How can we protect vulnerable members from cyberfraud?

“They stole $77,000. And that was all of my savings.”

Her voice was so soft I (Doug) had to lean in to hear her. “I’ve talked with the local police, the FBI and the Federal Trade Commission. The money is not recoverable. It is gone.”

This was a conversation I had not long ago with someone at church. This friend would like others to learn from her terrible experience.

Every year, tens of thousands of Americans lose their money to cyberfraud. The FBI reports that in 2025 losses reported to the Internet Crime Complaint Center exceeded $20 billion. Some of these victims are sitting in the pews of our churches.

They are not exclusively senior adults, but senior adults often are vulnerable because they may live alone and may become anxious when dealing with an unusual computer malware attack or sophisticated phishing scam.

In 2025, senior adults (age 60 and above) were scammed out of almost $8 billion, more than any other age group. The methods of the criminals that lurk on the Internet continue to evolve and often are one step ahead of law enforcement. But statistics alone cannot capture what this kind of loss feels like from the inside.

My friend (let’s call her Jane) and I agreed we would share her story, not only in hopes of warning other people, but perhaps providing a word of comfort for those who have gone through this terrible ordeal. Several weeks after she first told me about this theft, we met to talk and pray and reflect on it together. I don’t know when I’ve had a more significant conversation with someone about faith and life than at this moment.

Because Jane’s responses were so very thoughtful, what follows is an almost verbatim excerpt of our conversation — her words, I think, speak for themselves.

Jane, what advice would you give to someone who has been the victim of cyberfraud?

Give them a warm hug. Ask them if they need to talk about their experience. Ask them if they are aware of the resources available. And when they are ready, tell their story to as many people as they can.

What advice would you give to ministers whose members have been defrauded?

Ask them to become educated for the sake of their faith community. Become aware of resources that are helpful. Understand there is an emotional and spiritual impact on their members. Recommend the book: The Emotional Impact of Being Scammed and How to Recover by Cathy Wilson.

How do you feel in the wake of this fraud? How has this tested your faith?

I lost my self-confidence. I’ve experienced self-doubt, even shame. How could I have let them fool me? This incident has brought me to my knees; it has taken me to God. I’m learning how to be rightfully angry without becoming bitter. (I still believe) I will never be abandoned or forsaken.

Jane’s resilience is remarkable, and her counsel is wise. Pastoral care matters enormously in the wake of these crimes. But she was also clear: Awareness and preparation are the first line of defense.

With that in mind, I asked Steven Follis — whose background spans Amazon, Microsoft and Intel — to offer some practical guidance.

Here are his thoughts:

One afternoon during my sophomore year at Baylor University, I was walking between classes when my cell phone rang. It was my grandfather. The usual bubbly warmth of our chats was entirely missing, replaced with a voice tense with panic. “Steven, are you OK?!” he blurted out.

He explained that he had just hung up from a call with someone he thought was me. The caller had claimed I was arrested, needed immediate bail money wired over, and instructed him not to tell my parents. Just as my grandfather was on the very precipice of rushing to the bank, he paused, took a breath and decided to try my actual cell phone first.

I have never been more grateful for a second thought.

Whether targeting an individual at home or an employee at a major corporation, modern scammers rely heavily on “social engineering,” the act of manipulating human psychology rather than breaking through digital firewalls. They build fake trust or exploit intense fear to convince you to voluntarily hand over money, sensitive data or account access.

While these schemes have grown incredibly sophisticated, recognizing their common blueprints is half the battle. My grandfather’s experience is far from unique — it follows a recognizable pattern, as do most cyber scams.

Three of the most common scams to watch out for include:

• The “Grandchild in Trouble” scam. As my grandfather experienced, this tactic weaponizes emotional panic to bypass logic. Today, cybercriminals can even use artificial intelligence to clone a loved one’s voice or face from a short video clip found online, making the deception terrifyingly convincing.
• Tech support alerts. A loud warning suddenly blares from your computer screen, accompanied by a pop-up claiming your system is infected with viruses and providing an emergency “support” number. This is a play on fake authority. Legitimate tech companies like Microsoft or Apple never will put a phone number in a pop-up or cold-call you out of the blue to tell you your device is broken.
• Government or bank imposters. A caller or texter claims to be from the IRS, Medicare or your bank, warning that your account is compromised or that you owe an immediate fine. The dead giveaway here is always the requested currency. Legitimate organizations never will threaten you with immediate arrest, nor will they ever demand payment via wire transfers, prepaid debit cards, gift cards or cryptocurrency.

As our social circles and essential services move online, navigating the internet safely has become a fundamental life skill. Cybercriminals frequently target older adults, not due to any lack of intelligence, but because they intentionally exploit generational traits like politeness, deep trust and the natural learning curves of adapting to technologies that simply did not exist mere decades ago.

Protecting yourself is not about retreating from the digital world; it’s about developing the digital street smarts that shield your hard-earned assets. When a high-pressure message arrives, try this sequence before responding:

1. Pause and breathe. Scammers thrive on manufactured urgency. If a message demands immediate compliance, threatens account closure or insists on absolute secrecy, treat it as an immediate red flag. Step away from your screen or hang up the phone for 60 seconds to break the emotional spell.
2. Verify independently. Never rely on the contact details or links provided within a suspicious alert. Look up the official information yourself. If a text claims to be from your bank, call the number printed on the back of your physical debit or credit card. If it’s a frantic relative, call them — or another close family member — directly on their known, saved phone number.
3. Report and discuss. If you encounter a scam or accidentally click a wrong link, talk about it. Inform a tech-savvy loved one, a trusted friend or local authorities. Shedding any sense of embarrassment and sharing your experience is the single best way to protect your wider community so everyone can learn.

Beyond how we respond in the moment, there also are quiet, behind-the-scenes habits that dramatically reduce your vulnerability before a scammer ever contacts you. While social engineering tricks the human mind, weak or reused passwords remain the easiest entryway for criminals into our digital accounts. Interestingly, individual users are rarely targeted and “hacked” directly.

Instead, malicious actors compromise a vulnerable, lower-security platform (Website A), vacuum up its database of usernames and passwords, and then use automated software to rapidly try those identical combinations on thousands of other platforms in minutes, like banking portals or health care sites (Websites B/C/D). If you reuse the same password across multiple accounts, a single leak opens the door to your entire digital identity. Security researchers even maintain a database of email addresses known to have been hacked; if you see yours in this tool it would be best to change your password immediately.

Using a completely unique password for every single account effectively shrinks this “blast radius” of a hack. While managing dozens of passwords can feel cumbersome, modern password managers can automatically generate, store and fill complex credentials on your behalf.

And if the learning curve for a digital password manager feels a bit too steep, a simple paper notebook kept securely by your computer at home works beautifully, too. Both systems — the high-tech encrypted digital vault and the low-tech physical ledger — accomplish the exact same vital goal: keeping your accounts distinct, isolated and safe.

“There is one final, incredibly powerful tool you should activate on every website or app that offers it.”

In addition to implementing unique passwords, there is one final, incredibly powerful tool you should activate on every website or app that offers it: “Multi-Factor Authentication.”

Sometimes called two-step verification, MFA acts like a personal security guard for your digital life. When you log into a website using your traditional username and password, the platform pauses and sends a unique, temporary code to your mobile phone via text message or a specialized app. You must enter this code before gaining access.

Think of your password as the deadbolt on your front door and MFA as the security guard standing right inside. Even if a thief somehow steals or guesses your key, they still cannot get past the guard. Turning this on — especially for your primary email, banking apps and health care portals — creates a near-impenetrable barrier. Even if a cybercriminal on the other side of the world buys your leaked password, they don’t have physical possession of your mobile phone, instantly halting them in their tracks.

We often make the mistake of viewing cybersecurity as a lonely battle fought entirely between an individual and a screen. But as my grandfather proved to me that afternoon at Baylor, our absolute best defense isn’t a complex piece of software — it’s human connection. His saving grace wasn’t an antivirus program; it was the simple, intentional decision to pause, pick up the phone and talk to me.

Cybercriminals do not just hack technology; they hack human emotion. They count on isolation, they weaponize urgency, and they thrive on the secret hope that if you do fall for a trick, you will be too embarrassed to tell anyone. They win when we stay silent.

By implementing unique passwords (whether you secure them in an encrypted digital vault or a trusted paper ledger), turning on MFA and adopting a mandatory 60-second pause when a message feels frantic, you aren’t just completing a tedious IT checklist. You are building modern boundaries that preserve your hard-earned assets and your peace of mind.

Ultimately, cybersecurity isn’t a test you pass or fail, nor is it a skill reserved only for the tech-savvy. It is an ongoing practice of collective care. When we normalize talking about these scams, check in on our neighbors and actively remove the stigma of being targeted, we replace digital isolation with a human safety net of shared awareness.

Protect your tools, trust your instincts, and never hesitate to verify. We are all safer when we look out for one another.

This article is not a screed against technology. However, it is a reminder that bad actors lurk in the shadows. The internet is now part of our lives, but like driving a car at 70 mph on the interstate, we must keep our eyes on the road — always!

In that spirit, these recent words from Pope Leo in his epistle Magnificent Humanity are particularly timely:

In this era of digital transformation, I see in (Nehemiah) a striking parable of our own vocation, which is not to be passive spectators of social and cultural fractures, nor mere commentators on what is crumbling, but men and women prepared to enter the construction sites of history — research laboratories, technology companies, schools, the media, institutions and local communities — in order to rebuild what has collapsed and protect what is threatened. Like Nehemiah, we too are called to unite listening and courage, prayer and responsibility, so that, even when a technocratic mentality or partisan interests seem to prevail, the human city may become a more fitting place to live.

 

Doug Haney serves as executive director of Polyphony Music Resources. He served churches for almost four decades as a church musician, including 19 years as minister of music at Wilshire Baptist Church in Dallas. Most recently, he was interim minister of music at First Baptist Church in Asheville, N.C.

Steven Follis is a senior product manager at Twilio, a communications technology company that powers text messages, phone calls and other digital communications delivered through apps and websites. He serves on the boards of Polyphony Music Resources and Baptist News Global and is a deacon at St. John’s Baptist Church in Charlotte, N.C.