AOS Guardian
Vendors offering AOS-Guardian or Equivalent Platforms
- CRD Solutions - (425) 329-6414 or email info@crdsolutions.org
- O'Brien Business GRP Corp - (425)233-6994 or Email: techsupport@obrienbusinessgroup.com
- KellyCreate - (360) 920-3858 or Email: michelle.jones@kelleycreate.com
Cybersecurity Threats Escalate for Catholic Parishes and Schools in Western Washington
July 2025 | Seattle, WA — Catholic parishes across Western Washington are facing a growing wave of cybersecurity threats, with phishing and token theft attacks emerging as particularly dangerous vectors. These incidents are not only compromising sensitive data but also threatening the financial and operational stability of faith communities.
A New Era of Cyber Threats
Recent cybersecurity incident reports reveal a sharp increase in business email compromise (BEC) and token theft attacks, even among organizations that have implemented multi-factor authentication (MFA). In many cases, attackers are bypassing MFA by stealing session tokens through sophisticated phishing campaigns.
These tokens, once stolen, allow attackers to impersonate legitimate users without needing passwords or MFA codes. This method has proven especially effective in environments where legacy systems or insufficient cybersecurity training leave gaps in defense.
Why Faith-Based Institutions Are Vulnerable
Parishes and schools often operate with limited IT resources and outdated infrastructure. Common vulnerabilities include:
- Unsecured email systems that are easily spoofed.
- Lack of cybersecurity training among staff and volunteers.
- Use of legacy software that does not support modern security protocols.
- Inadequate backup and recovery plans in the event of a breach.
Catholic Schools: A Growing Target
Catholic schools in the region are also increasingly vulnerable. According to the 2025 CIS MS-ISAC K-12 Cybersecurity Report, attacks on the education sector rose by 224% in 2024. These attacks are not only more frequent but also more sophisticated, often using AI-generated phishing emails, cloned portals, and fake financial aid forms to deceive staff and students.
Cybersecurity leaders in the region emphasize that schools are attractive targets because of the sensitive data they hold (student records, financial information, and login credentials) and because of the disruption a successful attack can cause: canceled classes and lost learning time.
Phishing: The Gateway to Exploitation
Phishing remains the most common entry point for attackers. These scams often impersonate trusted figures—such as pastors or diocesan officials—and request urgent financial transactions or login credentials. In some cases, attackers have successfully redirected parish donations or payroll funds to fraudulent accounts.
The emotional and spiritual trust that parishioners place in their church leaders makes these communities especially susceptible to social engineering tactics. As one cybersecurity expert noted, “These attacks rely on emotion—urgency, fear, or trust—to bypass rational scrutiny.”
Phishing is a type of cyberattack where attackers try to trick people into giving away sensitive information—like passwords, credit card numbers, or access tokens—by pretending to be someone they trust.
🔍 How Phishing Works
Phishing usually happens through:
- Emails that look like they’re from a trusted source (e.g., a bank, employer, or even a parish leader).
- Fake websites that mimic real ones to steal login credentials.
- Text messages or phone calls asking for urgent action.
🎯 Common Tactics
- Urgency or fear: “Your account will be locked unless you act now!”
- Impersonation: “This is Father John. Can you send me the gift card codes?”
- Links to fake login pages: These pages look real but are designed to steal your username and password.
🛡️ How to Protect Yourself
- Don’t click suspicious links—hover over them to see where they really go.
- Verify requests—especially those involving money or sensitive info.
- Use multi-factor authentication (MFA)—and be cautious even with MFA, as attackers can steal session tokens.
- Report phishing attempts to your IT team or email provider.
Local Impact and Response
While specific incidents in Western Washington have not all been made public, cybersecurity firms and diocesan IT departments confirm that several parishes have experienced attempted or successful breaches in the past year. The Archdiocese of Seattle has reportedly increased its investment in cybersecurity awareness training and is encouraging parishes to adopt stronger email authentication protocols and endpoint protection tools.
Recent Exploits Involving Paycom and Token Theft
In early 2025, several archdiocese schools using Paycom reported incidents where attackers exploited session token theft to gain unauthorized access to employee accounts. These attacks typically began with phishing emails that tricked users into logging into fake Paycom portals. Once credentials and session tokens were captured, attackers bypassed multi-factor authentication and accessed employee dashboards. In many cases, they redirected direct deposit information, rerouting paychecks to fraudulent bank accounts before the breach was detected. The incidents highlight the growing threat of token-based attacks, even in systems with MFA, and underscore the need for phishing-resistant authentication and vigilant monitoring of payroll systems.
Recommendations for Parishes and Schools
A Call for Vigilance
As cybercriminals become more sophisticated, Catholic parishes and schools must adapt quickly to protect their communities. The spiritual and educational missions of the Church depend not only on faith but also on the security of the systems that support them.
Additional Technical Information:
🔐 What Is a Session Token?
A session token is a small piece of data that a website or application uses to identify and authenticate a user after they log in. Instead of asking for your username and password every time you click a link or load a new page, the system gives you a token—like a temporary ID badge—that proves you're already logged in.
🧩 How It Works:
- You log in with your credentials.
- The server verifies your identity and issues a session token.
- This token is stored in your browser (usually as a cookie or in local storage).
- Every time you interact with the site, your browser sends the token to prove who you are.
⚠️ Why It’s a Security Risk:
If an attacker steals your session token—for example, through a phishing attack or malicious browser extension—they can impersonate you without needing your password or MFA code. This is how many recent attacks, including those involving Paycom, have bypassed even strong security measures.
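The token lifecycle described above, as an added example that is not code from the original page. It issues an HMAC-signed token after login and then checks it with and without the defender-side controls (expiry, server-side revocation, binding to the client that logged in); `SERVER_KEY`, `SESSION_TTL`, the fingerprint inputs and the sample clients are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side signing key; a deployment would load this from a secrets store
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 8 * 3600     # absolute session lifetime in seconds (assumed for the example)
_revoked = set()           # tokens invalidated by logout or by an administrator


def _client_fingerprint(user_agent, client_ip):
    # Coarse binding of the token to the client that logged in (inputs are assumptions;
    # IP-based binding breaks for roaming users, so real systems use it cautiously)
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()[:16]


def issue_token(username, user_agent, client_ip, now=None):
    """Issue an HMAC-signed token after password + MFA have succeeded; the browser
    then sends it (normally as a cookie) on every request instead of re-authenticating."""
    now = int(time.time() if now is None else now)
    body = f"{username}|{now}|{_client_fingerprint(user_agent, client_ip)}|{secrets.token_hex(8)}"
    sig = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    return f"{body}|{sig}"


def validate_token(token, user_agent, client_ip, now=None, bind_client=True):
    """Return the username the token proves, or None. With bind_client=False this is the
    naive check that turns a stolen token into a full login: signature valid, so accept it."""
    now = int(time.time() if now is None else now)
    try:
        username, issued, fp, nonce, sig = token.split("|")
    except ValueError:
        return None
    body = f"{username}|{issued}|{fp}|{nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                  # forged or tampered token
    if token in _revoked:
        return None                  # logged out, or revoked after an incident
    if now - int(issued) > SESSION_TTL:
        return None                  # expired: limits how long a stolen token stays useful
    if bind_client and fp != _client_fingerprint(user_agent, client_ip):
        return None                  # replayed from a different client than the one that logged in
    return username


def revoke_token(token):
    """Server-side revocation: resetting the password alone does not invalidate live tokens."""
    _revoked.add(token)
```

The `bind_client=False` path is the behaviour that lets a phished token bypass MFA; the other checks are what an incident responder relies on to cut a stolen session short.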
How To - Implement Phishing-Resistant MFA (e.g., Hardware Security Keys)
What It Is: Unlike traditional MFA (like SMS codes or app-based prompts), phishing-resistant MFA uses physical devices—such as USB or NFC security keys—that must be present to log in.
Why It’s Safer: Hardware keys cannot be tricked by fake login pages. They only work with legitimate websites, making them highly resistant to phishing and token theft.
How It Works: When logging in, the user plugs in the key or taps it on their device. It verifies the website’s identity before allowing access.
Who Should Use It: Ideal for staff with access to sensitive systems, such as finance, student records, or email administration.
Examples of Hardware Keys: YubiKey, Google Titan, SoloKey.
Bonus: Many keys support multiple accounts and services, including Google Workspace, Microsoft 365, and password managers.
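Why a hardware key "only works with legitimate websites", shown as an added example that is not code from the original page. It models the three parties in a WebAuthn login: the key signs over a hash of the relying-party ID plus the browser-supplied client data, the browser (not the page) stamps the real origin into that client data, and the server rejects anything whose origin does not match. `RP_ID`, `EXPECTED_ORIGIN`, the lookalike domain and the function names are constructed; HMAC with a per-key secret stands in for the key's ECDSA signature and the registered public key.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying-party values for a hypothetical parish tenant
RP_ID = "stexample-parish.org"
EXPECTED_ORIGIN = "https://stexample-parish.org"


class ToySecurityKey:
    """Stand-in for a hardware key. A real key signs with a per-site private key that never
    leaves the device; HMAC with a per-key secret stands in for that signature here."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def get_assertion(self, rp_id, client_data_json):
        # authenticatorData starts with SHA-256(rpId); flags and counter are omitted for brevity
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.secret, signed, "sha256").digest()


def browser_get(key, page_origin, challenge):
    """What the browser does for navigator.credentials.get(): it, not the page script,
    writes the actual origin into clientDataJSON and derives the rpId from that origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]
    auth_data, sig = key.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(key, challenge, client_data, auth_data, sig):
    """Relying-party checks: challenge freshness, origin, rpIdHash, then the signature.
    The RP would hold the registered public key; the shared secret stands in for it."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                                  # replayed or unsolicited assertion
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False                                  # lookalike domain fails here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                  # signed for a different relying party
    expected = hmac.new(key.secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def login_attempt(key, page_origin):
    """Full round trip: RP issues a challenge, the browser on page_origin asks the key to
    sign it, and the RP verifies. A page_origin other than EXPECTED_ORIGIN models a cloned
    login page relaying the real challenge: the key still answers, but the answer is useless."""
    challenge = secrets.token_urlsafe(32)
    client_data, auth_data, sig = browser_get(key, page_origin, challenge)
    return rp_verify(key, challenge, client_data, auth_data, sig)
```

Contrast this with an SMS or app code, which carries no origin at all and verifies just as well when typed into a cloned page.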
How To - Educate Staff and Volunteers on Recognizing Phishing and Social Engineering
Phishing Awareness:
- Teach staff to inspect email addresses carefully—look for subtle misspellings or unusual domains.
- Encourage them to hover over links before clicking to see where they really lead.
- Remind them: legitimate organizations never ask for passwords or sensitive info via email.
Social Engineering Tactics:
Attackers may impersonate trusted figures (e.g., pastors, principals, IT staff) to create a false sense of urgency.
Common red flags: requests for gift cards, wire transfers, or login credentials—especially if the tone feels “off.”
Training Tips:
- Use realistic phishing simulations to test and reinforce learning.
- Offer short, regular training sessions—not just once a year.
- Encourage a “report, don’t ignore” culture: better to report a suspicious message than to assume it’s safe.
Empower, Don’t Shame:
- Make it safe for staff and volunteers to ask questions or admit mistakes.
- Celebrate successful phishing catches to reinforce good habits.
How To - Audit and Update Legacy Systems to Support Modern Security Standards
Why It Matters:
- Legacy systems often lack support for modern encryption, multi-factor authentication, and security patches.
- These outdated systems are prime targets for attackers looking for easy entry points.
Audit Checklist:
- Identify all systems and software in use—especially those handling email, finances, student records, or donor databases.
- Check for end-of-life software (e.g., Windows 7, old versions of Office or email servers).
- Review user access levels—remove or limit access for inactive or unnecessary accounts.
Update Priorities:
- Upgrade to cloud-based platforms with built-in security (e.g., Microsoft 365, Google Workspace for Education).
- Ensure all systems support encryption at rest and in transit.
- Replace unsupported hardware and software with vendor-supported alternatives.
Ongoing Maintenance:
- Schedule regular system reviews (at least annually).
- Apply security patches and updates promptly.
- Document all changes and maintain an IT asset inventory.
Budget-Friendly Tip:
- Look into nonprofit discounts from major tech providers (e.g., TechSoup, Microsoft, Google) to reduce upgrade costs.
How To - What Are SPF, DKIM, and DMARC—and Why Do They Matter?
One of the most effective ways to protect against email spoofing and phishing is by using email authentication protocols:
- SPF (Sender Policy Framework): Verifies that the email is sent from an authorized server.
- DKIM (DomainKeys Identified Mail): Adds a digital signature to emails, proving they haven’t been altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving servers what to do if an email fails SPF or DKIM checks—and provides reports on suspicious activity.
Together, these protocols help ensure that emails claiming to come from your parish or school are actually legitimate. Implementing them can significantly reduce the risk of attackers impersonating trusted staff or clergy.
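How a receiving server combines the three checks, as an added example that is not code from the original page. It evaluates a sender IP against an SPF record, parses a DMARC policy, and applies DMARC's alignment rule (SPF or DKIM must pass for a domain that matches the visible From: domain) to decide whether a spoofed message is rejected. The DNS records, domains and IP addresses are constructed; `include`, `a` and `mx` mechanisms need live DNS and are treated as non-matching here.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical parish domain and a third-party
# bulk mailer (not real DNS data); a receiver would fetch these with DNS lookups.
SPF_RECORDS = {
    "stexample-parish.org": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
    "bulk-mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}
DMARC_RECORDS = {
    "stexample-parish.org": "v=DMARC1; p=reject; rua=mailto:dmarc@stexample-parish.org; adkim=r; aspf=r",
}
_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate ip4/ip6 mechanisms and the trailing 'all'. include/a/mx need live DNS,
    so this offline evaluator treats them as non-matching (assumption for the example)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return _QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(value, strict=False):
                    return _QUALIFIER[qualifier]
            except ValueError:
                return "permerror"
    return "neutral"   # no 'all' term: the record says nothing about this sender


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def _org_domain(domain):
    # Simplified organizational domain (last two labels); real receivers use the Public Suffix List
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts any subdomain of the same organization."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return _org_domain(from_domain) == _org_domain(auth_domain)


def evaluate_message(msg):
    """msg: dict with sender_ip, mailfrom_domain (envelope sender), from_domain (header From:),
    dkim_result and dkim_domain (the signature's d= tag). Returns (spf_result, dmarc_result)."""
    spf_record = SPF_RECORDS.get(msg["mailfrom_domain"].lower())
    spf_result = spf_check(spf_record, msg["sender_ip"]) if spf_record else "none"
    dmarc_record = DMARC_RECORDS.get(msg["from_domain"].lower()) or DMARC_RECORDS.get(_org_domain(msg["from_domain"]))
    if dmarc_record is None:
        return spf_result, "none"    # no policy published: the receiver falls back to its own heuristics
    dmarc = parse_dmarc(dmarc_record)
    # DMARC passes only when SPF or DKIM passes AND that identifier aligns with the From: domain
    spf_ok = spf_result == "pass" and aligned(msg["from_domain"], msg["mailfrom_domain"], dmarc["aspf"])
    dkim_ok = msg["dkim_result"] == "pass" and aligned(msg["from_domain"], msg["dkim_domain"], dmarc["adkim"])
    return spf_result, ("pass" if (spf_ok or dkim_ok) else dmarc["p"])
```

The "unaligned" case in the test is the one that surprises most administrators: a vendor's SPF can pass for its own envelope domain while a message still fails DMARC for the parish domain in the From: header, which is why third-party senders must be authorized in the parish's own SPF or sign with its DKIM key.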
Establish Incident Response Plans and Conduct Regular Security Drills
Why It’s Important:
- A well-prepared response can minimize damage, reduce downtime, and protect sensitive data during a cyber incident.
- Drills help ensure that everyone knows their role and can act quickly under pressure.
Key Elements of an Incident Response Plan:
- Roles and responsibilities: Who does what during an incident (e.g., IT lead, communications, legal, leadership)?
- Detection and reporting: How to recognize and report suspicious activity.
- Containment and recovery: Steps to isolate affected systems and restore operations.
- Communication protocols: Who needs to be informed (e.g., staff, parishioners, parents, law enforcement)?
- Post-incident review: Analyze what happened, what worked, and what needs improvement.
Security Drills:
- Conduct simulated phishing attacks to test staff awareness.
- Run tabletop exercises where teams walk through a mock cyberattack scenario.
- Review and update the plan after each drill to reflect lessons learned.
Documentation and Accessibility:
- Keep the plan written, up-to-date, and easily accessible—both digitally and in print.
- Ensure key contacts and emergency procedures are clearly listed.
Bonus Tip:
- Partner with your archdiocese IT team or a local cybersecurity consultant to help design and evaluate your plan.
How To - Free Security Awareness Resources
1. Cybersecurity & Infrastructure Security Agency (CISA)
- Website: cisa.gov
- Offers free toolkits, posters, videos, and training modules.
- Great for building a basic awareness program for staff and volunteers.
- Look for their “Stop.Think.Connect.” campaign materials.
2. National Cybersecurity Alliance (NCA)
- Website: staysafeonline.org
- Provides free tip sheets, infographics, and training guides.
- Especially useful during Cybersecurity Awareness Month (October).
3. Google for Nonprofits
- Website: google.com/nonprofits
- Offers free access to Google Workspace and security best practices.
- Includes admin tools to enforce MFA and monitor suspicious activity.
4. Microsoft Security for Nonprofits
- Website: nonprofit.microsoft.com
- Offers free or discounted Microsoft 365 licenses with built-in security tools.
- Includes security training videos and admin guides.
5. KnowBe4 Free Tools
- Website: knowbe4.com/free-tools
- Offers free phishing tests, password tools, and awareness posters.
- Paid plans are available, but many tools are free and easy to use.
6. TechSoup
- Website: techsoup.org
- Offers discounted software, including security tools and training.
- Occasionally hosts free webinars on cybersecurity for nonprofits.
Parish & School Resources
Commercial (Paid) Security Awareness Training
Free - Security Awareness (Amazon)
Free FTC.GOV - Small Business Cyber Guide
Free Adobe - Security Awareness Training - YouTube Episodes
Scan the QR code or follow the link on this page to contribute to the survey exploring the viability of hosting a Spring 2025 Cyber Summit for technology leaders across the Archdiocese of Seattle.
Avoiding Phishing Emails (download)