In the world of processing credit card payments, online fraudsters have been increasingly targeting nonprofit donation pages. On our network, we have seen one very sophisticated fraudster utilizing compromised IP addresses to test stolen credit card numbers on a number of client pages.
Not only does fraud waste the time of our clients’ teams, and of our own team – fraud also results in chargeback costs, and it muddies the data in our clients’ accounts. It can even weaken email sender reputation.
Detailed below is a brief overview of best practices for combating fraud. We based them on internal observations and researching fraud prevention tools that are being introduced.
At the time that a payment is processed, it’s the payment gateway (e.g. Worldpay, PayPal, Stripe, Moneris, etc.) — and not Engaging Networks — that possess the best information to determine whether a credit card number is valid. For example, the payment processor can know if the credit card number submitted was issued by a bank in the United States, United Kingdom, or a bank in another country. When this information is combined with the address information entered in the form, the payment processor can assess the level of risk. Your payment gateway is the best “line of defense” to prevent and/or minimize the impact of fraud.
Dealing with fraud
Engaging Networks has been dealing with fraudsters ever since we first started processing online transactions over a decade ago. We have continually modified our code base and defense mechanisms to get ahead of fraud issues as much as possible.
Typically the single most effective anti-fraud measure that our clients can implement on their donation pages is a sophisticated CAPTCHA challenge — which is easy to set up in your account.
Other mechanisms that we have implemented, including automated IP blocking, have been working well, protecting clients from countless sham transactions.
The most recent fraud activity, and specifically the use of a botnet of IP addresses, has prompted us to introduce another round of improvements in our fraud counter-measures.
New alert item in your account
You may have noticed in the notes for our most recent software release that we have exposed directly to our clients an “IP Block rejection alert.” We did this to allow internal teams to act quickly, possibly adding a CAPTCHA challenge to targeted donation pages.
We strongly recommend to all of our clients who process donations that they should make full use of these notification emails. Please add each email address that should receive the notification, under Hello YOURNAME > Account settings > Account emails. Add an email address to be the “Spam/Fraud Notification recipient”
In our recent release, we provided clients with a “Country Restriction” ruleset, enabling you to specify which countries should automatically display a CAPTCHA challenge. It’s a conditional feature that only appears on your donation pages when needed.
The system will detect the supporter’s country by noting their IP address as soon as they submit a page. You will decide which are the primary countries for which no CAPTCHA challenge will be displayed. Conversely, you can also decide which are the other problematic, higher risk countries for which a CAPTCHA challenge will be displayed, to deter fraud. Examples of countries that are higher risk (because they are often the location of IP addresses that are testing stolen credit card numbers) are Ukraine, Brazil, Romania, and China. Our new feature will make it easy for you to make the conditional CAPTCHA challenges appear on donation pages whenever someone from the designated “high risk” countries visits the page.
We want your feedback!
One item that we are considering at the moment is a proposed feature to ‘lock down’ base URLs. This feature would allow only the domains, set in Account Preferences, to load for the pages in the account. These base URLs are currently found under Account Settings > Account Preferences.
For example these URLs all load the same page:
We would appreciate feedback from you by emailing firstname.lastname@example.org. Specifically, we’d like to know if you are using multiple domains in Engaging Networks. If you are currently only using two domains (a Base URL and a Donation Base URL), then enabling this function in our next software release would not hamper the loading of pages.
BUT, if you are using many different domains (i.e. more than two), outside of these settings, then our proposed change might cause disruption. So we would like to know your current use cases.
You can trust that Engaging Networks will continue to be extremely vigilant in doing everything that we can to minimize the impact of fraud on our client community. If you have any questions, please do let us know.