Watch out for card testing fraud in online donation forms
Last month the MNA online donation form saw an uptick in activity – unfortunately, not all of it was welcome. Our database alerted us to an unusual number of failed transactions. When we investigated what was going on, we discovered that each of the failed transactions was for a very small amount – $1 or $2. That’s weird for MNA, since we don’t usually solicit small individual donations. It turns out MNA had become a target of card-testing fraud. Luckily, our payment processor flagged most of the transactions and implemented some automatic spam prevention steps.
According to an article from Funraise, this fraud does not usually take the form of big donations. “More commonly, a list of stolen credit card numbers is run at high rates against a donation form so that fraudsters can test each card.” Since the owners of the stolen card numbers are less likely to notice or report small inconsistencies on their statements, fraudsters will typically do this in super small amounts.
It’s important to note that this does not mean your database has been breached or that your data is at risk. The fraudster is not trying to break into your system and steal your organization’s information. Instead, they are just using your donation form to check which of the card numbers they already hold are still active, so those cards can be used for larger fraudulent charges elsewhere.
How to spot it
If your organization is a victim of this kind of scheme, it’s important to contact your bank and your payment processor immediately. You’ll have to refund any fraudulent donations, and your organization could be on the hook for chargebacks and fees. MNA is reporting our fraudster (“Sebastian Albright”, if you’re reading this, go kick rocks) to the FBI.
To spot this kind of fraud, keep an eye on your payment processing system. Watch for suspicious activity, such as a burst of unusually small donations, or many failed transactions in a short period from the same name, email address or IP address.
How to prevent fraudulent transactions
The reality is that it’s impossible to always prevent fraud in online transactions, but there are some things you can do that will help:
- Add a captcha to your online transaction forms to prevent bots from using the form.
- Enable a minimum donation amount of at least $5.
- Edit your donation form to require more information, like full address and contact info.
- If you notice several failed transactions from the same IP address, block it until you can confirm it’s a real person.
- Check your database/donation form settings for the spam prevention section (you should be able to limit the number of transactions per day from one account or IP address).
- Reach out to your payment processor or database help team – they might be able to offer additional support.
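As an added illustration (not MNA’s code or any payment processor’s), here is how the warning signs above – a burst of $1–$2 attempts, mostly failing, from one IP address or email, plus the per-day cap from the checklist – could be checked against a transaction export in Python. The records, field names and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real MNA data): eight $1/$2 attempts from one IP
# in a few minutes, mostly declined, mixed with three ordinary donations.
BOT_ROWS = [
    {"time": f"2024-03-04T02:{10 + i:02d}:00", "ip": "203.0.113.7",
     "email": f"user{i}@example.net", "amount": 1.00 + (i % 2),
     "status": "approved" if i == 3 else "failed"}
    for i in range(8)
]
LEGIT_ROWS = [
    {"time": "2024-03-04T09:15:00", "ip": "198.51.100.20", "email": "donor1@example.org", "amount": 50.00, "status": "approved"},
    {"time": "2024-03-04T11:40:00", "ip": "198.51.100.21", "email": "donor2@example.org", "amount": 25.00, "status": "failed"},
    {"time": "2024-03-04T12:05:00", "ip": "198.51.100.21", "email": "donor2@example.org", "amount": 25.00, "status": "approved"},
]
SAMPLE_TRANSACTIONS = BOT_ROWS + LEGIT_ROWS


def flag_card_testing(transactions, key="ip", window=timedelta(hours=1),
                      max_attempts=5, small_amount=5.00, min_fail_rate=0.5):
    """Return {value: summary} for each IP (or email) whose densest one-window burst
    has more than max_attempts charges, nearly all below small_amount, and mostly failing."""
    by_key = defaultdict(list)
    for t in transactions:
        by_key[t[key]].append(t)
    flagged = {}
    for value, rows in by_key.items():
        rows.sort(key=lambda r: r["time"])  # ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(r["time"]) for r in rows]
        best, lo = [], 0
        for hi in range(len(rows)):  # two-pointer sliding window over sorted times
            while times[hi] - times[lo] >= window:
                lo += 1
            if hi - lo + 1 > len(best):
                best = rows[lo:hi + 1]
        if len(best) <= max_attempts:
            continue  # a handful of attempts is normal donor behaviour
        small = sum(r["amount"] < small_amount for r in best)
        failed = sum(r["status"] == "failed" for r in best)
        if small / len(best) >= 0.8 and failed / len(best) >= min_fail_rate:
            flagged[value] = {"attempts": len(best), "failed": failed,
                              "first": best[0]["time"], "last": best[-1]["time"]}
    return flagged


def over_daily_limit(transactions, key, value, day, limit=10):
    """Per-day cap from the checklist: True once `value` has made `limit` attempts on `day` (YYYY-MM-DD)."""
    return sum(1 for t in transactions if t[key] == value and t["time"].startswith(day)) >= limit
```

Run `flag_card_testing` with `key="email"` as well: a tester that rotates a fresh email per card only shows up when you group by IP, which is why the checklist suggests limiting both.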
We offer this information to show that this can happen to any nonprofit – we don’t have a clue what brought this spammer to the MNA donation form, and he was able to take advantage of some of these vulnerabilities that we didn’t even know existed. Cybersecurity has been top of mind for us for the last few months, and this just goes to show that there is always more we can learn and share with our members.
At the end of the day, though, we feel like we won after signing Sebastian up for as many shopping website emails as we could. Enjoy wading through your inbox, sir.
- What is online transaction fraud? – article by Funraise
- Fraudulent Transactions – Neon One help article
- How to prevent credit card testing fraud on your donation form – MembershipWorks
- How nonprofits can prevent card-testing fraud – Property Casualty 360
- FBI Internet Crime Complaint Center
- MNA Cybersecurity partners