Advanced Fraud Protection from CharityEngine
Reduce Chargeback Rates and Boost Donor Confidence
Optimized donation forms can help your nonprofit increase conversions and amplify your mission. But there’s also a dark side: they are prime targets for nefarious individuals testing stolen credit card information, and the cost to nonprofits is significant. There are financial implications, and donor trust can easily erode if your systems appear to be vulnerable.
Most nonprofit CRMs offer fraud protection, and CharityEngine is no different. CharityEngine's standard fraud protection is above industry standards, including IP tracking/blocking processes baked into the system. However, we have developed a patent-pending, proprietary fraud tool that offers Advanced Fraud Protection. In this article, we will explore the tool and discuss the steps CharityEngine clients can take to protect their donation forms.
If you’re not yet a CharityEngine client but are intrigued by this offering, or if you are a client and want to explore the software's preventive features more deeply, this article is for you.
Benefits of Advanced Fraud Protection
Fraud protection happens on many layers. For example, CharityEngine is PCI- and SOC 2-certified, elite designations that keep donor data safe. (PCI certification protects online transactions and SOC certification covers data security.) Our donation forms are designed to reduce fraud as well.
Those clients wanting extra protection can purchase Advanced Fraud Protection. The benefits are significant!
- Stop fraud attempts. The system doesn’t even let fraudulent transactions get to the payment processor; they’re stopped in their tracks as soon as fraud is detected.
- Save time. When the number of attempted attacks is reduced, you have fewer transactions to review. It also means you don’t have to take the time to blacklist IP and email addresses.
- Save money. Every time a transaction occurs, you’re charged a fee, even if the card is declined. If fraudulent cards don’t get to the payment processor, there’s no transaction and no fee.
- Enjoy flexibility. This feature is easy to enable or disable at the form level.
- Increase conversion rates. Because we use big data and logic to root out fraudulent charges, you can remove traditional anti-fraud measures that challenge donors trying to convert.
- Our patented fraud protection includes data sharing with international payment processors to help mitigate attacks from known fraudulent IPs.
With this protection, you’ll be given a daily digest of transactions marked as fraudulent. In this way, you’ll be able to charge any pending transactions that were flagged as fraud but are, in fact, legitimate donations.
Is Advanced Fraud Protection Worth It?
All CharityEngine clients are protected from fraud. We offer tips any nonprofit can implement to lower their risk and have published easy-to-follow articles about protecting your nonprofit from fraud.
We take payment processing and fraud very seriously—for all our customers. Our priority is always to keep donor data and payment systems as safe from fraud as possible, and our clients can remain confident that we are always on the job.
That said, it’s impossible for any company or software to completely prevent all online fraud attacks. If a bad actor has stolen information and uses the correct information, there’s simply no way to identify that activity as fraudulent. Nonprofits can only arm themselves with the most sophisticated fraud prevention available.
Advanced fraud protection isn’t a standard offering in fundraising software and payment processing. Not all customers care to pay for it or enable it, and we are always happy to discuss your specific needs to see if it makes sense.
Two considerations as you weigh the options:
- Standard fraud protection, which all customers receive, cannot completely prevent all fraud. (No fraud protection is 100%, but CharityEngine comes close at about 99%.)
- Our advanced protection will occasionally flag legitimate transactions as fraud, and it can sometimes hamper the user experience if donors are flagged based on donation amount, location, IP address, etc.
It’s easiest to think of standard fraud protection as reactive. With it, we will identify repeated attempts to run a card, flag suspicious transactions, and detect patterns that should be investigated. Advanced Fraud Protection is proactive: we screen transactions as they come in, ensuring that fraud doesn’t get through.
As you can see, it’s not always a clear-cut decision. It’s important to weigh the benefits. If you aren't yet a client and want to talk about advanced fraud and other ways CharityEngine can help your nonprofit, just click the demo button and we will be in touch.
What to Do Before Implementing Advanced Fraud Protection
When a client purchases advanced fraud protection, there is a series of steps we ask them to consider. Tweaks to your organization might be necessary to ensure you’re prepared to use the tool.
- How often will your team want to review pending transactions? Base the frequency on your transaction details, taking larger-volume fundraising events into account.
- Craft a plan for weekends and holidays to ensure you’ll have the staff to review transactions, even when the office is closed.
- Consider the geographic areas from which most of your donations originate. If transactions are flagged outside of this area, think about how you’ll determine if there’s fraud. (We can help you with this!)
- Plan an internal verification process to review flagged transactions. You can use Google, or look at historical data in your fundraising software, or even call the donor directly.
Crafting this Standard Operating Procedure will ensure you’re ready to implement and act on Advanced Fraud Protection.
Accessing, Evaluating, and Deleting Pending Fraud Transactions
Within CharityEngine’s software, it’s easy to review transactions and determine if they’re valid or fraudulent. It’s also easy to either process the payment or delete the transaction before it hits the payment processor.
For detailed instructions and screenshots, please refer to this helpful and comprehensive article in our Help Center.
Here are a few high-level notes if you’re looking for an overview of what can be done in the software:
- Our advanced fraud protection feature will flag and pause transactions before they are processed, requiring manual work to review and approve transactions that do not appear to be fraudulent.
- You’ll go to the Donations section of the app and see a link to review fraud transactions. Bear in mind that optimized forms and other standard fraud prevention features will have already weeded out most attempts.
- When reviewing suspicious transactions, you’ll be aided by flagged key identifiers. If CharityEngine has inspected the name, address, email, IP address, amount, and number of charge attempts and finds any of it questionable, you’ll see a red or yellow triangle next to the flagged identifier, like an IP address or email address. If you see a green check, that identifier has been cleared by the system.
- You will view a screen of all your pending transactions and easily delete those you’ve deemed to be fraudulent.
- Conversely, you can bulk process the rest of the payments.
Here is a real fraud attempt stopped by our system. It offers a clear look at identifiers you can review to validate a transaction.
Here is the key to suspicious identifiers:
- The unusual name pattern (duplicate first and last).
- The common email domain (Gmail) is free and relatively easy to create.
- The address does not follow standard formatting.
- A donation of $5 or less is a common indicator of fraudulent activity.
- The IP address is flagged as a highly suspect network. This could include a public network (e.g. a public institution or free access at merchant locations).
- Location. Our algorithm will evaluate IPs located within specific areas or regions where questionable traffic may be experienced. In this example, Uruguay is flagged as a potential location source for originating fraudulent activity.
- The Blacklist Ratio and Decline Ratio for this region are displayed with additional information to inform whether to allow or terminate the transaction.
A note about the $5 or less amount: Many online attackers have become more sophisticated and will “donate” a dollar amount with cents to keep testing the system to see what gets through. If you’re accepting money online, it’s imperative that you continually monitor your accounts. Fraud protection systems can help, but there’s no substitute for vigilant human oversight.
With or without fraud protection, the easiest way to see if a donor is legitimate is to search online. You can search the address, name, phone number, and email address. Unless the search turns up a real person and matching information, you might want to delete the transaction. And beware of addresses that are hotels or other anonymous buildings!
Active Fraud Attacks
If you suddenly see many small, unique transactions in a short amount of time, that can be indicative of an active fraud attack.
Here are the steps we recommend for any nonprofit encountering a fraud attack:
- Deactivate your donation form. You can make a copy and repost it, but take the form under attack offline.
- Ensure the form requires CVV codes. These are designed to prevent the use of stolen credit card numbers.
- Consider enabling CAPTCHA. This step is also designed to prevent fraud.
- Process voids or refunds. When fraud is detected before settlement, voids won’t cost anything. Refunds, which would be issued if fraud is detected after settlement, might have a processing fee, but it’s often waived by the merchant if the transaction is associated with a fraud attack.
- Identify IPs that require blacklisting. Once you blacklist an IP, it cannot access your system or form.
- Tighten the system-security protocols for online behavior to more quickly auto-block IP addresses and emails.
- Investigate whether changing the URL is advisable. Your provider can help you determine when this step is appropriate.
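As an added illustration (not CharityEngine's code), the following Python applies the suspicious-identifier key above to a single pending transaction and checks a batch for the "many small, unique transactions in a short time" pattern that signals an active card-testing attack. The free-mail domain and flagged-region lists, the field names, and the sample transactions are all constructed for the example.

```python
from datetime import datetime, timedelta

# Lookups constructed for this example; the article names Gmail and Uruguay.
FREE_MAIL_DOMAINS = {"gmail.com"}
FLAGGED_REGIONS = {"UY"}


def indicator_flags(txn):
    """Return the suspicious identifiers (from the article's key) that one transaction trips."""
    flags = []
    parts = txn["name"].split()
    if len(parts) >= 2 and parts[0].lower() == parts[-1].lower():
        flags.append("duplicate_name")            # e.g. "John John"
    if txn["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        flags.append("free_email_domain")         # free, easy-to-create mailbox
    if not any(c.isdigit() for c in txn["address"]):
        flags.append("nonstandard_address")       # no street number at all
    if txn["amount"] <= 5:
        flags.append("small_amount")              # $5-or-less test charge
    if txn["country"] in FLAGGED_REGIONS:
        flags.append("flagged_region")
    return flags


def card_testing_burst(txns, window=timedelta(minutes=10), max_amount=5, distinct_cards=5):
    """True when at least distinct_cards different cards make small donations inside one window."""
    small = sorted((t for t in txns if t["amount"] <= max_amount), key=lambda t: t["ts"])
    for i, start in enumerate(small):
        cards = {t["card"] for t in small[i:] if t["ts"] - start["ts"] <= window}
        if len(cards) >= distinct_cards:
            return True
    return False


# Constructed sample transactions: one ordinary gift, one matching the article's example,
# and a burst of six sub-$5 attempts on different cards within three minutes.
T0 = datetime(2024, 1, 15, 2, 0)
LEGIT = {"name": "Maria Lopez", "email": "maria@example.org", "address": "12 Elm St",
         "amount": 50, "country": "US", "card": "4242", "ts": T0}
SUSPECT = {"name": "John John", "email": "jj@gmail.com", "address": "asdf qwer",
           "amount": 1.37, "country": "UY", "card": "1111", "ts": T0}
BURST = [dict(SUSPECT, card=str(1000 + i), ts=T0 + timedelta(seconds=30 * i)) for i in range(6)]
```

Each tripped flag is the equivalent of a red or yellow triangle in the review screen; a burst detection is the cue to take the form offline and start the steps above.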
Every nonprofit should have a level of fraud protection built into their fundraising software and payment processor. Advanced Fraud Protection offers an additional layer of protection for CharityEngine clients.
Nonprofit Fraud Risk
CharityEngine has been in the business of helping nonprofits change the world for quite some time, and we are always vigilant about preventing any type of fraud. As you know if you’re a client, we are SOC 2-certified and a PCI-certified payment processor. We educate any nonprofit, client or not, on ways to prevent fraud.
If you’d like to dive deeply into CharityEngine’s fraud protection, we will again offer the link to the detailed help center article and point you to a webinar from our Professional Services team.
We’d love to leave you with a client testimonial about Advanced Fraud Protection. A midsize client in the veteran-services industry shared this:
"Before we added CharityEngine’s Advanced Fraud Protection, our organization was targeted with a significant fraud attack. Outside of the discomfort we felt from being targeted and knowing what this meant for innocent cardholders, we still had to pay for it.
Now that we have Advanced Fraud Protection enabled on our account, we can review flagged transactions in less than five minutes every day.
Advanced Fraud is the type of feature I’d recommend any nonprofit set up well before they need it! Our entire organization has peace of mind knowing that we have the highest level of protection possible to prevent future attacks. It is well worth the investment, and I only wish we had enabled it sooner."
If you’re a client interested in adding Advanced Fraud Protection, contact Customer Success. If you’d like to become a CharityEngine client, contact Sales. Whether we hear from you or not, we wish you continued success in your mission.