The most common type of fraud in the industry is card testing: card thieves running stolen card numbers through non-profit payment pages to find out which ones still work. Every non-profit that maintains a public donation page will encounter this activity at some point, and we’ve written up answers to some common questions below.
1. What do fraudulent payments look like?
The most common fraudulent payments are small, typically $1-20. The cardholder name and address entered with them often look 'off' grammatically or are geographically inconsistent (for example, a donor address listed as Hong Kong, CA, or similar). These payments arrive in batches; most are declined by DonationPay’s and IATS’ fraud protection features, with a few attempts succeeding here and there. The exact information entered with each transaction is usually not identical, but the formatting is consistent across attempts.
While this kind of fraudulent payment is the most common, fraudulent payments come in all amounts and formats, and best practice is to refund any payment that looks at all suspicious to your organization. The DonationPay team is happy to be a second pair of eyes for any payments you’re not sure about; contact your account rep directly or email firstname.lastname@example.org.
2. How do these payments work and why do fraudsters make them?
Card thieves and card theft rings use publicly available non-profit payment pages to test stolen card numbers. They put through batches of small payments, hoping to escape the notice of each cardholder, to learn which card details are still valid enough to use for later theft. Fraud protection features on your account typically stop large automated attacks (where bots submit thousands of attempts at once), but as industry fraud-prevention features have improved, so has the savvy of these card thieves. Often, card numbers and details are now entered by hand, by workers in call centers, every few minutes; in every way this mimics the behavior of real donors, and it is difficult to stop entirely without also limiting your actual donors' access to your payment pages.
3. What happens when my organization gets fraudulent payments? What do DonationPay and IATS do?
DonationPay and IATS have fraud protection features running in the background on your donation pages; these features are adjustable, and your organization can decide to change them during a fraudulent payment attack. DonationPay can add a CAPTCHA to your page, set a minimum donation amount, tighten our IP blocker (which limits the number of payment attempts that can be made from a single IP address), or temporarily disable your page at your request. IATS has a suite of fraud protection features that can be activated in your account there, including the ability to block payments by country, among other tools. Behind the scenes, DonationPay and IATS always use industry best practices to combat fraud, including system-wide form obfuscation, CVV and address verification, suspicious IP detection and restriction, velocity checks and more.
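To make the velocity check and IP blocker described above concrete, here is an added example (not DonationPay’s or IATS’ own code) that runs two rules over a constructed log of donation attempts. The log format, the IP addresses, the thresholds and the function names are all assumptions made for the illustration. The first rule is a per-IP sliding-window velocity check, which catches the automated burst. The second looks for a run of small-amount attempts with a low approval rate across all IPs over a longer window, which is the kind of signal needed for the hand-entered attack that changes IP every attempt and stays under any per-IP limit.

```python
"""Card-testing detection over a constructed donation-attempt log (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "ISO-timestamp source-ip amount approved|declined".
# 192.0.2.x are ordinary donors, 203.0.113.7 is a bot burst, 198.51.100.x is a
# hand-entered run from a different IP every few minutes (all documentation ranges).
SAMPLE_LOG = """\
2024-03-01T09:12:00 192.0.2.10 50.00 approved
2024-03-01T09:40:00 192.0.2.11 100.00 approved
2024-03-01T10:00:00 203.0.113.7 2.00 declined
2024-03-01T10:00:20 203.0.113.7 3.00 declined
2024-03-01T10:00:45 203.0.113.7 1.00 declined
2024-03-01T10:01:10 203.0.113.7 5.00 approved
2024-03-01T10:01:30 203.0.113.7 2.00 declined
2024-03-01T10:02:00 203.0.113.7 4.00 declined
2024-03-01T10:02:20 203.0.113.7 1.00 declined
2024-03-01T10:02:50 203.0.113.7 3.00 declined
2024-03-01T11:05:00 192.0.2.12 25.00 approved
2024-03-01T13:00:00 198.51.100.21 5.00 declined
2024-03-01T13:04:00 198.51.100.22 10.00 declined
2024-03-01T13:09:00 198.51.100.23 1.00 declined
2024-03-01T13:13:00 198.51.100.24 7.00 approved
2024-03-01T13:18:00 198.51.100.25 2.00 declined
2024-03-01T13:22:00 198.51.100.26 5.00 declined
2024-03-01T13:27:00 198.51.100.27 3.00 declined
2024-03-01T14:30:00 192.0.2.13 250.00 approved
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    amount: float
    approved: bool


def parse_log(lines):
    """Parse the constructed log format into Attempt records, ignoring blank lines."""
    attempts = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, amount, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, float(amount), result == "approved"))
    return attempts


def ip_velocity_hits(attempts, max_attempts=5, window=timedelta(minutes=10)):
    """Per-IP sliding window: flag any IP with more than max_attempts inside `window`.

    This is the IP-blocker style rule; it stops bots but cannot see an attacker
    who uses a fresh IP for every attempt (assumed thresholds).
    """
    recent = defaultdict(deque)
    flagged = set()
    for a in sorted(attempts, key=lambda x: x.ts):
        q = recent[a.ip]
        q.append(a.ts)
        while q and a.ts - q[0] > window:
            q.popleft()
        if len(q) > max_attempts:
            flagged.add(a.ip)
    return flagged


def card_testing_windows(attempts, small_amount=20.0, min_attempts=6,
                         max_approval_rate=0.5, window=timedelta(hours=2)):
    """Across all IPs, flag windows of small-amount attempts with a low approval rate.

    Returns one (window_start, window_end, attempts, approved) tuple for each attempt
    that closes a qualifying window. Real donors also give small amounts, so the
    thresholds trade false positives against catching the slow, hand-entered run.
    """
    small = sorted((a for a in attempts if a.amount <= small_amount), key=lambda x: x.ts)
    hits, start = [], 0
    for end, a in enumerate(small):
        while a.ts - small[start].ts > window:
            start += 1
        chunk = small[start:end + 1]
        approved = sum(1 for x in chunk if x.approved)
        if len(chunk) >= min_attempts and approved / len(chunk) <= max_approval_rate:
            hits.append((small[start].ts, a.ts, len(chunk), approved))
    return hits


def analyze(lines):
    """Run the fast per-IP rule first, then the slow pattern rule on whatever it missed."""
    attempts = parse_log(lines)
    velocity_ips = ip_velocity_hits(attempts)
    remaining = [a for a in attempts if a.ip not in velocity_ips]
    return {"velocity_ips": velocity_ips, "slow_windows": card_testing_windows(remaining)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    print("IPs over velocity limit:", sorted(result["velocity_ips"]))
    for start, end, n, ok in result["slow_windows"]:
        print(f"small-amount run {start:%H:%M}-{end:%H:%M}: {n} attempts, {ok} approved")
```

On the constructed log the velocity rule flags only the bot IP; the seven hand-entered attempts, each from a different address, pass it untouched and are only caught by the second rule, which sees a run of small amounts where one in seven is approved. That second rule is also where ordinary small donors can be caught, which is the trade-off the FAQ describes: tightening these thresholds limits real donors as well.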
Your organization is responsible for managing any fraudulent activity that comes through your account, so if you notice this activity before hearing from DonationPay or IATS about it, take action immediately: adjust your fraud protection tools in your IATS account, and, if you don’t already have a CAPTCHA on your page, send a request to email@example.com and our team will add one.
Depending on how severe the attack is, DonationPay may temporarily disable the affected page; our team will notify you if this becomes necessary. We typically start by disabling a page for 15 minute intervals, but if fraudulent payment attempts continue, we may take the page down for 24 hours or more before reinstating it.
Depending on how severe the attack is, IATS may also temporarily suspend your merchant account. This measure is often required by IATS’ acquiring bank (First American Payment Systems), and you will receive an email notification beforehand outlining the steps you can take to prevent suspension. The suspension exists to protect your organization from the financial consequences of this kind of activity (chargeback fees, paying for thousands of declined payment attempts, etc.) and is not punitive. Suspensions are reversed as soon as you’ve taken the steps outlined in your IATS notification email (typically adding a CAPTCHA to your page, adjusting your fraud tool settings in the IATS gateway, and changing your account passwords).
Because both IATS and DonationPay will need to get in touch with your organization in the event of fraud, we recommend making sure the contact information we have on file is up to date. IATS will send email notification of fraudulent activity to the primary listed contact they have on file, so if your organization has had staff turnover since you opened your account, be sure to get in touch with IATS at firstname.lastname@example.org or 888 955 5455 to update the listed contact for your non-profit.
4. My organization has received some payments that look suspicious. What do I do?
- Refund any payments that look potentially fraudulent, as soon as possible. Because these payments are made with stolen card numbers, a cardholder who notices an unapproved transaction on their card will file a chargeback, which carries a $35 fee to your organization. Refunding the payment immediately protects you from having to pay that fee.
- Adjust your fraud-protection tools. If you do not already have a CAPTCHA on your DonationPay page, request our team add one by emailing email@example.com. Log in to your IATS account and adjust fraud protection settings there. If you need assistance configuring the fraud protection settings in your IATS account, contact the IATS team at firstname.lastname@example.org or 888 955 5455.
5. When I try to refund a fraudulent payment, I get a message that says 'the refund has been rejected by the bank.' What do I do?
If you get this message when you try to refund a payment you suspect is fraudulent, the payment has likely already been caught and rejected by IATS. This happens occasionally when their system initially approves a payment when we submit it, but afterward identifies it as part of an ongoing fraud attempt. If you get this message, typically no further action is necessary, but we do suggest logging into your IATS account to confirm the payment is listed as rejected.
6. Fraudulent payments have stopped on my account. How do I report this activity?
Sadly, law enforcement and regulatory agencies don't offer an actionable reporting option for this kind of activity. To report credit card fraud, you have to track down the issuing bank of each card individually and report it to that bank, which is virtually impossible without a correct cardholder name and full card number. This places the burden of reporting the theft on the affected cardholder, which card thieves know very well, and which has allowed this kind of fraud to proliferate in the industry. DonationPay does report macro-level details on fraud to relevant regulatory bodies, by sharing the general level of fraudulent activity we're seeing through our system (X number of fraudulent transaction attempts in the first and second quarter, etc.), and we are always pushing for updated protocols on how to report this kind of fraud more effectively.
7. My organization keeps getting fraudulent payments. Why can’t we stop them entirely?
If your organization maintains a public donation page, you will eventually be targeted by card thieves testing card numbers through that page. It is unavoidable in the industry and all providers like DonationPay and IATS take a harm-reduction approach, since complete eradication is not an option. Locked doors and a good alarm system make it more difficult for burglars to break into your home, but cannot stop them from trying; it’s the same with fraud protection features on your donation forms and merchant account. Fraud protection features make it more difficult for card thieves to successfully test stolen card info, but cannot stop them entirely from trying.
8. My organization has received a lot of fraudulent payments lately; does this mean our donor data is not secure? Can these fraudsters steal our donor’s information or card numbers?
No, receiving fraudulent payments through your donation page does not mean your data has been compromised in any way. The card numbers being tested were stolen elsewhere; the thieves are using your page as a place to test them, not taking anything from it. While this kind of activity is frustrating to manage, it does not represent a data breach.
9. I have more questions!
We’re here to answer any questions you have about fraudulent activity and your DonationPay account; just drop us a line at email@example.com or contact your account rep directly.