ensure only necessary access to files. Further, Purse says they should develop a cybersecurity incident response plan, ensure they have a record of all critical hardware and data, and create backups of their operating systems.
Digital threats are only becoming more advanced. And scams are more than just that — they aim to exploit the very foundation on which religious institutions are built. “When a person that is being mimicked is the minister, people feel honoured to be asked for help,” says Duncan. “[Scammers] play on that. It’s the key element.”
***
This article first appeared in Broadview’s September/October 2025 issue with the title “A Matter of Trust.”
Prarthana Pathak is a freelance journalist in Brampton, Ont.
Thanks for reading
Will you help support United Church reporting?
Broadview is the only media organization dedicated to telling the stories of The United Church of Canada — its big decisions, perspectives and the faithful people and communities at its core. But this essential work depends on you.Make a tax-deductible gift today — 100% of your donation goes directly to supporting United Church coverage.
With gratitude,
