AI and Church Security in 2026: Why Your Passwords Aren't Enough Anymore
For the last decade, my security advice for organizations was fairly consistent. In the last year—and especially this past week—the ground has shifted.
I regularly hear people ask, “Who’s going to attack my little church? No one cares. There’s nothing to steal!” This misses the point. No one is attacking just your church. Instead, hackers are attacking thousands of organizations at once, automated by a new generation of "Agentic" AI.
The Claude Mythos Era
The arrival of a new generation of AI, specifically Anthropic’s "Claude Mythos," has fundamentally changed the stakes. This AI has demonstrated a remarkable ability to find exploits in hardware and software that have survived decades of human scrutiny.
In plain English: AI can now find ways to hack you that are substantially beyond human capability. As these tools automate the process, attacks become infinitely faster, more persistent, and more personalized.
Before we move to solutions in my next article, let me lay out four realistic scenarios of the problems your church will face in the next 3-5 years.
Scenario 1: The Pastor’s (AI) Voice
Your church bookkeeper receives an email from the Pastor asking to pay a $5,000 invoice via a link. Surprised, the bookkeeper calls the Pastor. The Pastor picks up and confirms the request. Satisfied, the bookkeeper clicks the link and sends the payment.
The Reality: The email was AI-generated, and the voice on the phone was a Deepfake, trained on your church’s YouTube livestream videos. A single hacker launched this attack on 1,000 churches simultaneously while drinking coffee.
Scenario 2: The "eSIM Swap"
Your church bank account has Multi-Factor Authentication (MFA) enabled. When you log in, the bank texts you a code. You feel safe.
The Reality: An AI-powered bot, having already scraped your personal data, calls your phone company. It impersonates you, claims your phone was stolen, and tricks a customer service rep into "porting" your eSIM to the hacker’s device. 10 minutes later, they intercept your bank’s text code and drain the account.
Scenario 3: The "Password Variation" Trap
Your church uses variations of the same password: Churchname1, Churchname1!, Churchname2026.
The Reality: A minor website you forgot you had an account for is hacked. That password is sold on the dark web. An AI bot buys it, realizes it's a "base" password, and spends the next 15 seconds testing every possible variation against your Planning Center, QuickBooks, and Facebook accounts. It gets a hit in seconds.
Scenario 4: The Silent Network Resident
An AI discovers a "Zero-Day" exploit in your office's older Wi-Fi router—a vulnerability no human had ever noticed.
The Reality: The AI doesn't just "break" things; it installs a tiny, "Agentic" program on your network. It doesn't act like a traditional virus; it stays silent for months, watching your traffic and gathering passwords. Eventually, it "phones home" with a master key to your entire digital life.
Summary
These aren't sci-fi scripts. These are evolutions of tactics that became common in 2025. As AI becomes more autonomous, these attacks will become the "new normal" for community churches.
In my next article, I’ll explore the Three-Layer Defense—the best practices and new solutions that can protect your organization from these threats.
If you want to talk through ways to protect your organization now, reach out to us at Capital Hope Media. We specialize in manageable solutions for typical, community churches.
