Protecting Your Nonprofit From Fraud
Nonprofit fraud can result in damage to your brand and reputation and can cost you a lot in lost donations. Read our tips to guard your nonprofit against fraud.
When you consider fraud, you might think of someone stealing your identity and buying things with your credit card. Nonprofits aren’t usually selling valuable goods, so no one is making purchases with a stolen identity. So are you susceptible to fraud and deception? Yes, but you can protect yourself.
The consequences of fraud can be damage to your brand, declining support, and loss of fundraising income. This article will explain why nonprofits can be victimized and offer some warning signs. We will give you a real-life example of what nonprofit e-commerce fraud looks like, and we’ll give you some tips on how you can protect your organization.
Nonprofit Fraud
Nonprofits become victims of fraud for a few reasons:
- Nonprofits trust others who appear to share in their missions and efforts.
- A smaller staff focused on serving donors often doesn’t have extensive IT resources to combat fraud.
- Nonprofits have money coming in from different sources and for different amounts, so fraud can be tough to spot.
- And finally, a simple, insidious reason: you’re a testing ground for more significant fraud. With often recognizable brands and easy-to-use donation forms, your nonprofit is at risk from organized criminal enterprises wanting to test stolen credit card information to use for bigger crimes.
The risk is real, so how can you know if your nonprofit is the victim of fraud? Some warning signs might alert you.
Warning Signs of Nonprofit Fraud
We checked in with the Nonprofit Risk Management Center to learn some of the most common red flags for nonprofits. Nonprofit fraud can run the gamut of illegal behavior, from embezzlement to expense fraud to e-commerce fraud. Here are some general warning signs nonprofits should watch for at all times:
- Invoices and vendors you don’t recognize
- Vendors with a P.O. box instead of a physical address
- A company name consisting only of initials, which is a common fraudulent naming convention
- Sudden increase in purchases from a vendor
- Vendors invoicing you more than once a month
What about e-commerce fraud, in which extensive, organized criminal enterprises steal credit card numbers and test them using your nonprofit? Called carding or a carding attack, this is a fairly common occurrence and the one we at CharityEngine see the most.
The Digital Defense Fund offers some indicators you might be a victim of a carding attack:
- An abundance of small donations hitting your payment processor at once
- Unusual activity at a time or on a day people aren’t usually monitoring software
- Transactions using the same mailing address and phone number
- Email addresses that look strange
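As an added illustration (not CharityEngine's or the Digital Defense Fund's code), the sketch below checks a batch of donation records for three of the indicators above: a burst of small donations, a burst at an unmonitored hour, and a reused mailing address and phone number. The thresholds, field layout, and sample records are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own donation history.
SMALL_AMOUNT = 5.00              # "small donation" ceiling in dollars
WINDOW = timedelta(minutes=5)    # what counts as "at once"
BURST_SIZE = 4                   # small gifts inside WINDOW that make a burst
QUIET_HOURS = range(0, 6)        # hours when nobody watches the dashboard
REUSE_LIMIT = 3                  # gifts sharing one address and phone

# Constructed sample records: (timestamp, amount, mailing address, phone)
SUSPICIOUS = [
    ("2024-03-02 03:10:05", 1.00, "12 Elm St", "555-0100"),
    ("2024-03-02 03:10:41", 1.00, "12 Elm St", "555-0100"),
    ("2024-03-02 03:11:17", 2.00, "12 Elm St", "555-0100"),
    ("2024-03-02 03:12:02", 1.00, "12 Elm St", "555-0100"),
    ("2024-03-02 14:30:00", 50.00, "9 Oak Ave", "555-0142"),
]
NORMAL = [
    ("2024-03-02 09:15:00", 25.00, "9 Oak Ave", "555-0142"),
    ("2024-03-02 12:40:00", 5.00, "3 Pine Rd", "555-0117"),
    ("2024-03-02 19:05:00", 100.00, "77 Lake Dr", "555-0163"),
]

def carding_flags(donations):
    """Return the sorted names of the warning signs present in the batch."""
    rows = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), amt, addr, phone)
                  for ts, amt, addr, phone in donations)
    flags = set()
    # Signs 1 and 2: slide a time window over the small donations only.
    small = [when for when, amt, _, _ in rows if amt <= SMALL_AMOUNT]
    start = 0
    for end, when in enumerate(small):
        while when - small[start] > WINDOW:
            start += 1
        if end - start + 1 >= BURST_SIZE:
            flags.add("burst_of_small_donations")
            if when.hour in QUIET_HOURS:
                flags.add("off_hours_burst")
    # Sign 3: many gifts that share one mailing address and phone number.
    reuse = Counter((addr.strip().lower(), phone) for _, _, addr, phone in rows)
    if any(count >= REUSE_LIMIT for count in reuse.values()):
        flags.add("shared_address_and_phone")
    return sorted(flags)

if __name__ == "__main__":
    print("suspicious batch:", carding_flags(SUSPICIOUS))
    print("normal batch:", carding_flags(NORMAL))
```

A check like this catches only the noisy pattern; an attack spread over time with realistic cadence and accurate donor details will not trip these thresholds.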
While it might seem you need to be on guard 24/7 to recognize an attack, the good news is that technology can help you with fraud protection. But before we get to that, let’s look at a real-life case study.
An Example of E-commerce Fraud
Here’s a real example from about ten years ago. Unbeknownst to our nonprofit client, they were targeted by a sophisticated international organization. The criminals had deployed a network of bots methodically processing fake donations using stolen credit cards. The donations appeared to be coming from different locations and even different countries.
The nonprofit was large, and the decline ratio of this activity was low relative to the organization’s overall donation volume. It took the payment processor about two months to flag this activity as fraudulent.
What’s the first thing the payment processor did? They shut down the nonprofit’s account and insisted the issue be resolved before the organization could accept and process credit cards online.
Abruptly, the nonprofit was told they were a victim of fraud, had their accounts shut down, and started losing money with every minute that passed.
This nonprofit came to us frantic to get answers and develop a plan to proceed.
The first thing we did was look at their payment gateway. The client used one of the largest at the time and had anti-fraud services enabled. So why didn’t the system flag the fraud sooner?
There were three reasons this attack was successful:
- The donations were spread over time
- They had a realistic cadence that mimicked donor behavior
- They used accurate donor information
CharityEngine worked with the client to implement some short-term solutions, and then we used our CRM to roll out some longer-term changes that leveraged big data. We could effectively eliminate the risk without affecting the nonprofit’s conversion rates.
How Nonprofits Can Protect Against Fraud
Leverage technology. We pound this point into the pavement because we know firsthand how much good technology can make your nonprofit safer and more successful.
If you have access to advanced fraud protection, you might not have to protect yourself manually at all; the software likely does it for you. But here are some steps you can take to ensure you are doing what you can to keep your nonprofit safe:
- Check with your payment gateway, no matter how large or widely used, and ask if they are, at a minimum, performing fundamental, industry-standard IP Pattern Detection Analysis to block acceleration attacks.
- Implement a solution that goes beyond this pattern detection to tie together analytics and geo-dates. Analytics-Based Intelligent Analysis can prevent more sophisticated attackers from targeting your nonprofit.
These next mitigation steps are best-practice methods to block automated attackers, but they can potentially harm your donor experience and reduce conversion rates. Keeping your donor experience easy is always advised, but protecting against fraudulent attacks is critical. You probably experience the following with many, if not most, of your personal online purchases:
- Address Verification Services (AVS) are settings at both the gateway and merchant levels. They can be toggled on or off and configured with decline/approval responses based on how closely an address entered matches the address on file with the credit card.
- CVV Code Validation is that “three-digit code” you’re constantly being asked to report when shopping online. This, too, can be configured by the gateway or the merchant and set to approve or decline charges depending on the code given.
- Captcha is that familiar, annoying box that asks you to select all the pictures with steps or traffic lights. It drives users nuts, but it’s effective at blocking bots.
It’s worth noting that ACH payments, or checks and bank transactions, are traditionally less often attacked. But due to new Nacha guidelines, all merchants must implement technology that validates bank accounts if they are being used for e-commerce transactions.
This is positive news for nonprofits. If your processor uses a robust ACH account verification service, it will prevent fraud, reduce your ACH return rate, and reduce associated fees.
Industry-Leading Fraud Protection
At CharityEngine, we’ve learned from years of helping the client we discussed and others who faced similar attacks. We have built patent-pending technology that leverages massive data networks and sophisticated intelligence to help our clients.
There are some key benefits and differentiators to our fraud protection:
- It is 100% effective at protecting your e-commerce environment from the most sophisticated attacks.
- Our solution doesn’t require you to put barriers on your donation forms that complicate the giving process for legitimate donors and negatively impact your conversion rates.
- Effective fraud protection reduces your cost because your chargeback rates for fraudulent credit card transactions are reduced. In fact, we have seen greater than 80% reductions for clients using advanced fraud protection on their donation forms.
We are enthusiastic about our advanced fraud protection because we know it’s the best on the market! If you want to talk to us about your specific situation, see our solution in action, or learn what it looks like to work with us, we’re always just a phone call or email away.