How to Prevent Nonprofit Fraud Attacks
Every nonprofit fears being the victim of a fraud attack. Here's some advice on preventing it and some information on the ultimate armor: CharityEngine's Advanced Fraud Protection.
There you are, logging into your CRM to check recent transactions. You see a huge increase in donations, but with rising alarm, you note that most of them are for $5. You know that’s a hallmark of thieves testing stolen credit cards, and with dismay, you notice that some of those transactions were approved. You, and the innocent cardholder, have been the victims of a fraud attack.
No matter what it looks like, being the victim of a fraud attack is scary and can have significant consequences.
CharityEngine has been keeping nonprofits safe from fraud attacks since 2010. We’ve shared some best-practices advice about nonprofit fraud, but today we want to get a little more specific and delve into the fraud protection we offer CharityEngine clients.
If you’re not a client, keep reading. We might just change your mind!
Before Advanced Fraud is Enabled
Let’s say you aren’t a client or you haven’t yet gotten our Advanced Fraud upgrade. There are still some steps you can take to keep your nonprofit safe from fraud. This is the list of five dos and don’ts we share:
- Always require the CVV code when accepting transactions. If the donations are being entered by a bot that’s testing credit cards, no one will respond with the code, and you will deny the transaction before any harm is done.
- Don’t refund! Rarely would a legitimate donor ask for a refund: this request should be a red flag! Fraudulent tricks include making a large donation via a fake check, then requesting a partial refund.
  This scam also happens with credit cards. A donation is processed, and then the donor files a chargeback and requests a refund. The donor can then collect the chargeback and the refund! When a refund is requested, ask in writing if a chargeback has been requested. If so, don’t issue a refund.
- Do be careful of international donations. These aren’t under U.S. jurisdiction, and that makes them easy vehicles for fraud. You can have a separate web page for international donations to police them more carefully.
- Do ask for large sponsorship donations to be made ahead of time. This allows the check to clear if someone has procured a large table at a gala or premier sponsorship of an event. Honest donors won’t mind if you explain it’s standard practice to prevent fraud.
- When you do identify transactions that appear to be fraudulent, add the email addresses and IP addresses associated with the transactions to the blacklist. This will allow you to avoid sending your donation forms or other notices to bad actors by email and will prevent further transaction attempts from the blocked IPs.
We remind clients that fraudsters can change their IP and email addresses often. Identifying them can be a time-consuming process if you’re investigating more than five attempts at a time. This is where CharityEngine’s Advanced Fraud Protection will provide the best time savings and impact!
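Because testers rotate IP and email addresses, counting attempts per address misses a run that a form-wide count catches. The sketch below is an added example, not CharityEngine's code: the record layout, thresholds, and function name are assumptions, and the transactions are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, ip, email, amount, cvv_supplied)
SAMPLE = [
    ("2024-01-05T09:15:00", "198.51.100.20", "donor@example.org", 50.00, True),
    ("2024-01-05T10:00:05", "203.0.113.7", "a1@example.com", 5.00, False),
    ("2024-01-05T10:00:40", "203.0.113.7", "a2@example.com", 5.00, True),
    ("2024-01-05T10:01:10", "203.0.113.99", "a3@example.com", 5.00, True),
    ("2024-01-05T10:02:00", "198.51.100.44", "a4@example.com", 5.00, False),
    ("2024-01-05T10:03:00", "192.0.2.10", "big@example.org", 250.00, True),
    ("2024-01-05T14:30:00", "192.0.2.55", "small@example.net", 5.00, True),
]


def find_card_testing(rows, probe_max=5.00,
                      window=timedelta(minutes=10), burst=3):
    """Return (ips, emails) seen in bursts of probe-like attempts.

    An attempt is probe-like when the amount is at or below probe_max
    or the CVV was not supplied. Attempts are counted across the whole
    form, not per address, so a run spread over rotating IPs still trips
    the threshold. All thresholds here are assumed values to tune.
    """
    suspects = sorted(
        (datetime.fromisoformat(ts), ip, email)
        for ts, ip, email, amount, cvv in rows
        if amount <= probe_max or not cvv
    )
    ips, emails = set(), set()
    start = 0
    for end, (ts, _, _) in enumerate(suspects):
        # Slide the left edge until the window spans at most `window`.
        while ts - suspects[start][0] > window:
            start += 1
        if end - start + 1 >= burst:
            for _, ip, email in suspects[start:end + 1]:
                ips.add(ip)
                emails.add(email)
    return ips, emails


if __name__ == "__main__":
    blocked_ips, blocked_emails = find_card_testing(SAMPLE)
    print("IPs to review for the blacklist:", sorted(blocked_ips))
    print("Emails to review for the blacklist:", sorted(blocked_emails))
```

The isolated $5 gift at 14:30 and the $250 gift made during the run are left alone; only addresses inside the burst become blacklist candidates.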
CharityEngine’s Advanced Fraud Protection
If the dos and don’ts DO give you a headache, and you’re a CharityEngine customer, you’ve got a patent-pending, practically priceless option right in front of you. Changes in technology mean we're constantly updating our offerings to be at the forefront of security.
Advanced Fraud Protection is the highest, most effective level of fraud protection there is. Only CharityEngine offers security tools specific to fundraising, built to respond to the attacks that are most likely to threaten our clients.
Standard anti-fraud practices and recommendations we offer include:
- Active monitoring of all online donations to check for suspicious activity
- Ensuring clients set a minimum donation amount (a $5 donation is surely testing a stolen card!)
- Having clients accept donations in set amounts
- Requiring donors to create an account and log in to donate
- Asking for credit card expiration dates and CVV codes
- Enabling address verification services
- Requesting donor email addresses for donor verification and tax forms
- Rejecting or holding donations suspected of being fraudulent
The benefits of using Advanced Fraud Protection are significant. This feature:
- Helps stop fraud attempts. The system identifies fraud runs before they hit the payment processor. Once the bot or human realizes the payment processor isn’t responding and the attempts to run the transaction are being blocked, the fraud stops.
- Saves time. Reducing the number of attempts during an attack means fewer transactions to review and avoids the need to add IP and email addresses to the blacklist.
- Saves money. Transaction fees are assessed on a payment, whether the card is declined or not. By identifying and stopping fraudulent activity before it hits the payment processor, you avoid having to pay these transaction fees.
- Gives you flexibility. You can enable or disable it at the form level; you may not need it on a temporary form, such as one for an event.
CharityEngine’s Advanced Fraud Protection is a suit of armor for your nonprofit. Not only does the technology protect you from fraud, but you have our teams working overtime to keep you safe.
If you have this protection enabled and you’re wondering how to access it, we’ve created a step-by-step guide for clients.
What’s The Risk?
You might be thinking you’re pretty safe. You’re not some gigantic, widely known nonprofit that could attract scammers.
You’d be so wrong.
By your nature, by our advice, by what everyone will ever tell you about running a nonprofit, you’re going to make it easy to give. This makes you vulnerable.
So, you might think, if stolen cards are being tested on my nonprofit, they’re not stealing from me, they’re actually donating a couple of dollars and then using the stolen card elsewhere. Do I really have to worry about all this advanced protection?
Indeed! Here is how fraudulent activity can hurt your nonprofit:
- Chargeback fees will be assessed on the nonprofit when the bank realizes they must return money to a donor. These can add up very quickly and hurt your bottom line.
- Credit card processors can freeze or even terminate your ability to accept donations. Many things can trigger this, including evidence of fraud or excessive chargebacks. If it’s GivingTuesday and your ability to accept payments is frozen, you will miss significant revenue.
So clearly, focusing on fraud protection helps your nonprofit in many ways.
And while we are on the subject…
In addition to minimizing threats, CharityEngine’s Gateway Failover protects you from inoperability caused by payment processors, whether intended or accidental. A true insurance policy against gateway interruption, Gateway Failover automatically and seamlessly rolls over to a secondary gateway if the first ever goes down for any reason.
CharityEngine is the partner nonprofits need to avoid being the victim of a fraud attack. If you’d like to “turn on” advanced protection, contact your account manager and request it. If we’ve piqued your interest in how safe you feel when you’re a CharityEngine client, ask to see our software in action.