Nonprofit Fraud Warning Signs and How to Prevent It

When you consider fraud, you might think of someone stealing your identity and using your credit card to make purchases. Nonprofits aren’t usually selling valuable goods, so no one is making purchases with a stolen identity. So are you susceptible to fraud and deception?

Yes, but you can protect yourself.

The consequences of fraud can be damage to your brand, declining support, and loss of fundraising income. This article explains why nonprofits can be vulnerable to exploitation, presents the warning signs to look out for, and equips you to protect your organization with safeguards like secure software.

(Note: If you're not sure how to start using secure software, we've got you covered there, too!)

Why Are Nonprofits Susceptible to Fraud?

Nonprofits become victims of fraud for a few reasons:

• Nonprofits trust others who appear to share in their missions and efforts.
• A smaller staff focused on serving donors often doesn’t have extensive IT resources to combat fraud.
• Nonprofits have money coming in from different sources and for different amounts, so fraud can be tough to spot.
• And finally, a simple, insidious reason: you’re a testing ground for more significant fraud. With often recognizable brands and easy-to-use donation forms, your nonprofit is at risk from organized criminal enterprises wanting to test stolen credit card information to use for bigger crimes.

The risk is real, so how can you know if your nonprofit is the victim of fraud? Some warning signs might alert you.

Warning Signs of Nonprofit Fraud

We checked in with the Nonprofit Risk Management Center to see some of the most common red flags for nonprofits. Nonprofit fraud can run the gamut of illegal behavior, from embezzlement to expense to e-commerce fraud. Here are some general guidelines of warning signs nonprofits should watch for at all times:

• Invoices and vendors you don’t recognize
• Vendors with a P.O. box instead of a physical address
• A company name comprised of only initials, which is a common fraudulent naming convention 
• Sudden increase in purchases from a vendor
• Vendors invoicing you more than once a month

What about e-commerce fraud, in which extensive, organized criminal enterprises steal credit card numbers and test them using your nonprofit? Called carding or a carding attack, this is a fairly common occurrence and the one we at CharityEngine see the most.

The Digital Defense Fund offers some indicators you might be a victim of a carding attack:

• An abundance of small donations hitting your payment processor at once 
• Unusual activity at a time or on a day people aren’t usually monitoring software
• Transactions using the same mailing address and phone number 
• Email addresses that look strange

While it might seem you need to be on guard 24/7 to recognize an attack, the good news is that technology can help you with fraud protection. Here’s what nonprofit fraud can look like in practice. 

An Example of E-Commerce Fraud

Here’s a real example from about ten years ago. Unbeknownst to our nonprofit client, they were targeted by a sophisticated international organization. The criminals had deployed a network of bots methodically processing fake donations using stolen credit cards. The donations appeared to be coming from different locations and even different countries.

The nonprofit was large, and the decline ratio of this activity was low relative to the organization’s overall donation volume. It took the payment processor about two months to flag this activity as fraudulent. 

What’s the first thing the payment processor did? They shut down the nonprofit’s account and insisted the issue be resolved before the organization could accept and process credit cards online.

Abruptly, the nonprofit was told they were a victim of fraud, had their accounts shut down, and started losing money with every minute that passed.

This nonprofit came to us frantic to get answers and develop a plan to proceed.

The first thing we did was look at their payment gateway. The client used one of the largest at the time and had anti-fraud services enabled. So why didn’t the system flag the fraud sooner? 

There were three reasons this attack was successful:

• The donations were spread over time
• They had a realistic cadence that mimicked donor behavior
• They used accurate donor information

CharityEngine worked with the client to implement some short-term solutions, and then we used our CRM to roll out some longer-term changes that leveraged big data. We could effectively eliminate the risk without affecting the nonprofit’s conversion rates.

How Can Nonprofits Identify Fraudulent Transactions?

You don’t want to wait to be inundated by fraudulent charges before the alarm bells start ringing. Here are some things to notice that might signify a fraud attack:

• Many small donations, like $5, from the same person in a short amount of time. When this happens, criminals are often testing cards to see which ones haven’t been reported as stolen and canceled.
• On your transaction record, check the name. Does it seem like a real name?
• Look at the address. If it looks a little suspicious, plug it into Google and see if it’s a real donor address. If the address is Fenway Park, it’s probably not where your donor lives! And is the address formatted correctly?
• Does the email address look legit? If you’re seeing incoherent words or a string of numbers and letters, it’s probably fraud.
• Is the same IP address being used for multiple donations attributed to different donors? That could be a flag. Cybercriminals can manipulate their IP addresses, but not all do.
• If any of these are present and you want to check the likelihood of authenticity, go to the donor record and check the giving history. Do they often give $5 donations?

Taken alone, these warning signs don’t guarantee fraud. But when a few are taken together, it’s worth a little investigation.

How Nonprofits Can Protect Against Fraud 

There are some steps you can take to keep your nonprofit safe from fraud. This is the list of five dos and don’ts we share:

1. Always require the CVV code when accepting transactions. If the donations are being entered by a bot that’s testing credit cards, no one will respond with the code, and you will deny the transaction before any harm is done.

2. Don’t refund!  Rarely would a legitimate donor ask for a refund: this request should be a red flag! Fraudulent tricks include making a large donation via a fake check, then requesting a partial refund.
   
   This scam also happens with credit cards. A donation is processed, and then the donor files a chargeback and requests a refund. The donor can then collect the chargeback and the refund! When a refund is requested, ask in writing if a chargeback has been requested. If so, don’t issue a refund.

3. Do be careful of international donations. These aren’t under U.S. jurisdiction, and that makes them easy vehicles for fraud. You can have a separate web page for international donations to police them more carefully.

4. Do ask for large sponsorship donations to be made ahead of time. This allows the check to clear if someone has procured a large table at a gala or premier sponsorship of a nonprofit event. Honest donors won’t mind if you explain it’s standard practice to prevent fraud.

5. When you do identify transactions that appear to be fraudulent, add the email addresses and IP addresses associated with the transactions to the blacklist. This will allow you to avoid sending your donation forms or other notices to bad actors by email and will prevent further transaction attempts from the blocked IPs.

We remind clients that fraudsters can change their IP and email addresses often. Identifying them can be a time-consuming process if you’re investigating more than five attempts at a time. This is where CharityEngine’s Advanced Fraud Protection will provide the best time savings and impact!

And always leverage technology. We pound this point into the pavement because we know firsthand how much good technology can make your nonprofit safer and more successful.

If you have access to advanced fraud protection, you might not have to protect yourself at all manually; the software likely does it for you. But here are some steps you can take to ensure you are doing what you can to keep your nonprofit safe:

• Check with your payment gateway, no matter how large or widely used, and ask if they are, at a minimum, performing fundamental, industry-standard I.P. Pattern Detection Analysis to block acceleration attacks.
• Implement a solution that goes beyond this pattern detection to tie together analytics and geo-dates. Analytics-Based Intelligent Analysis can prevent more sophisticated attackers from targeting your nonprofit.

These next mitigation steps are best-practice methods to block automated attackers, but they can potentially harm your donor experience and reduce conversion rates. Keeping your donor experience easy is always advised, but protecting against fraudulent attacks is critical. You probably experience the following with many, if not most, of your personal online purchases:

• Address Verification Services (AVS) are settings at both the gateway and merchant levels. They can be toggled on or off and configured with decline/approval responses based on how closely an address entered matches the address on file with the credit card.
• CVV Code Validation is that “three-digit code” you’re constantly being asked to report when shopping online. This, too, can be configured by the gateway or the merchant and set to approve or decline charges depending on the code given.
• Captcha is that familiar, annoying box that asks you to select all the pictures with steps or traffic lights. It drives users nuts, but it’s effective at blocking bots.

It’s worth noting that ACH payments, or checks and bank transactions, are traditionally less often attacked. But due to new Nacha guidelines, all merchants must implement technology that validates bank accounts if they are being used for e-commerce transactions.  

This is positive news for nonprofits. If your processor uses a robust ACH account verification service, it will prevent fraud, reduce your ACH return rate, and reduce associated fees.

Industry-Leading Fraud Protection

If the dos and don’ts DO give you a headache, and you’re a CharityEngine customer, you’ve got a patent-pending, practically priceless option right in front of you. Changes in technology mean we're constantly updating our offerings to be at the forefront of security.

Advanced Fraud Protection is the highest, most effective level of fraud protection there is. Only CharityEngine offers security tools specific to fundraising, built to respond to the attacks that are most likely to threaten our clients.

Standard anti-fraud practices and recommendations we offer include:

• Active monitoring of all online donations to check for suspicious activity
• Ensuring clients set a minimum donation amount (a $5 donation is surely testing a stolen card!)
• Having clients accept donations in set amounts
• Requiring donors to create an account and log in to donate
• Asking for credit card expiration dates and CVV codes
• Enabling address verification services
• Requesting donor email addresses for donor verification and tax forms
• Rejecting or holding donations suspected of being fraudulent

The benefits of using Advanced Fraud Protection are significant. This feature:

• Helps stop fraud attempts. The system identifies fraud runs before they hit the payment processor. Once the bot or human realizes the payment processor isn’t responding and the attempts to run the transaction are being blocked, the fraud stops.
• Saves time. Reducing the number of attempts during an attack means fewer transactions to review and avoids the need to add IP and email addresses to the blacklist.
• Saves money. Transaction fees are assessed on a payment, whether the card is declined or not. By identifying and stopping fraudulent activity before it hits the payment processor, you avoid having to pay these transaction fees.
• Allows you to maintain the flexibility to enable it or not. You can enable or disable it at the form level; you may not need it on a temporary form, such as an event.

CharityEngine’s Advanced Fraud Protection is a suit of armor for your nonprofit. Not only does the technology protect you from fraud, but you have our teams working overtime to keep you safe.

Building a Culture of Vigilance

Fraud is a constant threat, but it doesn’t have to derail your mission. By combining awareness of red flags with strong fraud-prevention practices and the right technology, your nonprofit can stay one step ahead of bad actors.

Remember, every safeguard you put in place protects not only your revenue but also the trust your donors place in you. Safeguarding that trust is what keeps your mission thriving.

If you want to talk to us about your specific situation, see our solution in action, or learn about how it looks to work with us, we’re always just a phone call or email away.