FB-ISAO Current Threat Level

This threat level statement is current as of 09 July 2025.

Threat Levels Remain at Elevated

FB-ISAO recognizes that during a time of such political divisiveness, observations and assessments may be seen as supportive of one political idea or another. FB-ISAO, and our working groups, strive to be apolitical and unbiased in all of our efforts.

FB-ISAO’s Cyber Threat Intelligence and Operational Resilience working groups actively monitor reports and continually observe a broad array of threat and hostility indicators to people and places of faith. We examine the local impacts of events relating to ongoing conflicts around the world and the related activities of threat actors internationally and domestically to arrive at our assessments.

ASSESSMENT: We assess that, in light of all presently available indicators, the general threat of physical and cyber-attacks against Houses of Worship in the United States remains ELEVATED.  We understand that individual Houses of Worship, given their faith, geographic location, socio-political / ethnic demographics, and degree of local tensions may consider their threat as SEVERE and should adjust their posture accordingly. Review our Threat Level Explainer.

• The ongoing open conflicts in the Middle East, Eastern Europe, and South Asia create a tense geo-political threat environment.
• This is heightened by the 21 June US bombing of nuclear weapons infrastructure in Iran. 
• These conflicts and other political events in the US contribute to domestic unrest and a concerning threat environment for communities of faith, particularly Jewish, Muslim, Hindu and Sikh communities.
• These concerns are heightened in this period of major holidays and outdoor mass gatherings.

Due to current volatility, we will reassess these levels frequently over the course of the summer. We recognize that the FB-ISAO threat level has been at the ELEVATED level for quite some time, and assess that the combination of global geopolitical tensions, combined with domestic unrest and persistent political polarization make it likely that the threat level will remain “Elevated” for the foreseeable future. FB-ISAO will continue to closely monitor events and if we assess that there is a high likelihood of an increase in physical or cyber threats (or a significant decrease in tensions) we will make appropriate revisions to this threat assessment.  

DISCUSSION

The NTAS Bulletin dated 22 June 2025, discusses the ongoing Iran conflict and how it is contributing to a heightened threat environment in the US, especially in regard to the cyber arena. Pro-Iranian hacktivists are carrying out low-level cyberattacks, and government-linked Iranian cyber actors may also target US networks. While it does not seem that Iran intends to retaliate against US facilities and officials abroad at this time, the potential of such attacks remains. Recent acts of terrorism in the Homeland linked to anti-Sematic and anti-Israel views suggest that the conflict could also incite attacks in the Homeland.

Religiously targeted acts of violence such as arson, vandalism, and low-level attacks including swatting and bomb threats continue to occur. Globally, there has also been a continued use of vehicle ramming attacks. Immigration enforcement and other divisive political issues continue to fuel nationwide protests which recently have included the deployment of US military personnel on domestic soil. While the vast majority of protests have been peaceful and without significant incidents during military deployments, Houses of Worship have regularly been caught in difficult situations between their communities and law enforcement, immigration, and military personnel. In a relatively short span of time, we’ve witnessed increased targeted violence, with the murder of two Israeli embassy staff in Washington D.C; the firebombing of an anti-conflict march in Boulder, Colorado; the targeted attack of two Minnesota lawmakers and their spouses; and the assault with semi-automatic weapons on a church in Wayne, Michigan.

To prepare for potential threats stemming from the Iran conflict, US organizations should consider enhancing cyber vigilance and in reinforcing network defenses. It is important to patch known vulnerabilities, monitor for unusual activities, back up critical systems and share unusual or nefarious network activity for broader collective defense. High-profile individuals should consider their risk assessment and potentially increase personal security awareness. Communities that may be vulnerable to hate-based violence like Jewish and Muslim institutions may benefit from in coordinating with local law enforcement and other hometown security partners (to include co-tenants, adjacent and proximate facilities), review emergency plans, and ensure security protocols.

Given the unavoidability of mis-, dis-, and mal-information internationally and here in the US, members are encouraged to avoid idle speculation, not overreact to hearsay, memes, unsubstantiated rumors presented as facts, and to avoid personal emotions and biases. Rather, seek a wide and diverse array of information sources, and calmly and rationally assess substantiated information and respond accordingly. This challenge was demonstrated the week of March 17, 2025 when multiple healthcare industry associations released a bulletin referencing a potential coordinated attack on US hospitals, which multiple intelligence agencies quickly dismissed as having a lack of “credible information supporting or corroborating the claims.” It is critically important in this highly charged environment to carefully assess the actual material as opposed to perceived indicators of threat, and identify actual changes in the threat environment, emergence of threat actors, or observable changes in an adversary’s capabilities vis a vis your own vulnerabilities when make assessments.

The Physical Threat Level is “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal. We are also closely monitoring events and are considering an escalation to “SEVERE,” meaning that an event is highly likely, but decided to not escalate to that level at this time.

ANALYSIS OF THE CURRENT PHYSICAL THREAT ENVIRONMENT

Iran Conflict.  Events quickly escalated in the Middle East, with the US getting directly involved as a combatant in the Israel/Iran conflict. While a ceasefire has is currently being held, the situation remains very fluid, with recent reports indicating Israel still maintains a desire to carry out further strikes. Iran is reportedly courting the support of Russia, which could further broaden the conflict. Iran is known to have assets in the US and has a demonstrated capacity to use proxy agents to conduct terrorist operations abroad. What is missing in the current phase is a religious directive or fatwa specifying houses of worship as legitimate targets and providing religious sanction for an attack.  Public release of such an order would be predicate to raising the threat level to SEVERE.

Israel-Hamas Conflict. While the direct conflict between Israel and Hamas remains fluid, it has already triggered individuals on both sides to act. We continue to share reports of pro-Al-Qaeda entities encouraging violence against Western interests. This type of online propaganda is nothing new, but it must all be taken seriously as lone actors continue to be inspired by similar propaganda.

The threat of lone actors continues to be a significant concern in relation to this conflict, as the ability for both sides to radicalize others remains strong. While bladed weapons and small arms remain popular weapons amongst lone actors, the past six months has also seen multiple vehicle-ramming incidents, inspired by this conflict. Particularly given the upcoming period of significant holidays for multiple religions, we urge proper planning and consideration for mitigating vehicle-borne attacks.

The physical and cyber implications of the Middle East conflicts are significant. Physically, both conflicts have resulted in mass casualties, infrastructure destruction, and disrupted daily life. Simultaneously, cyber operations have become an extension of these hostilities. Iran-linked groups, such as “Cyber Av3engers”, have launched cyberattacks like energy infrastructure targets. These actions not only threaten the stability of affected regions but also pose spillover risks to global networks and organizations.

Hostile Events. Those who follow our Daily Awareness Post will be familiar with the consistent sharing of vandalism, arson, and other acts of targeted violence. Such incidents have been reported on in our 2023 Threat Data and FB-ISAO 2024 threat data reports.

Civil Unrest. As the US continues to see diverse political climates, we see deeply divisive issues such as political polarization, cultural tensions, immigration, border policies, and misinformation remain prominent, contributing to an elevated threat environment for faith-based communities and houses of worship. Before addressing a few specific areas, it is important to understand these threats within the context of the general threat environment within the US.

Examples of incidents which have occurred within the past two months that highlight the national tone:

• Fatal Shooting of Two Israeli Embassy Staff in Washington, D.C – May 21^st : Murder of foreign officials, and hate/crime terrorism charges. According to police, he proclaimed his act “for Gaza” and had posted extremist materials online.
• Firebombing/Flamethrower Attack at Jewish-Related Event in Boulder, Colorado – June 1^st, 2025: A suspect used a garden spray and Molotov cocktails at a pro-hostage, Jewish-run event in Boulder, shouting “Free Palestine” and “End all Zionists.”
• Minnesota Democratic legislators: Shot two Minnesota Democratic legislators with a manifesto with 70 targeted individuals.
• “No Kings” Protests on June 14^th: Over 5 million people protested nationwide against authoritarianism and immigration policies.  with threats being places over individuals who may participate in the ‘No Kings’ protest.
  • Suspect arrested in connection with threats against Texas lawmakers amid “No Kings” protest in Austin
  • Organizers say volunteers ‘took action’ against ‘imminent threat’ to protesters before deadly ‘No Kings’ shooting
  • New protests have also sparked and are intended to occur On July 17th, March in Peace. Act in Power & No Kings protest organizers announce July 17 as next demonstration.
• Anti-ICE Protests: Demonstrators protesting an end to immigration raids and detentions. Carrying sings and chanting slogans denouncing what they called inhumane treatment of migrants.
• National Guard and Marines being deployed in Los Angeles: President Trump, under Title 10 authority, deployed some 4,000 California National Guard troops and 700 active-duty Marines to Los Angeles June 7^thto guard federal buildings and personnel amid protests over ICE raids. The deployment triggered sharp backlash including legal challenges.

We mention these incidents to highlight that the societal temperature is high, and violence and hostile actions appear to be becoming more prominent in this threat environment. This can lead to a heightened perception of threat but can also lower the threshold for individuals to operationalize. Awareness of resources such as the US Violent Extremist Mobilization Indicators and the Pathway to Violence is more vital than ever to help identify threats before they formalize into hostile events. The community can read more about the Hostile Event Attack Cycle here, which can help security leaders better identify potential suspicious behavior.

Considering the current environment, the community will want to be particularly alert and cautious to protests. While peaceful protests are a cornerstone of our democracy, historically and in recent events, protests have seen clashes with counter-protesters and law enforcement, including detentions of legal US residents in relation to their protest activity. They have also seen incidents of nefarious actors using the mass gatherings to conduct more dangerous, hostile events. Organizations are encouraged to monitor significant protest activity in their areas of operations for possible impacts to normal operations and advise community members who do protest to do so carefully – and responsibly.

Executive/VIP Protection. Incidents like the murder of United Healthcare executive Brian Thompson and the threatening of federal judges and public figures demonstrate an increase acceptance of using violence to voice various personal or societal grievances. Leaders andand organizations that stand out based on real or perceived stances on certain issues may be at heightened risk of being targeted with hostile acts. This trend is further illustrated by the recent shooting of a Minnesota lawmaker, which authorities have called a politically motivated act, and the targeted murders outside the Capital Jewish Museum in Washington, D.C., which reflect growing antisemitic violence and ideological extremism. These events underscore the need for heightened vigilance and proactive threat mitigation especially for individuals or institutions associated with polarizing topics.

Disaster Preparedness. As the US enters the 2025 Atlantic hurricane and summer wildfire seasons there is growing uncertainty around FEMA and the nation’s overall capacity to manage disaster response and recovery effectively, placing greater pressure on houses of worship to enhance their capacity to support communities in crisis. An internal FEMA review recently concluded that the agency is “not ready for the 2025 hurricane season,” citing deep staffing cuts, disrupted preparedness initiatives, and low morale within key operational divisions. These challenges come at a time when climate-drive disasters are becoming more frequent and severe, placing even greater strain on emergency management infrastructure.

The Trump administration has signaled a shift in federal disaster policy indicating a desire to reposition FEMA’s primary focus on immediate disaster response and phase out much of its long-standing recovery role. Reports suggest this transition may be implemented by October 1, 2025, which implies that much of the current hurricane season may proceed under the traditional FEMA structure. However, this is not guaranteed, and the phased drawdown could begin sooner depending on internal decision-making and Congressional support. The evolving strategy reflects concerns about the sustainability of FEMA’s broad mission and a broader push to decentralize certain responsibilities to state and local governments. Faith-Based Organizations (FBOs) are encouraged to pursue contacts at the local, state, and national level to develop their capacities to support disaster response and recovery and be prepared to navigate future disasters.

Health: As the US faces evolving public health challenges, two key concerns are impacting faith-based communities: a resurgent measles outbreak and the emergence of a new COVID-19 variant. Measles has reached its highest levels since 1992, with other 1,200 confirmed cases in 36 states as of mid-June, including 23 outbreaks primarily concentrated among under-vaccinated religious communities. These outbreaks highlight the heightened vulnerability of close-knit faith communities.

At the same time, a new COVID-19 sub-variant NB.1.8.1, first was detected in the US in March 2025. With multiple spike-protein mutations, NB 1.8.1 demonstrated sequences, and reported in states including California, New York, Arizona, Rhode Island, and Ohio. Though it hasn’t been linked to more severe illness, it poses a renewed risk for COVID-19 this summer.

Together, the spread of measles in under-vaccinated religious networks and the proliferation of a more transmissible COVID variant create a public health concern. This complex environment amplifies the need for houses of worship to develop mitigation strategies and to educate the community on strategies developed.

Finally, as social programs face uncertainty, services for the unhoused and those with mental illnesses may decrease. Whether or not these individuals directly interface with programs run by FBOs in the past, there may now be unsupported community members who require additional support from non-profits but pose a risk for emotional outbursts or criminal offenses due to their psychological stress and conditions.

The Cyber Threat Level is “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal.

ANALYSIS OF THE CURRENT CYBER THREAT ENVIRONMENT

We continue to encourage preparedness and vigilance against routine threats and ongoing challenges such as ransomware, business email compromise, and scams. Similar to the VIP threats that were discussed earlier, an organization’s public stance on various social and political topics could see it the target of hacktivists. Basic security measures including robust, unique passwords, and implementing multi-factor authentication (to include online meeting passcodes) significantly reduce the likelihood of a successful attack. Below are a few more specific areas of concern:

Business Email Compromise (BEC). BEC has been a significant cyber threat, and recent data from early 2025 indicates that the situation continues to escalate. In 2023, BEC scams resulted in over $2.94 billion in reported losses in the US alone, marking a notable increase from previous years. The average requested wire transfer in BEC attacks rose to $39,315 in February 2025, up from $24,586 in January 2025, indicating a 60% increase in the average amount requested.

Ransomware. In the first six months of 2025 we have identified at least 10 Faith-Based organizations as ransomware victims. With a rise in cyberattacks amid the Iran conflict,  with some reports showing a 700% increase in attacks since events in the Middle East escalated. Globally, ransomware activity continues to be a significant threat, driven by more advanced tools and faster attack cycles. Sophos State of Ransomware 2025 indicated that 63% of organizations fall victim due to a lack of people or skills, resulting in an average ransomware payment of $1M. Organizations are urged to boost cyber defenses and stay vigilant.

Scams. There are several predictable scam patterns that consistently reemerge, particularly in the aftermath of severe weather events. Scammers often exploit the chaos and urgency following hurricanes, tornadoes, or floods by posing as insurance adjusters, disaster relief agencies, or repair contractors. Additionally, scammers frequently capitalize on heightened public interest in current events or crises, crafting phishing attempts around trending topics. Recently reported scams include fraudulent Departments of Motor Vehicles (DMV) scams.There are predictable scams, such as ones that will come with tax season, following natural disasters, romance scams or to leverage amplified interest in current affairs (beware of incoming “SignalGate” and seasonal severe weather scams). One scam that has been getting more attention of late are phishing texts related to fraudulent toll booth charges. Scammers are sending fraudulent text messages impersonating state DMVs warning recipients of “unpaid tolls” or traffic violations and urging to click links to avoid license suspension or legal penalties. These professionally crafted messages using official logos, .gov-style URLs, and urgent language have surged by over 700-800% in June 2025, and are now reported across more than a dozen states.

Supply Chain Compromise. A massive area of concern for all organizations is a vendor compromise that has the potential to impact your network or data. All members are encouraged to utilize third party risk management questionnaires before engaging with new vendors, and you can read more about this threat in the 20 March 2025 Weekly Report.

The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.

Additional Considerations Related to Insider Threats and Blended Threats

We assess two additional areas that should be on the radar for faith-based leaders, both spanning the cyber and physical realms: Insider Threats and Blended Threats.

Insider Threats. The FB-ISAO regularly reports on insider threats, often in the form of financial crimes from those who have been in positions of trust within their organizations. This remains a concern, and all organizations should take necessary steps to develop proper checks and balances within their leadership structures, especially when finances are involved. But insider threats can be accidental as well. An employee inadvertently clicking on a phishing link, or otherwise not following security protocols can easily allow threat actors into networks.

One emerging and highly concerning variant of insider threat is the North Korea IT-worker infiltration scheme. In this scenario, North Korean operatives pose as legitimate remote IT contractors, using stolen or fabricated identities, AI-generated profiles, deepfakes, VPNs, and even “laptop farms” managed by unwitting US facilitators. These individuals secure remote positions at US firms, earn pay in cryptocurrency or stablecoins, and funnel millions back to Pyongyang to support its sanctioned weapons programs. The tactic isn’t only financially motivated – its operators have also been linked to espionage, data theft, and extortion.

All organizations are encouraged to understand this threat and discuss it with potentially involved personnel to explore ideas like strengthening hiring protocol, enforcing protocols, enforcing multi-departmental insider-risk programs, instituting continuous monitoring, and embedding these scenarios into incident response plans.

Blended Threats. A Blended Threat is a natural, accidental, or purposeful physical or cyber event that carries the potential to impact both the physical and cyber activities of an organization and threaten lives, information, operations, the environment, and/or property. These can impact faith-based organizations in multiple ways. If a surveillance camera has a vulnerability, a threat actor can access your network, leaving data exposed as well as impacting physical security awareness and tools. Alternatively, if your organization stores all of its data on premises without any off-site backups, and a natural disaster destroys the facility, the data goes with it. Those are two examples of blended threats, and why FBOs should consider security and resilience holistically and try to avoid information and analytical silos.

Regular updates are being shared in the Faith-Based Daily Awareness Post, shared via email and available on our blog.