Nonprofits: What To Do Now To Ward Off Fraudulent Donations
With respect to this giving season:
Online donation pages are designed to be easy for donors to use. Unfortunately, that also makes them easy targets for thieves seeking a place to test stolen credit card data by making false donations, hundreds of them in a flash. There is a seasonal upswing in online attacks on nonprofits. When you discover your donation site has been compromised, you feel vulnerable and not fully in control, and worst of all, you have to explain to your management and Board why this happened.
Here’s what can happen:
A thief purchases thousands of stolen credit card records on the internet and blasts that data at your website donation page, hoping some will succeed. Then, knowing which few credit cards actually worked, he goes off to another website and uses them again for a higher amount, perhaps this time for electronics or other items. The game is over when the cardholder’s bank notices the card has been used irregularly and cancels it. Thieves seem to start with small-dollar donations at nonprofits, under the banks’ radar for meaningful fraud transactions. They are hoping nonprofits are not as aware of their bank account activity and cash flow as for-profits are. Wrong assumption, but this is the mentality.
In retrospect, when you are tested with fraudulent donations, your online donation mechanism functioned fine; you simply didn’t set the controls on your gateway and donation page tightly enough. (A gateway is the online service that links a donation page to the merchant accounts. It’s also the place where current-day and historic donation data is stored for bank account reconciliation and statistical purposes.)
Before this happens to your organization, consider procedures to prevent and control future abuse (easily accomplished with the assistance of your merchant account and/or gateway vendors). Give careful forethought to implementing some, if not all, of these:
- Set a minimum dollar threshold on your gateway to preclude small bogus transactions (in recent cases, 7 cents or $1.03) from slipping through.
- Address verification service (AVS) must be enabled on your gateway. You want both the house number AND the 5-digit ZIP code of the cardholder to pass the AVS check used by the card brands before a card is successfully processed.
- Some well-regarded gateways allow you to block computer IP addresses in selected foreign countries. As an option you can set the gateway to reject all but those in the USA, if this is appropriate for your donor base.
- Ask your web developer to identify the thief’s IP address. Set the cart to recognize that IP address in the future and automatically direct him to a government website (like FBI.gov).
- Think about including a CAPTCHA or “I am not a robot” challenge-response test as well. You want a human to make a donation, and these block fraudulent robo-processing.
- Be sure donations are reported to multiple email boxes so at least one of your fellow staff will notice immediately if a vulnerability occurs. If staffers work outside of the office, be sure transaction notifications buzz on their cellphones. Thieves assume you are not watching and can work their mayhem on weekends and in the middle of the night.
- Some strong gateways use artificial intelligence and report to you anything that seems awry. They work 24x7x366. Be sure their warnings reach multiple staff cellphones at any time so you can heed them.
- Manually reverse every successful transaction that doesn’t belong to you via the gateway refund function (immediately!). Your fee for a chargeback (when a consumer declines a purchase by starting a documentary process with his bank to reverse the card transaction) is usually $25. Prevent being hit with $25,000 in chargeback fees if you receive 1,000 7-cent fraudulent transactions!
- If you have a concern, contact your merchant account salesperson immediately so he/she can advise you how to best notify the fraud experts of the online payment vendors you use. There are established fraud protocols that card processors and gateways follow.
- Finally, review your transactions at least daily, weekends included. Pay attention to which ones failed, look for patterns of odd transactions and report them immediately by phone, not via an online service ticket, for fastest servicing.
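As an added illustration of the daily review described above (not code from the author or from any gateway vendor), the sketch below scans a constructed transaction export for the patterns the list names: bursts from one IP address, mostly failed attempts, amounts under the minimum, and approvals that did not pass AVS. The CSV column layout, the thresholds and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample gateway export: time, source IP, amount (USD), result, AVS match
SAMPLE = """\
2023-12-02T03:14:01,203.0.113.7,0.07,declined,N
2023-12-02T03:14:03,203.0.113.7,0.07,declined,N
2023-12-02T03:14:04,203.0.113.7,1.03,approved,N
2023-12-02T03:14:06,203.0.113.7,0.07,declined,N
2023-12-02T03:14:09,203.0.113.7,0.07,approved,Y
2023-12-02T11:05:00,198.51.100.21,25.00,declined,Y
2023-12-02T11:06:30,198.51.100.21,25.00,approved,Y
"""

MIN_AMOUNT = 5.00                # assumed smallest donation the page accepts
BURST, WINDOW = 4, timedelta(minutes=5)   # assumed: 4+ attempts per IP in 5 minutes
MAX_DECLINE_RATIO = 0.5          # assumed: more than half of the attempts declined

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        ts, ip, amount, result, avs = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "amount": float(amount),
                     "approved": result == "approved", "avs": avs == "Y"})
    return rows

def review(rows):
    """Return {ip: {"reasons": [...], "refund": [amounts]}} for suspicious sources."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    report = {}
    for ip, txns in by_ip.items():
        txns.sort(key=lambda r: r["ts"])
        reasons = []
        # Burst: any BURST consecutive attempts that fit inside WINDOW.
        if any(txns[i + BURST - 1]["ts"] - txns[i]["ts"] <= WINDOW
               for i in range(len(txns) - BURST + 1)):
            reasons.append("burst")
        declined = sum(not t["approved"] for t in txns)
        if len(txns) >= BURST and declined / len(txns) > MAX_DECLINE_RATIO:
            reasons.append("high-decline-ratio")
        if any(t["amount"] < MIN_AMOUNT for t in txns):
            reasons.append("below-minimum")
        if any(t["approved"] and not t["avs"] for t in txns):
            reasons.append("approved-without-avs-match")
        if reasons:  # approved charges from a flagged source are refund candidates
            report[ip] = {"reasons": reasons,
                          "refund": [t["amount"] for t in txns if t["approved"]]}
    return report
```

The second address in the sample, a donor who retried once after a decline, is not flagged; only the burst of small charges is.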
I hope you never need to use these controls, after the fact. Heed this advice to tighten controls now, align with best-in-class service vendors who have your ongoing security top of mind, and ask them to help you become better protected. Nothing is foolproof but you need a procedure in place to be able to react quickly if this does indeed happen to your nonprofit.
_______________________________________________________
About Marc W. Halpert, LinkedIn Trainer and Evangelist
I am a “multi-preneur,” (www.linkedin.com/in/marchalpert) having started 3 companies, all of which I continue to operate. My latest business, connect2collaborate, spreads my LinkedIn and networking evangelism worldwide to train and coach others to better explain their brand and positioning on their LinkedIn profile pages:
- as an “evangelist” recognized by LinkedIn to help nonprofits cultivate talent pool, volunteers, boards, and corporate sponsors.
- as a corporate trainer for departments needing to know how to optimize LinkedIn for their responsible areas.
- as a coach helping professional practitioners in all industries use LinkedIn to better achieve their goals.
- as a high-energy speaker at conferences.
- as a volunteer coaching and teaching underemployed baby boomers to master new, better career objectives.
I blog daily on LinkedIn topics to encourage readers towards a more beneficial use of this amazing tool. I speak about LinkedIn at public events and private corporate sessions too.
I have authored two books on LinkedIn: the first, “LinkedIn Marketing Techniques for Law and Professional Practices,” was published by the American Bar Association and released in June 2017, and the second, “You, Us, Them, LinkedIn Marketing Concepts for Nonprofit Professionals Who Really Want to Make A Difference,” was released in June 2018. Both are on Amazon in paper and e-book. The second book also has a companion online e-course to complement it, available here.
Not for profit financial leader
Very practical tips. Forwarding this to the webmaster for Reaching for the Arts, the nonprofit I serve as Treasurer.