Posted on August 13, 2020

Safeguarding Your Nonprofit from Fraud

While charities and nonprofits do so much good in our world today (and now more than ever use the web to empower their mission and garner support), there's a dark side of the web that aims to defraud the organizations that we know and love. Online credit card phishing and other data fraud are now more sophisticated than ever; here are some strategic ways to safeguard yourself from fraud.

According to LexisNexis Risk Solutions, there were 150 million attacks in 2018 Q1, which is an astounding 88 percent increase over the same time period the previous year. By the end of 2018, online businesses are expected to have been targeted by fraud that totals around $42 billion in chargebacks.

If your organization has not been targeted, consider yourself lucky (at least for now) and implement a security strategy as soon as possible to help you mitigate a future fraud event. If your organization has been targeted before, you could be targeted again by cyber criminals who will stop at nothing to evolve their automated phishing techniques. Tricia Phillips from Kount said it best: “Some people think we’ve been fighting credit card fraud forever and it’s surely been solved by now—but it’s not. It keeps evolving, and it gets harder and harder for online and mobile businesses to balance a good customer experience and their fraud rates.”

1. Safeguarding Your Donation Page

Cyber criminals are constantly scouring the internet for exposed checkout pages, donation pages, and web code. Why? Because they can exploit that data and wreak havoc: once they have gained enough credit card data, they very sneakily process low (often unnoticed) amounts against those cards until they can build up to a greater threshold of fraudulent charges. The A Group reports, "Fraudsters keep each card test small – usually less than $10 – so as not to raise any red flags. But even when consumers discover a small charge to a charity or nonprofit, they are less likely to report the activity or challenge the charge."

Creating a donation page that defends your donors' data is critical. Unsuspecting donors aren't aware of what happens when they enter their credit card info and other personal data into your donation page, but behind the scenes your organization is responsible for having a PCI-compliant website that methodically and securely authorizes their transaction. PCI compliance is governed by the PCI Security Standards Council, which was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. They share equally in governance and execution of the Council's work.

PCI Security Standards revolve around goals that include building and maintaining a secure network, encrypting card data upon transmission, and implementing strong security controls. These standards help to ensure that your donation page is safeguarded against cyber criminals.

2. Safeguarding Your Donors' Data

If your organization notices a sudden spike in varied donation activity, do not wait to inspect the validity of that activity. Fraudulent card activity often starts with illegal "card testing," where thieves use bots and scripts to run thousands of transactions within minutes to see which cards are active. Your organization should vigorously defend against any such activity by looking for common signals tied to those transactions. A typical signal is a large number of rapid card declines, which are often triggered by AVS (Address Verification Service) declines and missing CVV (Card Verification Value) info.

You can typically stem the tide of rapid card testing by adding a security step to the donation process, such as a CAPTCHA at checkout, or by blocking the incoming (fraudulent) IP addresses. When this type of event happens, you can also contact your payment gateway/processor and further lock down the card acceptance security controls for your merchant account (to further block the influx of fraudulent activity).
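The signals described above can be checked automatically against a gateway's transaction export. The following is an added example, not code from this article or from any payment provider; the field names, decline reason codes, and thresholds are assumptions chosen for illustration, and the sample transactions are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds and reason codes below are assumptions for illustration.
WINDOW = timedelta(minutes=5)      # card tests arrive "within minutes"
MIN_DECLINES = 5                   # declines from one IP inside the window
MIN_DISTINCT_CARDS = 3             # a donor retrying one card is not a card test
SMALL_AMOUNT = 10.00               # card tests are usually under $10
TEST_REASONS = {"avs_mismatch", "cvv_missing"}   # hypothetical gateway codes

def find_card_testing(transactions):
    """Return {ip: summary} for IPs whose recent declines look like card testing."""
    recent = defaultdict(deque)    # ip -> suspicious declines still inside WINDOW
    flagged = {}
    for tx in sorted(transactions, key=lambda t: t["time"]):
        if tx["status"] != "declined" or tx["reason"] not in TEST_REASONS:
            continue
        if tx["amount"] >= SMALL_AMOUNT:
            continue
        window = recent[tx["ip"]]
        window.append(tx)
        while tx["time"] - window[0]["time"] > WINDOW:
            window.popleft()       # drop declines older than the window
        cards = {t["card_last4"] for t in window}
        if len(window) >= MIN_DECLINES and len(cards) >= MIN_DISTINCT_CARDS:
            flagged[tx["ip"]] = {"declines": len(window), "cards": len(cards),
                                 "first_seen": window[0]["time"]}
    return flagged

def sample_transactions():
    """Constructed sample data; IPs are from documentation ranges."""
    t0 = datetime(2020, 8, 13, 9, 0, 0)
    def tx(ip, secs, card, status, reason=None, amount=2.00):
        return {"ip": ip, "time": t0 + timedelta(seconds=secs), "card_last4": card,
                "status": status, "reason": reason, "amount": amount}
    rows = [tx("203.0.113.7", 10 * i, f"{1000 + i}", "declined",
               "avs_mismatch" if i % 2 else "cvv_missing") for i in range(8)]
    rows += [tx("198.51.100.20", 30 * i, "4242", "declined", "cvv_missing", 5.00)
             for i in range(5)]    # one donor mistyping the same card
    rows.append(tx("192.0.2.44", 45, "7777", "approved", amount=50.00))
    return rows

if __name__ == "__main__":
    for ip, info in find_card_testing(sample_transactions()).items():
        print(f"{ip}: {info['declines']} declines on {info['cards']} cards; "
              "add CAPTCHA or block and notify the gateway")
```

Requiring several distinct cards keeps a single donor who mistypes the same card repeatedly from being flagged alongside the scripted traffic.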

Your donors are counting on you to ensure that their card data and personal data are secure and not exposed to thieves. In the event that you do have a data breach, make sure that you communicate fully with your donors about the breadth of the breach and what actions will be taken after the security incident.

3. Safeguarding Your Payment Processing Methods

As a nonprofit or church organization, you accept credit card and ACH transactions that are then authenticated, captured, and processed by your payment processor (and/or gateway). Although your organization is just accepting the payment, your payment processor can leave your organization open to fraud if they don't adhere to PCI DSS compliance guidelines.

For example, many credit card processors store card data on their own servers for use when a donor's card is recalled to process a recurring donation. This, in effect, can result in data exposure and can come back to hurt your organization (and your donors) simply because of your payment processor's method of processing.

Your organization should do thorough research when selecting a payment processing partner and ask for their AOC (Attestation of Compliance) to ensure that they truly are living up to the PCI Council's guidelines for compliance.

In conclusion, your organization must remain proactive in safeguarding from all forms of fraudulent activity. One security breach can unfortunately cripple your organization and damage your reputation with donors and constituents. If you're looking for a partner company to help safeguard you, Paperless Transactions is a PCI Level 1 provider with 22 years of company experience in leading nonprofits to a proactive strategy and plan to prevent fraud. Schedule a call with one of our experts today by clicking below.