Eliminating Fraud Risk for Nonprofits

What keeps nonprofit execs up at night? Usually, it’s one of two things: raising more money, or protecting the money you’ve raised and the reputation you’ve built.

Nonprofits are in the business of making human connections. Every donation means that someone has placed their trust in you. Safeguarding that donation, and that donor’s data, isn’t something that can be taken lightly. And to be honest, protecting your nonprofit’s reputation is also something that shouldn’t be taken lightly.

Overall fraud is on the increase, and nonprofit organizations can be particularly vulnerable. In this article, we will:

• Identify different types of nonprofit fraud
• Learn how to evaluate fraudulent transactions
• Talk about fraud prevention
• Explain what to do in an active fraud attack
• And learn about CharityEngine’s Advanced Fraud Protection

Even if you’re not a CharityEngine client (you should be!), this article will help you ask educated questions of your CRM vendor.

Note: this article is a high-level recap of a fantastic webinar that Alexis Langley, Customer Experience Manager, and Jessica Mocha-Piel, Implementation Supervisor, offered to our clients recently. You can watch the recording here. If you’re a CharityEngine client and you missed it, watch the webinar for specific instructions on how to enable anti-fraud measures in our software.

What Does Nonprofit Fraud Look Like?

Nonprofit fraud centers around financial data that can be stolen to fraudulently purchase other goods and services and nonprofit donation pages being used to test stolen data. Cybercriminals are after both credit card data and ACH data.

A criminal will often steal credit card data from another source and then test it on a nonprofit’s donation page.

ACH data, or bank transfers, are also at risk. When criminals have access to routing numbers and account numbers, it’s devastatingly easy to wire money out of an account. Again, they’re likely to test the stolen information by making multiple small (or even large) donations to a nonprofit.

Why would criminals target nonprofits? As a nonprofit, you’ve likely made it as easy as possible for your donors to give on your donation forms. Donation forms are an easy target to test the success of the stolen credit cards. Combine that with the fact that many nonprofits just don’t have the expertise, controls, or oversight to quickly identify and rectify fraud, and you'll see why having a partner like CharityEngine can be valuable.

But Don’t Panic!

Despite all the alarming talk about nonprofit fraud, it’s important to understand what it’s not. Fraud, or stealing financial information and testing it on a nonprofit’s website, is most likely not a security breach. In other words, the most common nonprofit fraud isn’t someone hacking your database and stealing the names or credit card numbers of your donors.

However, nonprofits suffer when they are inundated with fraudulent transactions. There are three significant impacts:

• Chargeback fees, in which you are charged by your bank because the owner of the stolen credit card disputes the charge. Most processors will reimburse the fees for fraudulent transactions; of course, CharityEngine takes care of this for our customers. 
• Administrative time your team spends communicating with donors and cleaning up the fraud attack.
• A damaged reputation, if word gets out that your systems have been attacked.

Though it’s not a security breach, nonprofit fraud risks are serious business.

How Can Nonprofits Identify Fraudulent Transactions?

You don’t want to wait to be inundated by fraudulent charges before the alarm bells start ringing. Here are some things to notice that might signify a fraud attack:

• Many small donations, like $5, from the same person in a short amount of time. When this happens, criminals are often testing cards to see which ones haven’t been reported as stolen and canceled.
• On your transaction record, check the name. Does it seem like a real name?
• Look at the address. If it looks a little suspicious, plug it into Google and see if it’s a real donor address. If the address is Fenway Park, it’s probably not where your donor lives! And is the address formatted correctly?
• Does the email address look legit? If you’re seeing incoherent words or a string of numbers and letters, it’s probably fraud.
• Is the same IP address being used for multiple donations attributed to different donors? That could be a flag. Cybercriminals can manipulate their IP addresses, but not all do.
• If any of these are present and you want to check the likelihood of authenticity, go to the donor record and check the giving history. Do they often give $5 donations?

Taken alone, these warning signs don’t guarantee fraud. But when a few are taken together, it’s worth a little investigation.

How Can Nonprofits Lower Their Fraud Risk?

In a word, prevention.

We advise our clients to implement these five practices to prevent fraud:

• Add CVV or Captcha to your forms. These are effective ways to make sure the cardholder is in physical possession of the card. (To be contradictory, you don’t always need to enable CVV on CharityEngine forms, and here’s why.) CharityEngine also offers native address verification, which matches the address with the credit card company has on record and flags any mismatches.
• Always disable your forms when you’re not using them. It’s a gateway to your systems, and an old, forgotten, active form can still be found.
• Set limitations on the number of times a device can donate, unless it’s a situation that warrants multiple transactions, like tickets to an event.
• Always block or blacklist suspicious IP and email addresses.
• Monitor your transactions daily. We can’t stress this enough! If you don’t have a baseline expectation for volume and transactions, you’ll be caught unaware when something goes wrong.

Uh Oh, It’s a Fraud Attack! What Do I Do?

You log in to check your transactions (good!) and you notice that a new donor has donated $5 30 times in one hour.

And because you read this article or watched the webinar, you’re on high alert! You know it’s a fraud attack!

So what do you do?

First of all, breathe. It’s okay. And if CharityEngine is your CRM, we’ve got your back, so reach out to us ASAP. If you have another vendor, make sure they’ll have your back, too.

Here are the five things we tell clients to do when it looks like they’re being compromised:

• Deactivate your form. Shut down that avenue into your systems. (But what if it’s a huge year-end campaign, and shutting down your form will hurt your fundraising?) Move to the next step!
• Make sure CVV and CAPTCHA are required. This is not one of those times you can forgo these measures, so be sure they’re on.
• Process the chargebacks, or the “returns” on the credit cards used in the attack. Wait five days for the transaction to settle in your account, then refund the money.
• Add the IP and email addresses to your blacklist.
• And, finally, submit a support ticket. We want to help you! We can also help you get reimbursed for processing fees charged on the fraudulent transactions.

Just Tell Me a Little Bit About CharityEngine’s Advanced Fraud Protection…

Whether you’re a client or not, here are a few things to know about our patent-pending advanced fraud protection. If we can brag a little bit, our fraud protection rate is 99%, which means you’re in good hands.

While we’re pretty good at helping you avoid fraud, we’re also pretty good at helping you recover.

For example, we make it easy to process chargebacks so the true cardholder gets their money back. Just scroll to “chargeback” on the entry on the listing screen, and you can process it right from the software.

(If you watch the webinar, you’ll see that Jess and Alexis offer chargebacks as an opportunity for you to connect with someone who hasn’t heard of your nonprofit! Maybe you won’t have to process that chargeback after all.)

CharityEngine’s Advanced Fraud protection is available to all clients as additional protection.

With it, we will:

• Provide the address matching and flag any mismatches.
• Flag IP addresses that look suspicious.
• Share information with a data co-op of tech vendors to help identify bad IPs.
• Hold suspicious transactions until they’re verified, so fraud doesn’t even reach your systems.

And that means that our Advanced Fraud Protection:

• Stops fraud attempts
• Saves time
• Saves money
• Saves your reputation!
• And improves conversion rates, because you don’t need to enable CVV and CAPTCHA

Fraud is a problem, but preventing it is easy. If you’re a client and you’ve got questions about fraud prevention or enabling more advanced protection, contact Alexis from our customer success team. And if you’re just curious about how CharityEngine could help your nonprofit, book a demo and we’ll show you what else is under the hood!