In the world of credit card payment processing, online fraudsters have been increasingly targeting nonprofit donation pages. On our network we have seen one very sophisticated fraudster using a large pool of compromised IP addresses to test stolen credit card numbers on a number of client pages (so-called card testing: submitting many cards for small amounts to learn which ones still work).
Fraud does not just waste the time of our clients’ teams and of our own team: it also results in chargeback costs, and it muddies the data in our clients’ accounts. It can even weaken your email sender reputation, because each bogus submission triggers a receipt or thank-you email to an address that will bounce or be reported as spam.
Below is a brief overview of best practices for combating fraud, based on our internal observations and on our research into the fraud prevention tools now being introduced.
At the time a payment is processed, it is the payment gateway (e.g. Worldpay, PayPal, Stripe, Moneris), and not Engaging Networks, that possesses the best information to determine whether a credit card number is valid and whether the transaction looks risky. For example, from the first few digits of the card number (the bank identification number, or BIN) the gateway knows whether the card was issued by a bank in the United States, the United Kingdom, or another country. When this is combined with the billing address entered in the form (address verification, or AVS), the gateway can assess the level of risk and decline mismatches. Your payment gateway is therefore the best “line of defense” to prevent or minimize the impact of fraud, so check that the fraud-screening rules it offers (AVS, CVV checks, velocity limits) are actually enabled on your account.
Dealing with fraud
Engaging Networks has been dealing with fraudsters ever since we first started processing online transactions over a decade ago. We have continually modified our code base and defense mechanisms to get ahead of fraud issues as much as possible.
Typically the single most effective anti-fraud measure our clients can implement on their donation pages is a sophisticated CAPTCHA challenge, which is easy to set up in your account. Card testing is automated, so anything that forces a human interaction before the card is submitted removes most of the attacker’s throughput.
Other mechanisms that we have implemented, including automated IP blocking, have been working well, protecting clients from countless sham transactions.
The most recent fraud activity, and specifically the use of a botnet (many compromised machines, each contributing a different IP address so that no single address trips a per-IP block), has prompted us to introduce another round of improvements in our fraud countermeasures.
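The two attacker shapes described above call for two different detection rules, and the following added example (not Engaging Networks code) shows both run over a constructed submission log. Rule 1 is the per-IP velocity check that automated IP blocking relies on; rule 2 looks at the page rather than the IP, which is what still fires when a botnet spreads one card-testing run across many addresses. The log format, thresholds, window lengths and page numbers are all assumptions.

```python
"""Card-testing detection over a constructed submission log (added example,
not Engaging Networks code).

Two rules, each aimed at a different attacker shape:
  1. per-IP velocity: one IP submitting many distinct cards in a short window.
     This is what automated IP blocking catches.
  2. per-page decline burst: many low-value declines on one page spread over
     many IPs. A botnet never trips rule 1 (each bot submits once or twice),
     but the page it is hammering still shows the burst.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

IP_WINDOW = timedelta(seconds=60)
IP_DISTINCT_CARDS = 4            # distinct cards from one IP inside IP_WINDOW
PAGE_WINDOW = timedelta(seconds=120)
PAGE_DECLINES = 5                # low-value declines on one page inside PAGE_WINDOW
PAGE_DISTINCT_IPS = 4            # ...coming from at least this many IPs
LOW_VALUE = 2.00                 # card testers probe with $1-ish amounts

# Constructed log: "<timestamp> <page> <client-ip> <card-token> <amount> <gateway-result>".
# The card column is a token, never the card number itself; the IPs are RFC 5737
# documentation ranges. Page 1001 is hit from a single IP, page 1002 from a
# botnet of six addresses, and each page also has a genuine donor.
SAMPLE_LOG = """\
2020-01-27T10:00:00 1001 203.0.113.5 tok01 50.00 approved
2020-01-27T10:01:00 1001 198.51.100.7 tok02 1.00 declined
2020-01-27T10:01:05 1001 198.51.100.7 tok03 1.00 declined
2020-01-27T10:01:09 1001 198.51.100.7 tok04 1.00 approved
2020-01-27T10:01:15 1001 198.51.100.7 tok05 1.00 declined
2020-01-27T10:01:20 1001 198.51.100.7 tok06 1.00 declined
2020-01-27T10:05:00 1002 192.0.2.11 tok07 1.00 declined
2020-01-27T10:05:10 1002 192.0.2.23 tok08 1.00 declined
2020-01-27T10:05:20 1002 192.0.2.35 tok09 1.00 approved
2020-01-27T10:05:30 1002 192.0.2.47 tok10 1.00 declined
2020-01-27T10:05:40 1002 192.0.2.59 tok11 1.00 declined
2020-01-27T10:05:50 1002 192.0.2.71 tok12 1.00 declined
2020-01-27T10:06:00 1002 203.0.113.9 tok13 25.00 approved
""".splitlines()


def parse(line):
    ts, page, ip, card, amount, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "page": page, "ip": ip,
            "card": card, "amount": float(amount), "result": result}


def _trim(window, now, span):
    """Drop events that have fallen out of the sliding window."""
    while window and now - window[0]["ts"] > span:
        window.popleft()


def detect(lines):
    """Replay the log in time order; return (blocked_ips, flagged_pages)."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    per_ip, per_page = defaultdict(deque), defaultdict(deque)
    blocked_ips, flagged_pages = set(), set()
    for ev in events:
        # Rule 1: distinct cards seen from this IP inside IP_WINDOW.
        w = per_ip[ev["ip"]]
        w.append(ev)
        _trim(w, ev["ts"], IP_WINDOW)
        if len({e["card"] for e in w}) >= IP_DISTINCT_CARDS:
            blocked_ips.add(ev["ip"])
        # Rule 2: low-value declines on this page, counted across IPs.
        if ev["result"] == "declined" and ev["amount"] <= LOW_VALUE:
            p = per_page[ev["page"]]
            p.append(ev)
            _trim(p, ev["ts"], PAGE_WINDOW)
            if len(p) >= PAGE_DECLINES and len({e["ip"] for e in p}) >= PAGE_DISTINCT_IPS:
                flagged_pages.add(ev["page"])
    return blocked_ips, flagged_pages


if __name__ == "__main__":
    blocked, flagged = detect(SAMPLE_LOG)
    print("block IPs:", sorted(blocked))
    print("add CAPTCHA to pages:", sorted(flagged))
```

On the constructed log, rule 1 blocks 198.51.100.7 (four distinct cards inside 20 seconds) but never fires for the botnet, since each bot address submits one card; rule 2 flags page 1002 (five low-value declines from five addresses inside a minute) and leaves page 1001 alone. A flagged page is exactly the signal the alert in the next section is meant to deliver, and the response is the same: put a CAPTCHA in front of that page.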
New alert item in your account
You may have noticed in the notes for our most recent software release that we have exposed an “IP Block rejection alert” directly to our clients. We did this so that your own team can act quickly, for example by adding a CAPTCHA challenge to the donation pages being targeted.
We strongly recommend that all clients who process donations make full use of these notification emails. Add each email address that should receive them under Hello YOURNAME > Account settings > Account emails, as a “Spam/Fraud Notification recipient”.
In our recent release, we provided clients with a “Country Restriction” ruleset, enabling you to specify which countries should automatically trigger a CAPTCHA challenge. It is a conditional feature: the challenge only appears on your donation pages when the rule is triggered.
The system determines the supporter’s country from their IP address. You decide which primary countries should never see a CAPTCHA challenge, and which other, higher-risk countries should always see one. Examples of countries that are higher risk (because they are often the location of IP addresses that are testing stolen credit card numbers) are Ukraine, Brazil, Romania and China. The new feature makes it easy to show the conditional CAPTCHA challenge on donation pages whenever a visitor from one of the designated “high risk” countries arrives. Bear in mind that IP geolocation is approximate, and that a fraudster using botnet nodes or VPN exit points located inside your primary countries will not be caught by this rule, so treat it as one layer of defense rather than the only one.
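The following added example (not the platform’s code) shows the country rule as a decision function, with one detail the description above leaves implicit: the IP address has to be the one the platform actually saw, not one the client supplied in a header. The GeoIP table, the proxy addresses and the treatment of countries on neither list are assumptions.

```python
"""Conditional CAPTCHA by supporter country (added example, not the platform's code).

GEO_TABLE is a constructed stand-in for a GeoIP database, built from RFC 5737
/ RFC 3849 documentation ranges; a real deployment would query a GeoIP provider.
"""
import ipaddress

GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("192.0.2.0/24"), "UA"),
    (ipaddress.ip_network("2001:db8::/32"), "BR"),
]
PRIMARY_COUNTRIES = {"US", "GB", "CA"}          # never challenged
HIGH_RISK_COUNTRIES = {"UA", "BR", "RO", "CN"}  # always challenged

# Our own reverse proxies / load balancers (constructed addresses).
TRUSTED_PROXIES = {"203.0.113.1", "203.0.113.2"}


def client_ip(remote_addr, x_forwarded_for):
    """Work out the real client address.

    X-Forwarded-For is attacker-controllable: anything the client put in it
    before our proxies appended their hops is untrusted. So only honour the
    header when the TCP peer is one of our proxies, and walk it from the
    right, skipping our own hops, to the first address a proxy saw as its peer.
    """
    if remote_addr not in TRUSTED_PROXIES or not x_forwarded_for:
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        if hop not in TRUSTED_PROXIES:
            return hop
    return remote_addr


def country_for(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:          # False (not an error) on a v4/v6 mismatch
            return cc
    return None                  # not in the table


def needs_captcha(ip, challenge_unknown=False):
    """Primary countries never see the challenge, high-risk ones always do.

    Countries on neither list follow challenge_unknown; this is an assumption,
    the page does not say how the real feature treats them.
    """
    cc = country_for(ip)
    if cc in PRIMARY_COUNTRIES:
        return False
    if cc in HIGH_RISK_COUNTRIES:
        return True
    return challenge_unknown


def decide(remote_addr, x_forwarded_for=None, challenge_unknown=False):
    """Full decision for one request: resolve the client IP, then apply the rule."""
    return needs_captcha(client_ip(remote_addr, x_forwarded_for), challenge_unknown)


if __name__ == "__main__":
    # Direct connection from a UA address that claims a US address in the header:
    # the header is ignored because the peer is not one of our proxies.
    print(decide("192.0.2.10", "203.0.113.5"))                               # True
    # Behind our proxy chain: the rightmost non-proxy hop (UA) wins, not the
    # spoofed GB address the client prepended.
    print(decide("203.0.113.2", "198.51.100.99, 192.0.2.10, 203.0.113.1"))  # True
```

The default for countries on neither list is “no challenge”, matching the page’s description of the rule as a deterrent for designated high-risk countries; flip `challenge_unknown` to `True` if you would rather challenge everyone outside your primary countries.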
A new feature (as of 24 January 2020) is the ability to list the domains over which your pages can be viewed. By default, e-activist.com and netdonor.net can load your donation pages, advocacy pages and so on. However, many clients have added their own subdomains, such as action.mycharity.org.
By whitelisting only your own subdomain, rather than our default domains, you can reduce spam attacks from bots that exploit the sequential numbering of page URLs on the default domains to enumerate pages and plug data into them. Once the default domains are off the list, a request for your page over e-activist.com or netdonor.net gets a “not found” response, and the enumerating bot never sees the form. You can read more here.
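How a host allow-list of this kind behaves at the HTTP level, as an added example rather than the platform’s own implementation: a small WSGI middleware that answers 404 unless the Host header matches the list, normalising case, trailing dots and port suffixes so that legitimate variants of your subdomain still match. The page handler and the request helper are stand-ins.

```python
"""Host allow-list as WSGI middleware (added example, not the platform's code).

Requests whose Host header is not on the allow-list get a 404, so a bot
walking sequential page numbers on a default domain never reaches the form.
"""


def normalise_host(host_header):
    """Lower-case, strip a trailing dot and any :port, so that
    'Action.MyCharity.org:443.' still matches 'action.mycharity.org'."""
    if not host_header:
        return ""
    host = host_header.strip().lower().rstrip(".")
    if host.startswith("["):                 # IPv6 literal, e.g. [2001:db8::1]:8443
        return host.split("]")[0] + "]"
    return host.split(":")[0]


class HostAllowlist:
    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {normalise_host(h) for h in allowed_hosts}

    def __call__(self, environ, start_response):
        host = normalise_host(environ.get("HTTP_HOST"))
        if host not in self.allowed:
            # Same response a genuinely missing page would get: nothing for the
            # enumerator to distinguish an unlisted host from a non-existent page.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not found\n"]
        return self.app(environ, start_response)


def donation_page(environ, start_response):
    """Stand-in for the real page handler."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form>donation form</form>"]


# Only the client's own subdomain is listed; the default domains are left off.
app = HostAllowlist(donation_page, ["action.mycharity.org"])


def request(wsgi_app, host, path="/page/1234"):
    """Drive a WSGI app with a minimal environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"HTTP_HOST": host, "PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for host in ["action.mycharity.org", "Action.MyCharity.org:443", "e-activist.com", "netdonor.net"]:
        print(host, "->", request(app, host)[0])
```

The check raises the cost of blind enumeration; it is not access control, since a bot that already knows your subdomain can send that Host header. A missing or malformed Host header falls through to the same 404.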
Other considerations and tips
Spam trap – Add a field (often called a honeypot) to your forms that is present in the HTML but hidden from human supporters. Bots that fill in every field will populate it, and a submission with that field filled can be rejected.
Donation amount validator – Fraudsters will often test credit cards using very small donation amounts like $1. Adding a donation amount validator with a minimum donation amount removes the cheap $1 probes that card testers rely on.
Third party email validators – Spammers will often use syntactically valid but fake email addresses to submit pages. A third-party email validation service such as Never Bounce can check that the address actually exists before the submission is accepted.
Close pages that are not in use – Close pages after your campaigns have ended and the forms are no longer being used. Every open page is another endpoint a card tester can probe.
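The four tips above can all be enforced in one server-side validation step before anything is sent to the gateway. The following added example (not the platform’s code) does that for a constructed form submission: a honeypot field, a minimum amount, an email sanity check (syntax plus a small constructed list of throw-away domains, standing in for the lookup a third-party validation service would perform), and a closed-page check. Field names, the minimum, the open-page set and the domain list are assumptions.

```python
"""Server-side checks behind a donation form (added example, not the platform's code).

Honeypot, minimum amount, email sanity check and closed-page check, returning
every reason a submission fails so that the log explains each rejection.
"""
import re
from decimal import Decimal, InvalidOperation

# Honeypot: rendered in the page but moved off-screen for humans. Not type=hidden
# (bots skip those); tabindex=-1, autocomplete=off and aria-hidden keep browsers
# and screen readers from ever touching it. Field name is an assumption.
HONEYPOT_FIELD = "website"
HONEYPOT_HTML = (
    '<div style="position:absolute;left:-10000px" aria-hidden="true">'
    '<input type="text" name="website" tabindex="-1" autocomplete="off"></div>'
)

MIN_DONATION = Decimal("5.00")
OPEN_PAGES = {"1001", "1002"}                           # constructed: pages still live
THROWAWAY_DOMAINS = {"mailinator.com", "example.com"}  # constructed stand-in list
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def validate(page_id, form):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []

    # Closed pages should not accept anything, whatever else is in the form.
    if page_id not in OPEN_PAGES:
        reasons.append("page closed")

    # Humans never see the honeypot, so any value in it marks a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot filled")

    # Decimal, not float, for money; reject NaN/Infinity as well as garbage,
    # since Decimal('NaN') would raise on the comparison below.
    try:
        amount = Decimal(form.get("amount", ""))
        if not amount.is_finite():
            raise InvalidOperation
    except InvalidOperation:
        reasons.append("amount not a number")
    else:
        if amount < MIN_DONATION:
            reasons.append(f"amount below minimum {MIN_DONATION}")

    # Syntax first, then the domain list. A well-formed address at a real
    # domain still passes here; only a third-party service can tell you
    # whether the mailbox exists.
    email = form.get("email", "").strip().lower()
    match = EMAIL_RE.match(email)
    if not match:
        reasons.append("email malformed")
    elif match.group(1) in THROWAWAY_DOMAINS:
        reasons.append("email domain disallowed")

    return reasons


if __name__ == "__main__":
    genuine = {"amount": "25.00", "email": "donor@supporter-example.org", "website": ""}
    bot = {"amount": "1.00", "email": "x@example.com", "website": "http://spam"}
    print(validate("1001", genuine))   # []
    print(validate("1001", bot))       # three reasons
    print(validate("1999", {"amount": "abc", "email": "not-an-email"}))
```

For a honeypot hit it is worth returning the normal thank-you page while silently discarding the submission, so the bot operator gets no signal that the trap exists; the reasons list goes to your logs, not to the client.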
You can trust that Engaging Networks will continue to be extremely vigilant in doing everything that we can to minimize the impact of fraud on our client community. If you have any questions, please do let us know.