Payments

Securing Donations: A Nonprofit's Roadmap to Payment Fraud Protection

Did you know that 55% of Millenial and Gen X donors prefer to give online via credit or debit card, with Baby Boomers right on their heels at 54%? The predominance of online donations has been on the horizon for some time, with the rising popularity of virtual and hybrid events and the evolution of online payment technology only accelerating this trend.

 In fact, in addition to facilitating online donations and e-commerce for virtual fundraising events, online payment tools like mobile payment apps can now streamline transactions for in-person events as well.

 The convenience and efficiency of online payments increased their popularity, making it essential to safeguard the payment process and create an environment in which supporters can donate without fear of their data being misappropriated by online scammers.

 Being on the receiving end of payment fraud can have drastic monetary and reputational consequences for nonprofits, drying up public trust in a sector that relies so heavily on goodwill. However, few nonprofits seem to have the right strategies to deal with potential fraudsters.

 To help you confront this issue, we’ll explore what you need to know about payment fraud detection and protection to reassure donors and fortify your payment system:

 Let’s dive in with a brief overview of what constitutes online payment fraud.

Want to learn more about online payment fraud? Download our white paper on the subject!
Explore the meaning of online payment fraud

What is Online Payment Fraud?

Payment fraud is an umbrella term for the illegal payments made by cybercriminals on the internet. Typically, it involves stolen payment details being used to initiate unauthorized transactions and rob the victim of sensitive data, money, or other forms of property.

While most members of the public seem to be wary of the risks of payment fraud, concerns about fraud are especially high in the nonprofit sector. In fact, over 92% of donors say it is very important to them that organizations protect donor information.

Walk through a few major examples of payment fraud for nonprofits

Common Types of Nonprofit Digital Payment Fraud

In order to meet donors’ expectations and defend your supporters from fraudsters and cybercriminals, you must understand the major forms of payment fraud for nonprofit organizations.

Online Credit Card Fraud

Although you might consider your nonprofit different from a business when it comes to accepting and processing payments, you face many of the same fraud risks.

Handling people's credit card information can open you up to being targeted by hackers, scam artists, and identity thieves. In fact, nonprofits are often explicitly targeted because they sometimes neglect payment security measures that businesses use as second nature.

Let's review two card-related common scams that nonprofits should look out for.

ACH Fraud

Also called direct debit payments, ACH payments are an alternative to credit card payments that allow your organization to collect contributions and payments directly from an individual's bank account.

This can be an incredibly useful payment method for nonprofit organizations, with some of its key benefits being:

  • Lower overhead. There are fewer fees associated with processing ACH payments than credit card payments. During an ACH transaction, your organization incurs a single flat fee. By contrast, credit card donation processing incurs a flat fee and a charged percentage of the transaction, determined by the type of credit card provider used.
  • All you need to conduct an ACH payment is the donor’s bank account and routing number. This allows you to solicit more donations and increase payment accessibility, as approximately 95% of American households have at least one member with a bank account.
  • Recurring donations. ACH payments are especially popular because they can easily be used to set up recurring donation schedules. Due to their low overhead and convenient setup, many nonprofits encourage recurring donors to give via ACH.

However, because nonprofits are increasingly using ACH payments for fundraising, scammers have taken note. Fraudsters can steal an individual's bank account routing number through phishing or database hacking. This is how the scam plays out:

Walk through the steps of an ACH payments fraud scam
  1. First, fraudsters will make a large donation using the stolen routing number.
  2. The next day, they will contact your organization and insist that the donation was an error. For example, they might say they intended to donate $10 but accidentally wrote $1000 or say that they did not authorize a donation at all.
  3. After making their claim, they will request a refund to a credit card or via check.
  4. They will also contact the bank associated with the routing number and state that the nonprofit withdrew an unauthorized donation, requesting a refund.

 This way, the scammers have doubled the amount of the fraudulent refund. Because it can yield such high returns, nonprofit ACH scamming has become popular with online thieves, and you need to take note of it when protecting your organization against fraud.

Donation Form Fraud

Many scammers use nonprofit online donation forms to test out stolen credit card numbers. Because some nonprofits prioritize ease of use over cybersecurity when creating donation forms, they inadvertently make it easier for thieves who want to test multiple stolen numbers in quick succession.

Similar to ACH fraud, donation form fraud involves requesting refunds for false donations made by the scammer. The con typically plays out like this:

  • First, thieves will use your donation form to verify the validity of the card number they have stolen. They might attempt dozens of small donations using different cards.
  • Once a donation successfully goes through, they know they can use it to complete their scam. This process is known as card tumbling.
  • Next, they will make a false donation and request a refund in the same way an ACH fraudster would.

 What differentiates donation form fraud from ACH fraud is that it’s easier to spot before the final scam takes place. However, donation form fraud can cost you more if a thief slips through the cracks. After the refund is processed, you will likely be charged a chargeback fee once the bank realizes the transaction was fraudulent.

Explore strategies to detect and protect against payment fraud scams

How Do You Protect Against Payment Fraud?

While over 69% of nonprofits think fraud is a significant risk to the nonprofit sector, almost 50% do not have best-practice protections, such as anti-fraud tools or firewalls to repel fraudsters. As a nonprofit, it is your responsibility to make sure safety measures are in place to protect both your organization and donors from online thievery.

 Consider these effective measures for detecting, preventing, and protecting against fraud.

7 Payment Fraud Detection & Protection Strategies

1. Improve Password Security

Your passwords should be unique and securely stored to prevent them from being cracked. Ideal passwords are long and contain symbols, numbers, and upper and lower-case letters. They should also be a random list rather than distinguishable words or keyboard patterns.

 Enable multi-factor authentication for password resets wherever possible. We encourage you to use password managers, which not only store passwords securely, but can assist in generating strong passwords and ensure you don't reuse passwords across sites.

2. Beware of Phishing Emails

Emails asking you to click on links or attachments and provide personal information can be used by fraudsters to install malware and gain access to sensitive information. Fraudsters can also pose as your nonprofit and solicit donations from well-meaning constituents.

 You should take the following steps to mitigate your risk:

  • Carefully review the email for poor spelling or grammar and the email address for errors.
  • Do not click on any links or attachments. You can hover over them to ascertain if they are genuine.
  • Separately contact the organization that sent the email to confirm its authenticity.

3. Monitor Your Merchant Services Account

To better spot donation fraud, you should check for multiple donations with small, random amounts over a short period. Such transactions are often made using the same name for many different card numbers.

To protect against fraud, your nonprofit could require a minimum donation amount and CVV2 for online transactions. You could also enable Captcha on your online donation form to prevent computer automated break-ins.

If you use an online form vendor, work with them to ensure you're protected. iATS Payments by Deluxe works exclusively with nonprofit organizations, and our fraud tools are built to suit your needs specifically. Here are just a handful of our easy-to-use protection tools:

  • Address Verification System (AVS)
  • Bank Identification Number (BIN) Blocking
  • Card Verification Code Requirement Capability (CVV2)
  • Card Number Tumbling
  • IP Blocking

4. Make Sure Donors Have Access to their Cards

Most credit card thieves do not have stolen physical credit cards on hand. In most cases, they gain access to the card number and know very little about the cardholder or their card. For this reason, you can usually weed out fraudulent donations by making it harder to use card numbers illegally:

  • CVV2 Verification. A card's CVV2 number is the short code found on the back of a credit card. Require that online donors input this number when entering their card information, and you will likely eliminate fraudsters who do not have access to the code.
  • Address verification. An address verification system (AVS) verifies a donor's billing address with the address their bank has on file. Verification can be done in seconds, and if the thief doesn’t know the correct address, they can’t proceed with the scam.

5. Verify the Cardholder's Identity

Another way to make it harder for scammers to successfully target your organization is to require that donors verify their identity before completing a transaction. Here are a few steps you can take to verify a donor's identity:

  • BIN/IP address verification. Included in every card number is information identifying the cardholder's bank, called the Bank ID Number (BIN). When processing a donation, compare your donors' regional IP address against their BIN. If they are making their donation from a different country than their BIN address, this could be a red flag.
  • Two-factor authentication. You can also confirm a donor's identity using a two-factor authentication process. Before completing a donation, the user will have to verify their identity via SMS, email, or another communication platform.

6. Make Your Donation Form More Sophisticated

Many nonprofits shy away from using sophisticated donation forms online because they do not want to make it harder than they have to for donors to complete a donation. However, the more simplistic your donation form, the more likely it is to be exploited by scammers. You can make your donation form more secure by using these strategies:

  • Require a minimum transaction amount.
    • To prevent refund fraud tactics, you can require a minimum donation amount before completing a transaction. This might seem counter-intuitive, but most donors usually give more than $15 when they donate. If you do not accept small donations, you will not miss out on much.
  • Use encryption/tokenization.
    • With encryption and tokenization, donors' payment information is turned into a code that only your payment processor can read. If thieves hack your data, they will not be able to extract a donor's information.
  • Enable CAPTCHA. CAPTCHAs are automated tests designed to block automated bots. Fraudsters sometimes try to use bots to test stolen credit card numbers. Using CAPTCHAs on your online donation forms will give you an additional line of defense against fraud attempts.

Keep in mind that fraud prevention and protection strategies evolve quickly to counter advances made by online scammers. Don't content yourself just with what security measures work now. Think of fraud protection as a continuous process that you can always improve upon.

While these are measures you can take to protect your nonprofit, there are some things most nonprofits do not have the expertise or resources to accomplish. This makes it incredibly important to choose the right payment processor to protect donor transactions.

7. Choose the Right Payment Processor

Payment processors are online platforms that facilitate transactions. Regardless of whether you already have a payment processor—which you should already possess if you accept donations online—it is always helpful to consider what makes a payment processor the right fit for you.

Here are some of the essential anti-fraud features you should look for in a payment processor:

  • PCI compliance. PCI compliance refers to a set of Payment Card Industry safety standards that all reputable payment processors must meet. These rules and regulations ensure that payments are secure, and that cardholder data is protected. Failure to abide by these standards can lead to your nonprofit facing fines between $5,000 and $500,000.
  • Data portability. Whatever data your payment platform saves about your nonprofit and your donors should be portable, meaning that you can transfer your donor data to a different payment system if you choose to leave. You do not want to be held hostage to a platform that you might outgrow or lose all your data if the software is compromised. Some payment processors, such as iATS Payments, will securely transfer PCI-regulated data like credit card numbers, whereas others will not do so. Failure to transfer credit card data means that your donors will have to register again to donate.
  • 24/7 security assistance. Your platform should provide reliable 24/7 security assistance to make sure you’re on the spot if an attempt at fraud is ever made on your site. You can put forward all the security measures in the world, but if you do not have a dedicated team to solve issues as they arise, you will still be vulnerable to fraud.
  • Experience with nonprofits. Experience with nonprofits is the most important feature to look for when choosing a payment processor. As discussed before, nonprofits are uniquely vulnerable to online fraud, and your payment processor should be aware of the threats your organization faces.

Investing in a payment processor that understands the unique challenges faced by nonprofits ultimately saves time and money, allowing your nonprofit to focus on its mission. While fraud protection for nonprofits is always necessary, now is the time to ensure you have protected your organization's donations and can safely and securely accept donations.

iATS payments is one of the most secure and trusted payment processors in the nonprofit space

iATS Payments: Our Secure Payment Processing Solution

iATS Payments by Deluxe is a veteran of the nonprofit sector, offering the ultimate easy-to-use, Level 1 PCI-compliant payment solution tailored to nonprofit organizations.

The functionality and power of our integrated payment processing software is undeniable, supporting a wide range of domestic and international payment options and even coming equipped with a mobile payment solution.

Additionally, iATS Payments is a fraud detection and protection leader in the nonprofit space, leveraging an arsenal of anti-fraud tools to protect our clients and their supporters from the rapidly evolving threat of fraud. Some of these features include:

  • Tokenization & Encryption
  • Two-Factor Authentification
  • BIN and CVV2 Verification
  • IP Velocity Checking
  • Minimum Transaction
  • Limit Name Tumbling

At an afforable monthly rate, iATS users are able to not only streamline the online donation and e-commerce process, but also guarantee the security of their payment systems, reinforce donor trust, and increase fundraising success.

Take advantage of our robust anti-fraud tools—begin using iATS Payments

Additional Resources

Just because thieves might target your nonprofit for payment fraud doesn’t mean there's nothing you can do to protect your organization and donors. These core strategies and powerful anti-fraud payment processing tools will enable you to halt fraudulent schemes in their tracks, protect your organization, and discourage future attacks.

Eager to learn more about the nonprofit payment process and strategies to increase your nonprofit’s payment security? Explore some of our other valuable resources:

Become a customer of iATS Payments—a veteran of secure nonprofit payment processing and fraud prevention
iats-white-arrow-icon

NONPROFITS

TECHNOLOGY PARTNERS

COMPANY

LEGAL

RESOURCES
arrow-button Support Center
arrow-button Visit Our Blog
Copyright ©2024 iATS, LLC. All rights reserved. iATS, LLC is a registered ISO of Wells Fargo Bank, N.A., Concord, CA, First Data Europe Limited (trading as First Data Merchant Solutions), Chase Paymentech Solutions, Fifth Third Bank, National Association, Cincinnati, OH, and the Canadian Branch of U.S. Bank National Association and Elavon. iATS, LLC is an agent of First Data Europe Limited
We use cookies to ensure you the best website experience. By using our site, you agree to our Cookie Policy.
Ok, I understand
Do Not Track