The nonprofit sector is increasingly relying on the convenience of online donations. However, with limited technical and financial resources, these organizations are stretched to provide adequate security in an area where criminals are becoming progressively more creative.
Online payment fraud can include donation form fraud, refund fraud and the theft of digital information for use in future criminal activity. While any of these scenarios is costly for nonprofits, data theft could be considered the most serious since it results in significant reputational damage. Unsurprisingly, 92% of donors say that it is important for nonprofits to protect information.
How do nonprofits combat payment fraud? The first step is learning about the most common scams and the signs you can use to spot them.
Donation Form Fraud
Donation form fraud, also called card-testing fraud, covers several forms of credit card fraud carried out through the nonprofit’s online giving form. Card testing is a technique fraudsters use to screen batches of card numbers, whether generated by scripts, stolen from cardholders or purchased on the dark web, before putting them to use.
Before bad actors use credit card information to make a fraudulent purchase, a basic test is done to see if the card number is real and if the card has already been reported stolen or otherwise blocked. Using the donation form, fraudsters will make hundreds of very small donations ($1 or less) with a sequence of cards. Once the real cardholder discovers the phony charges and files a chargeback (or claim with their credit card company), the real damage sets in.
First, the nonprofit pays the processing fees for each transaction, which clearly adds up with hundreds of card tests. Then, as the donations are refunded, organizations are hit again with reversal fees. Chargebacks are an additional expense and can cost between $15 and $100 per transaction, plus the cost of time and effort in refuting the chargeback. This process can go as far as arbitration and is similar to a legal suit. If a nonprofit incurs too many chargebacks over a certain period of time (as defined by its bank), it can face increased processing fees due to the additional risk it now poses, or worse, the loss of its merchant account.
Preventing Donation Form Fraud
Nonprofits are a target for this kind of card testing because they typically do not monitor or check card transactions in real-time and may not recognize the signs of fraud. Successful transactions are also more likely when less information is requested. In an effort to streamline donations, donation forms are often simplified and lack basic verification checks, such as address, zip code and credit card verification code (CVC). The good news is that there are several precautions that can help nonprofits prevent fraud:
1. Additional Form Fields
Increase the number of required form fields to include address, zip code and CVC — often found on the back of the card. These pieces of data can be used to verify a cardholder’s identity and make fraudulent donations more difficult.
2. Fraud Filters
Ask your payment provider to add specific fraud filters. For example, your payment provider can prevent automated form testing by setting donation minimums, as well as a maximum number of transactions from a single IP address, or block certain IP addresses altogether. Nonprofits can also choose to whitelist or block transactions based on the country of origin, bank identification numbers (BIN), card numbers and email addresses.
3. Captchas
Include Captcha mechanisms on forms that ask donors to solve a puzzle or click certain items within a frame. Solving the puzzle is only part of the check: the technology also looks at mouse movements to tell whether they are erratic, as a human’s typically are, or uniform, like those of a script.
4. Compliant Payment Provider
Choose a payment provider that offers the latest payment security and one that will help you implement the Payment Card Industry Data Security Standard (PCI DSS) to achieve compliance — a requirement for all businesses that process payments. Ask if they protect payments using technologies such as tokenization and advanced authentication techniques, like 3D Secure 2.0.
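The fraud filters in item 2 can also be applied by the nonprofit on its own transaction export, not only by the payment provider. The following is an added example, not code from the article or from any provider, that runs a simple card-testing detector over a constructed set of donation-form transactions: it flags any source IP that pushes more than a set number of transactions or distinct cards through the form inside a short window, and shows which transactions a donation minimum would have rejected before authorization. The thresholds, window and sample records are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample donation-form transactions (not real data).
# Fields: timestamp, source IP, masked card (BIN + last 4), amount in USD, processor result.
SAMPLE_TXNS = [
    ("2024-03-01T10:00:01", "203.0.113.7", "411111******1111", 1.00, "approved"),
    ("2024-03-01T10:00:04", "203.0.113.7", "411111******2222", 0.50, "declined"),
    ("2024-03-01T10:00:07", "203.0.113.7", "411111******3333", 1.00, "approved"),
    ("2024-03-01T10:00:09", "203.0.113.7", "555555******4444", 0.75, "declined"),
    ("2024-03-01T10:00:12", "203.0.113.7", "555555******5555", 1.00, "declined"),
    ("2024-03-01T10:00:15", "203.0.113.7", "411111******6666", 1.00, "approved"),
    ("2024-03-01T11:30:00", "198.51.100.20", "411111******7777", 50.00, "approved"),
    ("2024-03-01T12:05:00", "198.51.100.21", "555555******8888", 25.00, "approved"),
]

# Assumed filter settings; tune them to the organization's normal donation pattern.
MIN_DONATION = 5.00            # donation minimum: blocks the $1-or-less test charges
WINDOW = timedelta(minutes=10)  # sliding window for per-IP velocity checks
MAX_TXNS_PER_IP = 5             # more transactions than this from one IP in WINDOW is suspicious
MAX_CARDS_PER_IP = 3            # more distinct cards than this from one IP in WINDOW is suspicious


def detect_card_testing(txns, window=WINDOW, max_txns=MAX_TXNS_PER_IP, max_cards=MAX_CARDS_PER_IP):
    """Return {ip: reason} for IPs whose activity inside one sliding window looks like card testing."""
    by_ip = defaultdict(list)
    for ts, ip, card, amount, result in txns:
        by_ip[ip].append((datetime.fromisoformat(ts), card, amount, result))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order so each event can start a window
        for i, (start, _, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            cards = {e[1] for e in burst}
            micro = sum(1 for e in burst if e[2] <= 1.00)        # $1-or-less charges
            declines = sum(1 for e in burst if e[3] == "declined")
            if len(burst) > max_txns or len(cards) > max_cards:
                findings[ip] = (f"{len(burst)} txns / {len(cards)} cards in {window}, "
                                f"{micro} micro-donations, {declines} declines")
                break  # one finding per IP is enough to act on
    return findings


def below_minimum(txns, minimum=MIN_DONATION):
    """Transactions a donation-minimum filter would have rejected before any authorization attempt."""
    return [t for t in txns if t[3] < minimum]
```

A flagged IP is a candidate for the provider-side IP block described above, and the declined share is a useful secondary signal since card testers expect many of their numbers to fail.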
Refund Fraud
Refund fraud is a type of fraud that is especially prevalent in the nonprofit sector. This happens when a fraudster makes a large donation and then shortly afterward — typically less than 24 hours later — contacts the nonprofit directly, saying they made a mistake and intended to make a much smaller donation. The fraudster will then ask for a refund of the difference to be routed to another account or via a different payment method. It later turns out that the original donation never clears, and the criminal pockets the refund. The goal of this fraud is to receive the refund before the donation goes through.
Refund fraud can be attempted using stolen credit cards or Automated Clearing House (ACH) payments. ACH is a popular method for recurring donations and costs less than credit card processing, making it an appealing option for nonprofits.
However, it is easy to steal routing and account numbers from paper checks and then use them to initiate a donation. In addition to requesting a refund from the nonprofit, fraudsters may also contact the bank associated with the routing number and state that the nonprofit withdrew an unauthorized donation, requesting a refund. As a result, scammers have effectively doubled the amount of the fraudulent refund, making nonprofit ACH scamming increasingly popular among online criminals.
Preventing Refund Fraud
The prevention of refund fraud first involves education so that officers and employees of the nonprofit are aware of the scam and know how to combat it. Receiving an unexpected, large donation may be exciting, but it also warrants further investigation. Employee training will be your first line of defense for this scam.
In addition, since there is potential for identity theft, have someone from the nonprofit call to thank large donors immediately. This will simultaneously alert someone if identity theft has occurred and confirm that the donation is coming from a real donor.
Nonprofits should also insist that refunds can only be issued once the original funds have cleared. Institute policies that prevent rapid refunds and only issue refunds using the same payment method that was processed for the donation. Your payment provider can help here as well by only allowing refunds to be credited to the original payment method. This way, the fraudster can’t siphon funds into another account.
Other precautions include setting a maximum donation amount so that anything larger is flagged and held rather than processed immediately. Never give out your account information to accept an incoming ACH transaction; instead, originate the transfers yourself.
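The refund rules above (funds must have cleared, no rapid refunds, same payment method only, large donations held for verification) are easy to encode so that staff get a consistent answer instead of judging each request under pressure. The following is an added example, not code from the article, that evaluates a refund request against those rules and replays the scenario the article describes: a large ACH donation followed within a day by a request to refund "the difference" to another account. The hold period, review threshold and sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not figures from the article.
REFUND_HOLD = timedelta(days=3)   # no rapid refunds: give the original funds time to clear
LARGE_DONATION = 5_000.00         # anything above this is held for a verification call


@dataclass
class Donation:
    donation_id: str
    amount: float
    method: str           # "card" or "ach"
    status: str           # "pending" (not yet cleared) or "settled"
    received_at: datetime


@dataclass
class RefundRequest:
    donation_id: str
    amount: float
    destination: str      # "original", or another method/account the requester names
    requested_at: datetime


def needs_review(d: Donation) -> bool:
    """Large donations are held and verified with the donor before they are processed."""
    return d.amount > LARGE_DONATION


def evaluate_refund(d: Donation, r: RefundRequest):
    """Return (approved, reasons). Every failed rule is listed so staff can see why a request was blocked."""
    reasons = []
    if r.donation_id != d.donation_id:
        reasons.append("refund does not reference this donation")
    if d.status != "settled":
        reasons.append("original funds have not cleared")
    if r.requested_at - d.received_at < REFUND_HOLD:
        reasons.append("refund requested inside the hold period")
    if r.destination != "original":
        reasons.append("refund must go back to the original payment method")
    if r.amount > d.amount:
        reasons.append("refund exceeds the donation amount")
    return (not reasons, reasons)


# Constructed scenario: a large ACH donation that has not cleared, followed eleven hours
# later by a request to send most of it to a different bank account.
SCAM_DONATION = Donation("D-1001", 9_000.00, "ach", "pending", datetime(2024, 3, 1, 9, 0))
SCAM_REQUEST = RefundRequest("D-1001", 8_900.00, "other-bank-account", datetime(2024, 3, 1, 20, 0))
```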
Security is not a set-it-and-forget-it task. It is an ongoing effort that needs to be managed. The best defense is to consider security first when building systems and processes. Make use of all the technical standards, vendors and tools that exist to help minimize the potential for payment fraud. Teach your staff how to spot the signs of fraud when monitoring accounts and transactions. It’s your organization’s reputation and financial security on the line, as well as that of your donors.
The preceding post was provided by an individual unaffiliated with NonProfit PRO. The views expressed within do not directly reflect the thoughts or opinions of NonProfit PRO.
With more than 17 years of IT experience, Jeremy Smillie acts as vice president of development, security and operations for Exact Payments and is an expert in managing strict industry standards, such as SOC, PIPEDA, CCPA, NIST, SANS, CIS and more.
Early on in his payments career, Jeremy worked with the first company in Canada to roll out EMV payments at gas pumps and integrated payments for in-store sales. He also worked closely with merchants to help them become PCI-DSS certified shortly after the introduction of the standards. As a former entrepreneur of a successful software development company, Jeremy applies a proactive, ITIL-based approach to ensure IT always meets the needs of business.