FB-ISAO Current Threat Level

This threat level statement is current as of 31 March 2025.

Threat Levels Remain at Elevated

FB-ISAO recognizes that during a time of such political divisiveness, observations and assessments may be seen as supportive of one political idea or another. FB-ISAO, and our working groups, strive to be apolitical and unbiased in all of our efforts.

The FB-ISAO Cyber Threat Intelligence and Operational Resilience (together, the Threat and Incident Response) working groups actively monitor and share information, reports, and perspective regarding our threat environment. In addition to our continued observance of a broad array of general threats and hostility to people and places of faith, we have reviewed the ongoing events and threats relating to the ongoing conflict in Israel and Gaza and the related activities internationally and domestically. Based on that assessment, we have determined to maintain both the Physical and Cyber Threat Levels at “ELEVATED.”

We continue to have concerns over the widespread acts of hostility and open threats to faith-based organizations based on their religious identity and political beliefs – (including antisemitism, islamophobia, anti-Christian, anti-Hindu and anti-Sikh sentiment, etc.), which can be heightened in this period of major holidays for many religions around the world.

Religiously targeted acts of violence such as arson, vandalism, and low-level attacks including swatting and bomb threats continue to occur. Globally, there has also been a renewed proliferation of vehicle ramming attacks, several surrounding religious events and celebrations. With the change of the U.S. Presidential Administration, we have seen new authority for ICE agents to enter houses of worship, protestors be detained (sometimes under vague allegations), and a federal government workforce put on edge, which includes a scale back of personnel who were charged with protecting the homeland. In this environment we’ve seen increased threats to prominent figures such as judges and corporate executives, support to those who have conducted attacks, and public rhetoric approving of acts of violence, which all suggest an increasing acceptance across society of violence to solve issues.

Additionally, the TIG is closely monitoring common cyberattacks seen in all communities including hacktivism, Business Email Compromise (BEC) and ransomware. We do not see a significant change to the general threat landscape relative to FBOs. However, as some FBOs or personnel associated with them, take on public positions supportive of one political ideology or issue, during heightened tensions, there could be increased instances of disruptive attacks such as defacements or DDoS attacks. FB-ISAO has no specific threat information, but encourages organizations to consider the public positions, potential threats, and ability to mitigate and respond to attacks.

• The Physical Threat Level is “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal. We are also closely monitoring events and are considering an escalation to “SEVERE,” meaning that an event is highly likely, but decided to not escalate to that level at this time.
• The Cyber Threat Level is “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal.

And while we recognize that the FB-ISAO threat level has been at the ELEVATED for quite some time, we do not see the current level of threats and incidents as a permanent “new normal” but assess that the combination of global geopolitical tensions, combined with domestic unrest make it more likely that the threat level will remain elevated for the foreseeable future. FB-ISAO will continue to closely monitor events and threats and if we assess that there is a high likelihood of an increase in physical or cyber threats, or if we see a decrease in tensions, we will make appropriate revisions to this threat assessment.  

As a result of the wide dissemination of mis-, dis-, and mal-information internationally and here in the U.S., members are encouraged to avoid idle speculation, not overreact to hearsay, memes, unsubstantiated rumors presented as facts, personal emotions and biases, seek a wide and diverse array of information sources, and calmly and rationally assess substantiated facts and respond accordingly. This point was demonstrated the week of March 17, 2025 when multiple healthcare industry associations released a bulletin referencing a potential coordinated attack on U.S. hospitals, which multiple intelligence agencies quickly dismissed as having a lack of “credible information supporting or corroborating the claims.”

PHYSICAL THREAT: The TIG has determined to maintain the Physical Threat Level at “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific credible threats, but there is concern that an event is more likely than normal. We are also closely monitoring events and are considering an escalation to “SEVERE,” meaning that an event is highly likely, but decided to not escalate to that level at this time.

Civil Unrest. Coming off a U.S. Presidential election cycle, there remain multiple topics which continue to fuel divisiveness across American society which can increase the threat to faith-based communities and houses of worship. Before addressing a few specific areas, it is important to understand these threats within the context of the general threat environment within the U.S.

Examples of incidents which have occurred within the past six months that highlight the national tone:

• A healthcare executive was murdered in New York City, which garnered an alarming amount of support from across the internet.
• Individuals have taken to torching Tesla dealerships and vandalizing vehicles in response to Elon Musk’s actions with DOGE which has been labeled as domestic terrorism.
• U.S. Marshals have warned federal judges of unusually high threat levels as a result of several recent high-profile decisions.
• Following the Administration’s release of archived materials relating to the 1963 assassination of President John F. Kennedy, right-wing influencers propagated false conclusions that Jews were responsible.

We mention these incidents to highlight that the societal temperature is high, and violence and hostile actions are becoming more normalized. This can lead to a heightened perception of threat, but can also lower the threshold for individuals to operationalize. Awareness of resources such as the U.S. Violent Extremist Mobilization Indicators and the Pathway to Violence is more vital that ever to help identify threats before formalize into hostile events. You can read more about the Hostile Event Attack Cycle here, which can help security leaders better identify potential suspicious behavior.

Considering the current environment, the community will want to be particularly alert and cautious to protests. While peaceful protests are a cornerstone of our democracy, historically and in recent events, protests have seen clashes with counter-protesters and law enforcement, including detentions of legal U.S. residents in relation to their protest activity. They have also seen incidents of nefarious actors using the mass gatherings to conduct more dangerous, hostile events. Organizations are encouraged to monitor significant protest activity in their areas of operations for possible impacts to normal operations and advise community members who do protest to do so carefully – and responsibly.

Administration Transition. While any transition of a U.S. Presidency comes with shifts in priorities, there are a few particular areas worth noting in this assessment. We are still very much in the transitional phase, and while some policies are either yet to be published or being litigated, there are potential impacts for faith-based communities. In February, a Federal judge barred immigration agents from conducting enforcement operations at certain houses of worship. While the temporary injunction applies only to the plaintiffs, this will be an area to closely monitor. Administration actions likely to spark faith-related protests or acts of violence include acts or expressions of support of Israel in its war with Hamas, Hezbollah, and the Houthis; moves to limit faith organizations offering their facilities as sanctuaries for undocumented immigrants; and continued embrace of authoritarian governments and parties abroad that may be construed as acceptance of the racist, sectarian, and religious hate that often accompany such movements.

As the U.S. enters tornado season, and nears the Atlantic hurricane and summer wildfire seasons, there are question marks surrounding FEMA and how the U.S. will handle disaster response & recovery. The administration has signaled a desire to have states play a larger role in that response, with recent indications being that FEMA may focus more on disaster response and step out of the recovery role. Stated desires for FEMA to leave the recovery role by Oct. 1 2025 seem to suggest a status quo through the majority of the 2025 hurricane season, but that is merely an assumption. Organizations are encouraged to develop contacts at the local, state, and national level for disaster response and recovery as appropriate and be prepared for potential large shifts how to navigate future disasters.

Finally, as social programs face uncertainty, services for the unhoused and those with mental illnesses may decrease. Whether or not these individuals directly interfaced with programs run by Faith-Based Organizations (FBOs) in the past, there may now be unsupported community members who require additional support from non-profits but pose a risk for emotional outbursts or criminal offenses due to their psychological stress and conditions.

Executive/VIP Protection. As mentioned earlier, incidents like the healthcare executive murder and the threatening of federal judges demonstrate an increased acceptance of using violence to voice various personal or societal grievances. Leaders, or organizations that stand out from the crowd based on real or perceived stances on certain issues may increase their likelihood of being targeted with hostile acts. This is not mentioned to discourage free speech, but rather to raise awareness that such stances can bring additional risks that must be mitigated for. You can read more about this threat in our 11 December, 2024 Weekly Report.

Israel-Hamas Conflict. While the direct conflict between Israel and Hamas remains fluid, it continues to inspire individuals from both sides across the globe. We recently shared an (U//FOUO) report of a pro-Al-Qaeda individual on social media encouraging violence against “Jewish and Crusaders”, encouraging others to “ignite and burn their businesses, and stores.” This type of online propaganda is nothing new, but it must all be taken seriously as lone actors continue to be inspired by similar propaganda.

The threat of lone actors continues to be a significant concern in relation to this conflict, as the ability for both sides to radicalize others remains strong. While bladed weapons and small arms remain popular weapons amongst lone actors, the past 6 months has also seen multiple vehicle ramming incidents, several of which had inspirations tied to this conflict. Particularly given the upcoming period of significant holidays for multiple religions, we urge proper planning and consideration for mitigating vehicle-borne attacks.

Hostile Events. Those who follow our Daily Awareness Post will be familiar with the consistent sharing of vandalism, arson, and other acts of targeted violence. Such incidents have been reported on since we issued our 2023 Threat Data and while the FB-ISAO 2024 threat data analysis is not yet available as a comprehensive report, preliminary data points to a continuation of the same.

CYBER THREAT: The TIG has determined to maintain the Cyber Threat Level at “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal.

We continue to encourage preparedness and vigilance against routine threats and ongoing challenges such as ransomware, business email compromise, and scams. Similar to the VIP threats that were discussed earlier, an organization’s public stance on various social and political topics could see it the target of hacktivists. Basic security measures including robust, unique passwords, and implementing multi-factor authentication (to include online meeting passcodes) significantly reduce the likelihood of a successful attack. Below are a few more specific areas of concern:

Business Email Compromise (BEC). Last year, the FBI’s Internet Crime Complaint Center (IC3) claimed that BEC cost US and global organizations nearly $55.5bn between October 2013 and December 2023, on the back of over 305,000 incidents. BEC incidents can and have happened to faith organizations, their staff, and members, which is why stressing proper cyber hygiene and best practices is so vital.

Ransomware. In our daily scans of ransomware group blogs, we continue to see houses of worship and organizations like hospitals and schools with religious affiliations among the listed victims. Recent reporting suggests that ransom payments are down (which is a good thing) but some groups are increasing volume of attacks to compensate for fewer payments coming in.

Scams. There are predictable scams, such as ones that will come with tax season, following natural disasters, romance scams or to leverage amplified interest in current affairs (beware of incoming “SignalGate” and seasonal severe weather scams). One scam that has been getting more attention of late are phishing texts related to fraudulent toll booth charges.

Supply Chain Compromise. A massive area of concern for all organizations is a vendor compromise that has the potential to impact your network or data. All members are encouraged to utilize third party risk management questionnaires before engaging with new vendors, and you can read more about this threat in the 20 March 2025 Weekly Report.

The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.

Before concluding, we want to raise two additional areas that should be on the radar for faith-based leaders, both spanning the cyber and physical realms: Insider Threats and Blended Threats.

Insider Threats. The FB-ISAO regularly reports on insider threats, often in the form of financial crimes from those who have been in positions of trust within their organizations. This remains a concern, and all organizations should take necessary steps to develop proper checks and balances within their leadership structures, especially when finances are involved. But insider threats can be accidental as well. An employee lazily clicking on a phishing link, or otherwise not following security protocols can easily allow threat actors into networks.

Blended Threats. A Blended Threat is a natural, accidental, or purposeful physical or cyber event that carries the potential to impact both the physical and cyber activities of an organization and threaten lives, information, operations, the environment, and/or property. These can impact faith-based organizations in multiple ways. If a surveillance camera has a vulnerability, a threat actor can access your network, leaving your data exposed as well as impacting your physical security awareness and tools. Alternatively, if your organization stores all of your data on premises without any off-site backups, and a natural disaster destroys your facility, your data goes with it. Those are two examples of blended threats, and why FBOs should consider security and resilience holistically and try to avoid information and analytical silos.

Regular updates are being shared in the Faith-Based Daily Awareness Post, shared via email and available on our blog.