From California to Pennsylvania, from Wisconsin to Washington, colleges around the country were getting large online donations that turned out to be nothing more than credit card scams.
The Mississippi Secretary of State’s Office issued an alert on February 17 regarding about colleges and universities being targeted, after being contacted by a Mississippi university foundation. Colleges reported receiving online donations of as much as $10,000, only to be contacted later by a “donor” who claimed the amount was an error of too many zeroes. The “donor” then would request a refund of the difference but ask that it be refunded to a different credit card because the initial card was deactivated after a robbery.
San Francisco State University received the scam email as early as Feb. 23 and caught it the next day before the card was even processed, said Donna Blakemore, associate vice president, advancement. It started to look fishy once the refund was requested so she immediately alerted campus technology and security staff.
Other colleges noted the gift amount because it was out of the norm. Northland College never receives online donations of as much as $5,000, said Kristy Liphart, interim vice president for institutional advancement at the college in northern Wisconsin. “We knew it was not normal but maybe it was an innocent mistake,” said Liphart, so her gift coordinator called the phone number on the donation form. Northland was the only college to reach someone at a legitimate phone number. Others reported receiving the refund requests by email or calling phone numbers or companies that did not exist.
After the phone call, Liphart said the college started getting a flood of daily scam emails, all with $5,000 gifts, and knew it had to be a scam. The forms listed the same 678 area code (metropolitan Atlanta) but different names and email addresses. “We also don’t have any donors in that area. It’s easy for us, we’re a small school and pretty regional, although we do have students from all over, but we know our donor base pretty well,” said Liphart. Northland doesn’t do a lot of online fundraising and what it does comes in small increments of more like $25 or $50, she said.
“We’ve quarantined all of those and are working with the third-party payer we usually use for online gifts,” Liphart said, adding that the online donation form was taken down for a few days just to stop the scam emails.
“It’s just a hassle more than a financial issue,” she said, since the gift coordinator must keep quarantining the scam emails.
Liphart recalled hearing about similar incidents about a year ago, so she posted to a fundraising listserv to make other development officers aware of the situation.
Millersville University, outside Lancaster, Pa., received a gift on Feb. 27. The next day, they received the refund request from a “donor,” claiming that the initial card was no longer valid because of a recent robbery at his home in Georgia, in which he also lost his wife, according to Janet Kacskos, director of communications. Millersville had never seen the scam before and reported it to the Pennsylvania Secretary of State’s office, she said.
Sean Vincent, director of University Relations Information Services at the University of Puget Sound in Tacoma, Wash., said it was one of the more in-depth email scams he’s seen as it made it through the online form with a valid credit card number. The follow-up email indicated an email address and company name to refund the gift to that did not exist, he said.
Most phishing attempts tell you that your mailbox is full and ask to reset your password and send it, Vincent said. This was the most involved gift scam he’d seen since the scammer had to make a gift on a valid credit card to get it processed.
The email tried to look legitimate, providing a legitimate name and company with a title, but the tipoff for Vincent wasn’t much different from a typical phishing scam: the grammar was not quite right.
Anytime you see something in the age of identity theft, something that makes you pause, it’s a good idea to contact the donor directly, said Vincent. “Most donors, if they truly want to make a gift, won’t be offended if you call to reconfirm and make sure it’s them,” he said, adding that the merchant account vendor also should be alerted because they will have access to more resources than a nonprofit because of privacy laws. NPT