Crooks Use Online Donations To Test Credit Card Fraud

When about a dozen online donations came in to Equality Now on one day in June, Andrea Edman didn’t need Spider-Man-like ESP to realize something was amiss. “I could tell they were fishy because they came from the same ZIP code in Florida, different cities that didn’t exist,” she said. All of the information typed into forms was lower case and each had email addresses with animal names, like FunkyDuck27 and GrizzlyBear42.

As development and communications associate, Edman processes the online donations received at the New York City-based charity focused on legal and women’s rights around the world. A thief had gotten hold of a file of stolen credit card information and was using Equality Now’s donation page to test the validity of the credit card numbers. The thief masked location by making attempts from different IP addresses and altering credit card information, so blocking the IP address or credit card information didn’t work.

The hacker attempted about 7,000 donations totaling $60,000 over a week-and-a-half while Equality Now’s CRM vendor, Salsa Labs, tried to figure out how to stop the attempts, since the attacker still had access to the URL. About 5 percent of the attempts went through, Edman said, and the charity was able to refund all of the donations that were processed — about $4,000 — and is working to have charge-back fees waived.

Donor information was safe because the hacker didn’t get into the internal system, Edman said.

The issue took over the organization for three weeks and with a small staff, Edman said they needed that support. Equality Now has about 15 employees in its New York City office and another 20 in offices in London and Nairobi. One employee on the marketing team handles IT for the marketing side and two other staff mostly handle the internal systems.

The donation page was open for about a week (June 12-19) while Salsa Labs tried to re-route the fraudster through a new URL with no success, according to Edman. At that point, she said, they shut down the donation link and the page was down until June 30.

Equality Now reactivated the page with a new key to the link, thinking the thief wouldn’t be able to access it. After a few days with no fraudulent donations, Edman said illegitimate donations reappeared July 4 and the link was immediately closed again. The page was re-activated with the addition of Captcha on July 7 and they haven’t had any fraudulent donations since.

Captcha is a program that helps distinguish humans from bots, prompting users to solve a simple arithmetic problem, type in a word presented to them, or check a box to indicate they’re not a robot.

Equality Now likely missed out on about $10,000 in donations, which is what was received in online gifts during that week in the previous year, according to Edman. “Luckily, our referring donors were not affected,” she said, estimating the charity has about 40 donors who give automatically each month.

Even more fortunate for Equality Now was the timing of its mid-year appeal, which had yet to launch. It was postponed more than three weeks until their donation page issues were resolved.

After going through the experience, Edman suggested that other nonprofit managers understand personally all of the security measures on the organization’s website. “We have a technical person on our team who understands websites but this never happened to us so we never looked in depth into what those security measures mean. This is now our most important issue,” she said.

For instance, Edman learned that it might help to set a limit on the donation page, restricting how many donations can be made during a certain time period, say by refusing more than one per minute.
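
The limit Edman describes, sketched as an added example (not code from Equality Now or Salsa Labs): because blocking IP addresses did not work, the limiter keys on the billing ZIP code and on page-wide card declines instead. The class and function names, the thresholds and the sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class DonationThrottle:
    """Sliding-window limits for a donation form that never look at the IP."""

    def __init__(self, window=60, max_per_zip=1, max_page_declines=3):
        self.window = window                        # seconds
        self.max_per_zip = max_per_zip              # attempts per billing ZIP
        self.max_page_declines = max_page_declines  # gateway declines, whole page
        self.by_zip = defaultdict(deque)            # ZIP -> attempt timestamps
        self.declines = deque()                     # decline timestamps

    def _trim(self, q, now):
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def check(self, now, billing_zip):
        """Decide before the card is sent to the payment gateway."""
        self._trim(self.declines, now)
        if len(self.declines) >= self.max_page_declines:
            return "challenge"                      # e.g. require a CAPTCHA
        q = self.by_zip[billing_zip]
        self._trim(q, now)
        if len(q) >= self.max_per_zip:
            return "block"
        q.append(now)
        return "allow"

    def record_decline(self, now):
        self.declines.append(now)

def replay(attempts, throttle):
    """attempts: (timestamp, ip, billing_zip, gateway_approves), time-ordered."""
    outcome = {"allow": 0, "block": 0, "challenge": 0}
    for ts, _ip, billing_zip, approves in attempts:   # the IP is ignored
        verdict = throttle.check(ts, billing_zip)
        outcome[verdict] += 1
        if verdict == "allow" and not approves:
            throttle.record_decline(ts)
    return outcome

# Constructed sample data: a new IP on every attempt, 2 s apart.
SAMPLE = [(2 * i, f"198.51.100.{i}", "00000", False) for i in range(12)]
SAMPLE += [(24 + 2 * i, f"203.0.113.{i}", f"0000{i + 1}", False) for i in range(4)]
SAMPLE.append((32, "192.0.2.10", "10001", True))      # genuine donor

if __name__ == "__main__":
    print(replay(SAMPLE, DonationThrottle()))
```

In the sample, the per-ZIP limit stops the repeated ZIP code, and once the attempts switch to fresh ZIP codes the page-wide decline count sends every visitor, the genuine donor included, to a challenge rather than refusing them outright.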

Through conversations with other nonprofit leaders, Edman said she learned it can often happen at small nonprofits. Fraudsters understand that at small organizations, they might not have the budget for security that a large charity might possess.

Though smaller nonprofits are at risk, more likely targets tend to be higher-profile organizations whose name is out there with easy to find web sites, according to Phillip Schmitz, CEO and founder of BIS Global, which created the Charity Engine platform. More sophisticated thieves also understand that the higher profile means it’s easier for them to blend in. Being able to masquerade IP addresses across geographic regions is not a simple implementation, he said.

Donna Myers, chief operating officer at Salsa Labs, said such fraud attacks are random and uncommon. While she could not comment directly on the Equality Now incident, Myers said nonprofit technologists often try to make it as easy as possible for website visitors to make a donation and might not turn off address verification services or the CVV on their payment gateway.

Conventional wisdom usually holds that the more information a donor must enter, the more likely they are not to convert into a donation. “As these fraudsters get more sophisticated, additional safeguards really need to be put in place,” Myers said.

Retailers have a tolerance from customers to input CVV codes and add verification services because there’s a strong business need to do so. “For nonprofits, that has a very negative impact on their donations,” Schmitz said. “What ends up happening is an abandonment rate that might puzzle nonprofits,” he said.

Schmitz dealt with fraud in a different way after a background in retail during the 2000s. “We had no idea until we started working with large organizations that these organizations are targeted constantly. It’s very easy for [thieves] to leverage nonprofit donation pages to test stolen credit cards,” he said. The challenge as a nonprofit is they don’t sell a product so it’s critical to have the least amount of barriers as possible for a person to make a gift, which is why organizations are moving to one-click giving and complete optimization. “That way there’s nothing that stands in the way of a donor getting approval on that credit card.”