Skip to main content

Phishing & Security

Church admins are high-value targets for phishing. You control stream keys, AI keys, payment information, and member data. This guide helps you recognize and avoid attacks.

Official Nlarj URLs

These are the only legitimate URLs:

PurposeURL
Main sitenlarj.app
Documentationdocs.nlarj.app
Support emailsupport@nlarj.app
Security emailsupport@nlarj.app?subject=Security
APIapi.nlarj.app
Always verify the domain in your browser address bar

Lookalike domains are the #1 phishing technique. Before entering credentials, confirm the address bar shows exactly nlarj.app — no hyphens, no accented characters, no extra letters.

Examples of fake domains to watch for:

  • our-holy-life.com (hyphen added)
  • ourholylifé.com (accented é)
  • ourholylife.co (wrong TLD)
  • ourholylife-support.com (suffix added)
  • nlarj.app.verify-login.xyz (subdomain trick)

What Nlarj will NEVER do

  • Never ask for your password — not via email, DM, phone, or support ticket
  • Never ask for your stream key — we already have it; you never need to share it
  • Never ask for your BYOK AI key — it's stored in your account, never in a message
  • Never ask you to install "support software" — TeamViewer, AnyDesk, remote access tools
  • Never send urgent "account suspended" emails with login links — check your account directly by typing nlarj.app in your browser
  • Never ask you to pay via gift cards, wire transfer, or crypto

If anyone claiming to be from Nlarj asks for any of these, it's a scam. Report it to support@nlarj.app?subject=Security.

Protecting your stream key

Your stream key is a password for broadcasting to your church's members. Anyone with it can:

  • Replace your sermon with their own content mid-service
  • Broadcast inappropriate content to your congregation
  • Consume your bandwidth/storage quota

Stream key hygiene:

  1. Never screenshot it with the key visible
  2. Never share it in a chat, email, or ticket
  3. Never commit it to git (even private repos)
  4. Never paste it into online "stream testers"
  5. Rotate it immediately if you suspect exposure (Live Streaming → Stream Keys → Regenerate)

Protecting your AI key (BYOK)

Your OpenRouter AI key can be used to generate AI content at your cost. Compromise = surprise bills.

AI key hygiene:

  1. Create a separate OpenRouter key for Nlarj (never reuse a personal key)
  2. Set a monthly spend limit on OpenRouter (e.g., $20/mo — covers any normal church use)
  3. Enable IP allowlist on OpenRouter if you have a static IP
  4. Review OpenRouter usage monthly — investigate any unexpected spikes

Recognizing phishing emails

Legitimate emails from Nlarj:

  • Come from @nlarj.app (check the full sender address, not just the display name)
  • Never ask you to log in via a link in the email
  • Never threaten immediate account suspension
  • Never have typos like "dear customer" or "youre account"

Red flags:

  • Display name says "Nlarj Support" but email is support@ourhaolylife-billing.co
  • "Your subscription expires in 2 hours — click here to renew"
  • Attachment you didn't request, especially .zip, .exe, .docm
  • Link text says nlarj.app but hovering shows a different URL
  • Sent at odd hours (3 AM local time) — legitimate support runs business hours
  1. Change your Nlarj password immediately — go directly to nlarj.app, don't use any link from an email
  2. Regenerate your stream key — Live Streaming → Stream Keys → Regenerate
  3. Revoke your BYOK AI key — at the provider (OpenRouter) and issue a new one
  4. Log out all sessions — Settings → Active Sessions → Log out all other devices
  5. Email us at support@nlarj.app?subject=Security so we can check for unauthorized activity

Members and phishing

Educate your members too — they're often the ones targeted:

  • Giving scams — fake "emergency giving" links pretending to be from your church
  • Prayer request scams — fake prayer chains that harvest personal info
  • Pastoral impersonation — scammers posing as you, asking members for gift cards

Your members should know: all giving happens inside the Nlarj app, never via email links. When in doubt, they should ask you in person.

Reporting phishing

Forward suspected phishing to support@nlarj.app?subject=Security with:

  • Full email headers (if email)
  • Screenshot of the message/SMS
  • Any links (don't click them — just copy the URL)

We track phishing campaigns and warn other churches in our network.