Guest post by:
The credit card scam/fraud attempt that many nonprofits have experiences starts with a very large online gift from an unknown donor. Shortly afterward, an email arrives saying the amount was a mistake (e.g., $7,000 instead of $700) and asking for a refund of the difference to a different credit card. These attempts don’t cost nonprofits much in lost revenue, but can be a headache to clean up.
Another scam uses nonprofits’ websites to test stolen credit cards. Often card numbers are ‘stolen’ by a waiter or other service provider while the card is in his or her possession. The card holder has no idea that their card number has been compromised and so has not reported it stolen. S/he may not notice the extra charges until a statement arrives weeks later.
After that, scammers can manipulate the stolen card numbers to create other possible credit card numbers. The first six numbers identify the bank that issued the card and the last six identify the specific customer. Using a computer program, they generate thousands of new card account numbers, some of which will be valid.
A second source of credit card fraud comes from outright theft – primarily by hacking a popular website or retailer’s database. Scammers purchase these stolen credit card numbers for pennies on the dollar in the hopes that some will be valid.
This is where the nonprofits come in. Scammers will take their list of stolen or invented card numbers — sometimes containing thousands of names, addresses, and card numbers – and start making small “donations” to confirm that the card is valid. Using networked computers to automate their work, they can try thousands of numbers in a few hours. If they get that confirmation, they are ready to go shopping.
What are some of the giveaways that you’ve been hit?
· A large bump in volume of online donations. (For example, if you tend to get 40 gifts overnight, you may see 400 or even 4000.)
· Those gifts are typically for less than $5.
· The email addresses used for confirmation look suspicious – they are random combinations of letters and numbers, from an email provider that is free and easy to create accounts for. (AOL, Yahoo!, and Hotmail are all common.)
· The addresses of the “donors” are all in sequence, or all within the same zip code. This is a good indicator that your scammer purchased or stole a list and is using a subsection of it.
One way you can help protect credit card data is by beefing up the security measures on the back-end using your payment gateway. One of the best ways methods is to set up Address Verification Service (AVS). If your bank does not provide this service, consider using a payment gateway (e.g., Authorize.net, BluePay, iATS, etc.) to facilitate these transactions. Many offer this protection. AVS checks the street address and zip code of each card against the issuing bank’s data for that card. If either does not match, the card will be declines. Most scammers do not have the complete addresses of the card holders and will be unable to process any transactions.
Putting transaction filters on your payment gateway account offer a further layer of protection. One option is a velocity filter. A velocity filter limits the number of approved transactions that can be made in any given hour. If you typically see 10 transactions per hour on your website, setting a limit of 15 will allow your normal transactions to process but flag the extra charges. You can choose to decline these transactions automatically or hold them for manual review.
Another option some payment gateways offer to limit fraud attempts is to block specific IP addresses. Scammers often use a few computers at the same location to process transactions resulting in a few IP address linked to the bogus transactions. These IP address can be put on a blocked list, preventing them from using your website.
Another option is to set up front-end security measures. You can set up a minimum gift amount, such as $5 — which is more than most scam gifts. While this penalizes some online donors who want to donate just a dollar or two, many nonprofits find that they don’t have many legitimate donors who give less than $5 online.
Some organizations even go so far as to require a CAPTCHA or RECAPTCHA field in order for a donor to make a gift online. This type of verification essentially requires that a human being type in an ever-changing code in order to finalize a gift. However, this approach can cause donors who have difficulty reading the CAPTCHA or RECAPTCHA code to simply leave the page without donating.
In the end, every organization must carefully weigh the pros and cons of setting up front-end security that may confuse or frustrate donors, and balance their security needs with concerns related to donor relations.