How Nonprofits Can Keep Donors Safe by Preventing Credit Card Fraud
How to Take Action Now to Help Donors Avoid Credit Card Fraud
It goes without saying that donations power nonprofits. Without them, your organization would not be able to function. For this reason, it is important to approach the donation collection process carefully, especially when you are collecting those donations online.
As a nonprofit, your organization needs to take measures to protect itself from credit card fraud. Whether it is securing your donors’ data or taking steps to prevent scams that target your organization, it is your responsibility to make sure safety measures are in place.
Here's what you need to know about protecting your organization and your donors from fraud.
Common Nonprofit Donation Scams
Although you might consider your nonprofit different than a business when it comes to accepting donations and processing that income, your organization faces many of the same fraud risks as a for-profit company.
Handling people’s credit card information will open you up to being targeted by hackers, scam artists, and identity thieves, and it does not matter to fraudsters that you are a charitable organization. In fact, nonprofits are often targeted specifically because they sometimes neglect payment security measures that businesses use as second nature.
Let’s review two common scams that nonprofits should look out for.
ACH fraud: More and more, nonprofits are encouraging donors to give via ACH (automated clearing house) payments. Also called direct debit payments, ACH payments are an alternative to credit card payments that remove money directly from an individual’s bank account.
Here are a few reasons why nonprofits might prefer ACH payments from donors:
- Lower overhead. There are fewer fees associated with processing ACH payments than with credit card payments. When you conduct an ACH transaction, your organization incurs a single flat fee. When a donor gives with a credit card, you are charged a flat fee and a percentage of the transaction, both of which vary based on the type of credit card used.
- Convenience. All you need to conduct an ACH payment is an individual’s bank account routing number. Nearly everyone has a bank account, but not all people use credit or debit cards. When soliciting donations, it is important to appeal to as many potential donors as possible, so it makes sense to accept payments via a medium most people can use.
- Recurring donations. ACH payments are especially popular with nonprofits because they can easily be used to set up a recurring donation schedule. Because of their low overhead and convenient setup, many nonprofits are now encouraging recurring donors to give via ACH payments.
However, because nonprofits are increasingly using ACH payments to fundraise, scammers have taken note. Fraudsters can steal an individual’s bank account routing number through phishing or database hacking. This is how the scam plays out:
- First, they will make a large donation using the stolen routing number.
- The next day, they will contact your organization and insist that the donation was an error. For example, they might say they intended to donate $10.00 but accidentally wrote $1000.00, or say that they did not authorize a donation at all.
- After making their claim, they will request a refund to a credit card or via check.
- Then, they will also contact the bank associated with the routing number and state that the nonprofit withdrew an unauthorized donation, requesting a refund.
Now they have doubled the amount of the fraudulent refund. Because it can yield such high returns, nonprofit ACH scamming has become more popular with online thieves, and you need to take note of it when protecting your organization against fraud.
Donation form fraud: This is a type of online theft that specifically targets nonprofits. Many scammers use online donation forms to test out stolen credit card numbers. Because some nonprofits prioritize ease of use over cybersecurity when creating donation forms, they inadvertently make it easier for thieves to test multiple stolen numbers in quick succession.
Similar to ACH fraud, donation form fraud involves requesting refunds for false donations made by the scammer. The con typically plays out like this:
- First, thieves will use your donation form to verify the validity of the card number they have stolen. They might attempt dozens of small donations using different cards; once one goes through, they know they can use it to complete their scam. This process is known as card tumbling.
- Next, they will make a false donation and request a refund in the same way an ACH fraudster would.
What mainly differentiates donation form fraud from ACH fraud is that it is easier to spot before it happens, but can cost you more if a thief slips through the cracks. After the refund is processed, you will be hit with a chargeback fee once the bank realizes that the transaction was fraudulent.
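The card-testing pattern described above (many small donations with different cards in quick succession) can be detected from donation-attempt logs. The following is an added example, not code from the original article; the record layout, thresholds, and sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_DISTINCT_CARDS = 3           # assumed limit of distinct cards per source
SMALL_AMOUNT = 5.00              # assumed ceiling for a "test" donation, in dollars

# Constructed sample attempts: (ISO time, source IP, card token, amount, approved)
ATTEMPTS = [
    ("2024-03-01T10:00:00", "203.0.113.7", "tok_a", 1.00, False),
    ("2024-03-01T10:00:40", "203.0.113.7", "tok_b", 1.00, False),
    ("2024-03-01T10:01:15", "203.0.113.7", "tok_c", 2.00, False),
    ("2024-03-01T10:02:05", "203.0.113.7", "tok_d", 1.00, True),
    ("2024-03-01T10:03:00", "198.51.100.20", "tok_e", 50.00, True),
    ("2024-03-01T10:30:00", "198.51.100.20", "tok_e", 25.00, True),
    ("2024-03-01T11:00:00", "203.0.113.7", "tok_d", 900.00, True),
]

def find_card_testing(attempts):
    """Return alerts for card-testing bursts and for later large
    donations made with a card that appeared in such a burst."""
    recent = defaultdict(deque)   # ip -> (time, card) of recent small attempts
    tested_cards = set()          # cards seen in a flagged burst
    alerts = []
    for ts, ip, card, amount, approved in sorted(attempts):
        when = datetime.fromisoformat(ts)
        if amount > SMALL_AMOUNT:
            # A large approved donation on a previously tested card is the
            # one most likely to be followed by a refund request.
            if approved and card in tested_cards:
                alerts.append(("review_before_refund", ip, card, amount))
            continue
        window = recent[ip]
        window.append((when, card))
        while when - window[0][0] > WINDOW:   # drop attempts outside the window
            window.popleft()
        cards = {c for _, c in window}
        if len(cards) > MAX_DISTINCT_CARDS:
            tested_cards |= cards
            alerts.append(("card_testing", ip, card, amount))
    return alerts

if __name__ == "__main__":
    for alert in find_card_testing(ATTEMPTS):
        print(alert)
```

The card tokens stand in for whatever card identifier your payment processor returns; the detector never needs the full card number.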
Ways to Prevent Credit Card Fraud
Although thieves might target your nonprofit for payment fraud, that does not mean you have to be a sitting duck. There are measures you can take to avoid becoming a victim, and, if you take security seriously, you will protect your organization and your donors.
Here are a few core strategies to prevent thieves from successfully targeting you.
Make sure donors have access to the card they are using.
Most credit card thieves do not have on hand the credit card whose number they have stolen. However they gained access to the card number, more often than not they know very little about the cardholder or the card. For this reason, your organization can usually weed out fraudulent donations by making it harder to use card numbers illegally:
- CVV2 verification. A card’s CVV2 number is the short code found on the back of a credit card. Require that online donors input this number when entering their card information, and you will likely eliminate fraudsters who do not have access to the code.
- Address verification (AVS). AVS verifies a donor’s billing address with the address his or her bank has on file. This can be done in seconds, and if the thief does not know the correct address, he will not be able to proceed with the scam.
Verify the cardholder’s identity.
Another way to make it harder for scammers to successfully target your organization is to require that donors verify their identity before completing a transaction. Here are a few steps you can take to verify a donor’s identity:
- BIN/IP address verification. Included in every card number is information identifying the cardholder’s bank, called the Bank ID Number (BIN). When processing a donation, compare the region of your donor’s IP address against their BIN. If the IP address places the donor in a different country than the bank identified by the BIN, this could be a red flag.
- 2-factor authentication. You can also confirm a donor’s identity using a 2-factor authentication process. Before completing a donation, the user will have to confirm their identity via SMS or another communication platform.
Make your donation form more sophisticated.
Many nonprofits shy away from using sophisticated donation forms online because they do not want to make it harder than they have to for donors to complete a donation. However, the more simplistic your donation form, the more likely it will be exploited by scammers. You can make your donation form more secure by using these two strategies:
- Require a minimum transaction amount. To prevent refund fraud tactics, you can require a minimum donation amount before completing a transaction. This might seem counter-intuitive, but most donors usually give more than $15 when they donate. If you do not accept small donations, you will not miss out on much.
- Use encryption/tokenization. With encryption and tokenization, donors’ payment information is turned into a code that only your payment processor can read. If thieves hack your data, they will not be able to extract a donor’s information.
Note: fraud prevention and protection strategies evolve quickly to counter advances made by online scammers. Don’t content yourself with the security measures that work now. Think of fraud protection as a continuous process that you can always improve.
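The per-donation checks described above (CVV2, AVS, BIN/IP country comparison, and a minimum amount) can be combined into a single screening step that runs before a donation is accepted. This is an added example, not code from the original article; the field names, the BIN table, the sample donations, and the choice of which failures reject versus send to manual review are assumptions.

```python
MIN_DONATION = 15.00  # dollars; the floor mentioned in the article

# Constructed BIN table: first six card digits -> issuing bank's country.
# In practice this lookup comes from your payment processor or a BIN database.
BIN_COUNTRY = {"411111": "US", "520000": "CA", "400000": "GB"}

def screen_donation(d):
    """Return (decision, reasons); decision is 'accept', 'review' or 'reject'.

    `d` uses hypothetical keys: amount, card_bin, ip_country, plus
    cvv_match and avs_match as booleans reported by the payment processor.
    Only the BIN is needed here, never the full card number.
    """
    reject, review = [], []
    if d["amount"] < MIN_DONATION:
        reject.append("below minimum donation")
    if not d["cvv_match"]:
        reject.append("CVV2 mismatch")
    if not d["avs_match"]:
        reject.append("AVS billing address mismatch")
    issuer = BIN_COUNTRY.get(d["card_bin"])
    if issuer is None:
        # Unknown issuer: do not silently pass, send to a human.
        review.append("unknown BIN")
    elif issuer != d["ip_country"]:
        # The article calls this a red flag, so review rather than reject.
        review.append(f"card issued in {issuer}, donor IP in {d['ip_country']}")
    if reject:
        return "reject", reject + review
    if review:
        return "review", review
    return "accept", []

# Constructed sample donations.
SAMPLES = [
    {"amount": 50.0, "card_bin": "411111", "ip_country": "US",
     "cvv_match": True, "avs_match": True},
    {"amount": 100.0, "card_bin": "400000", "ip_country": "US",
     "cvv_match": True, "avs_match": True},
    {"amount": 1.0, "card_bin": "999999", "ip_country": "US",
     "cvv_match": False, "avs_match": False},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(screen_donation(sample))
```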
Choose a Reliable Payment Processor
Now that you know more about the types of fraud threats your nonprofit may face and how to prevent fraud from occurring, there’s one more thing you need to know: how to choose a reliable payment processor.
Payment processors are online platforms that facilitate transactions.
If your organization already collects donations online, you definitely have one. However, if you do not currently accept donations online, or if you are not sure the platform you use is a good fit, it is always helpful to consider what to look for in a reliable payment processor.
Just as you would carefully consider any other software your nonprofit uses, you need to know what to expect from your payment processor. Here are some of the most important fraud protection attributes you should look for in a payment processor:
- PCI compliance. PCI compliance refers to a set of Payment Card Industry safety standards that all reputable payment processors must meet. If your payment processor does not satisfy these standards, both your organization and the platform can face significant fines and legal liability.
- Data portability. Whatever data your platform saves on your nonprofit and your donors should be portable, meaning that you have the ability to transfer your donor data to a different platform if you choose to leave. You do not want to be held hostage to a platform that you might outgrow, or lose all your data if the platform is compromised.
- Round-the-clock security assistance. Your platform should support 24/7 security assistance that you can count on if an attempt at fraud is ever made on your site. You can put forward all the security measures in the world, but if you do not have a dedicated team to solve issues as they arise, you will still be vulnerable to fraud.
- They have experience with nonprofits. Experience with nonprofits is the most important feature to look for when choosing a payment processor. As discussed before, nonprofits are uniquely vulnerable to online fraud, and your payment processor should be cognizant of the threats your organization faces.