Nonprofit News

Online Fraud Protection for Nonprofits

May 04, 2020

68% of total charitable giving in 2018 in the U.S. came from individual donors, and over half of donors worldwide preferred to pay online via credit card. The predominance of online donations has been on the horizon for some time, and recent events have only accelerated this trend.

Many nonprofits depend on live fundraisers and cash donations for the majority of their revenue. However, the COVID-19 pandemic has made in-person fundraising and volunteering impossible for the foreseeable future, leaving many nonprofits no choice but to adopt virtual methods of fundraising and volunteering if they wish to continue operations.

Without online donations, your nonprofit would not be able to function. For this reason, it is essential to approach the donation collection process carefully and create an environment in which your donors can donate without fear of their money being misappropriated by online scammers.

Being on the receiving end of payments fraud will not only lead to monetary losses (In Canada, nonprofits lost an average amount of over $100,000 to fraud in 2018) but also reputational damage (Over 92% of donors say it is very important to them that organizations protect donor information). Given the economic damage done by the pandemic, maintaining good relationships with donors has become even more critical.

69% of nonprofits think fraud is a significant risk to the nonprofit sector, and 85% think they are doing everything they can to prevent fraud, but almost 50% do not have best-practice protections. As a nonprofit, it is your responsibility to make sure safety measures are in place.

Here's what you need to know about protecting your organization and donors from fraud.


Although you might consider your nonprofit different from a business when it comes to accepting donations and processing that income, your organization faces many of the same fraud risks as a for-profit company. Handling people's credit card information can open you up to being targeted by hackers, scam artists, and identity thieves. In fact, nonprofits are often explicitly targeted because they sometimes neglect payment security measures that businesses use as second nature.

Let's review two common scams that nonprofits should look out for.

ACH Fraud

Also called direct debit payments, ACH payments are an alternative to credit card payments that remove money directly from an individual's bank account.

Here are a few reasons why nonprofits might prefer ACH payments from donors:

  • Lower overhead

There are fewer fees associated with processing ACH payments than with credit card payments. When you conduct an ACH transaction, your organization incurs a single flat fee. When donating with a credit card, you are charged a flat fee and a percentage of the transaction, both of which vary based on the type of credit card used.

  • Convenience

All you need to conduct an ACH payment is an individual's bank account routing number. Nearly everyone has a bank account, but not all people use credit or debit cards. When soliciting donations, it is important to appeal to as many potential donors as possible, so it makes sense to accept payments via a medium most people can use.

  • Recurring donations

ACH payments are especially popular with nonprofits because they can easily be used to set up a recurring donation schedule. Because of their low overhead and convenient setup, many nonprofits are now encouraging recurring donors to give via ACH payments.

However, because nonprofits are increasingly using ACH payments for fundraising, scammers have taken note. Fraudsters can steal an individual's bank account routing number through phishing or database hacking. This is how the scam plays out:

  1. First, they will make a large donation using the stolen routing number.
  2. The next day, they will contact your organization and insist that the donation was an error. For example, they might say they intended to donate $10 but accidentally wrote $1000 or say that they did not authorize a donation at all.
  3. After making their claim, they will request a refund to a credit card or via check.
  4. They will also contact the bank associated with the routing number and state that the nonprofit withdrew an unauthorized donation, requesting a refund.

This way, they have doubled the amount of the fraudulent refund. Because it can yield such high returns, nonprofit ACH scamming has become popular with online thieves, and you need to take note of it when protecting your organization against fraud.

Donation Form Fraud

This type of online theft specifically targets nonprofits. Many scammers use online donation forms to test out stolen credit card numbers. Because some nonprofits prioritize ease of use over cybersecurity when creating donation forms, they inadvertently make it easier for thieves who want to test multiple stolen numbers in quick succession.

Similar to ACH fraud, donation form fraud involves requesting refunds for false donations made by the scammer. The con typically plays out like this:

  1. First, thieves will use your donation form to verify the validity of the card number they have stolen. They might attempt dozens of small donations using different cards; once one goes through, they know they can use it to complete their scam. This process is known as card tumbling.
  2. Next, they will make a false donation and request a refund in the same way an ACH fraudster would.

What mainly differentiates donation form fraud from ACH fraud is that it is easier to spot before it happens but can cost you more if a thief slips through the cracks. After the refund is processed, you will likely be charged a chargeback fee once the bank realizes the transaction was fraudulent.


Just because thieves might target your nonprofit for payment fraud does not mean there's nothing you can do to protect your organization and your donors. Here are a few core strategies to prevent thieves from successfully targeting you.

Improve Password Security

Your passwords should be unique and securely stored to prevent them from being cracked. Ideal passwords are long and contain symbols, numbers and upper and lower-case letters. You should also enable multi-factor authentication for password resets wherever possible. You should use password managers, which not only store passwords securely, but can assist in generating strong passwords and ensure you don't reuse passwords across sites. Here are some password managers you could consider.

Beware of Phishing Emails

Emails asking you to click on links or attachments and provide personal information can be used by fraudsters to install malware and gain access to sensitive information. Fraudsters can also pose as your nonprofit and solicit donations from well-meaning constituents. You should take the following steps to mitigate your risk –

  • Carefully review the email for poor spelling or grammar and the email address for errors
  • Do not click on any links or attachments. You can hover over them to ascertain if they are genuine
  • Separately contact the organization that sent the email to confirm its authenticity

Monitor Your Merchant Services Account

To better spot donation fraud, you should check for multiple donations with small, random amounts that occur over a short period. Such transactions are often made using the same name for many different card numbers. To protect against fraud, your nonprofit could require a minimum donation amount and CVV2 for online transactions. You could even enable Captcha in your online donation form.

If you use an online form vendor, work with them to ensure you're protected. iATS Payments works exclusively with nonprofit organizations, and our fraud tools are built to suit your needs specifically. Our free and easy-to-use protection tools prevented over USD 48,000,000 in potential losses from fraudulent transactions in 2019.

We offer the following free and easy-to-use protection tools -

  • Address Verification System (AVS)
  • Bank Identification Number (BIN) Blocking
  • Card Verification Code Requirement Capability (CVV2)
  • Card Number Tumbling
  • IP Blocking
  • IP Velocity Checking
  • Minimum Transaction
  • Limit Name Tumbling

Make Sure Donors Have Access to the Card They are Using

Most credit card thieves do not have stolen physical credit cards on hand. In most cases, they gain access to the card number and know very little about the cardholder or their card. For this reason, you can usually weed out fraudulent donations by making it harder to use card numbers illegally:

  • CVV2 verification

A card's CVV2 number is the short code found on the back of a credit card. Require that online donors input this number when entering their card information, and you will likely eliminate fraudsters who do not have access to the code.

  • Address verification

An address verification system (AVS) verifies a donor's billing address with the address their bank has on file. This verification can be done in seconds, and if the thief does not know the correct address, he will not be able to proceed with the scam.

Verify the Cardholder's Identity

Another way to make it harder for scammers to successfully target your organization is to require that donors verify their identity before completing a transaction. Here are a few steps you can take to verify a donor's identity:

  • BIN/IP address verification

Included in every card number is information identifying the cardholder's bank, called the Bank ID Number (BIN). When processing a donation, compare your donors' regional IP address against their BIN. If they are making their donation from a different country than their IP address, this could be a red flag.

  • 2-factor authentication

You can also confirm a donor's identity using a 2-factor authentication process. Before completing a donation, the user will have to verify their identity via SMS or another communication platform.

Make Your Donation Form More Sophisticated

Many nonprofits shy away from using sophisticated donation forms online because they do not want to make it harder than they have to for donors to complete a donation. However, the more simplistic your donation form, the more likely it will be exploited by scammers. You can make your donation form more secure by using these two strategies:

  • Require a minimum transaction amount
  • To prevent refund fraud tactics, you can require a minimum donation amount before completing a transaction. This might seem counter-intuitive, but most donors usually give more than $15 when they donate. If you do not accept small donations, you will not miss out on much.
  • Use encryption/tokenization
  • With encryption and tokenization, donors' payment information is turned into a code that only your payment processor can read. If thieves hack your data, they will not be able to extract a donor's information.

Note: Fraud prevention and protection strategies evolve quickly to counter advances made by online scammers. Don't content yourself just with what security measures work now. Think of fraud protection as a continuous process that you can always improve.

While these are measures you can take to protect your nonprofit, there are some things most nonprofits do not have the expertise or resources to accomplish. This makes choosing the right payment processor for you of the utmost importance.


Payment processors are online platforms that facilitate transactions.

Regardless of whether you already have a payment processor (you do if you already accept donations online), it is always helpful to consider what makes a payment processor the right fit for you.

Here are some of the essential fraud protection attributes you should look for in a payment processor:

  • PCI compliance

PCI compliance refers to a set of Payment Card Industry safety standards that all reputable payment processors must meet. These rules and regulations ensure that payments are secure, and that cardholder data is protected from scammers. Failure to abide by these standards can lead to your nonprofit facing fines between $5,000 and $500,000.

  • Data portability

Whatever data your platform saves on your nonprofit and your donors should be portable, meaning that you can transfer your donor data to a different platform if you choose to leave. You do not want to be held hostage to a platform that you might outgrow or lose all your data if the platform is compromised. Some payment processors, such as iATS Payments, will securely transfer PCI-regulated data like credit card numbers, whereas others will not do so. Failure to transfer credit card data means that your donors will have to register again to donate.

  • 24/7 security assistance

Your platform should provide reliable 24/7 security assistance if an attempt at fraud is ever made on your site. You can put forward all the security measures in the world, but if you do not have a dedicated team to solve issues as they arise, you will still be vulnerable to fraud.

  • Experience with nonprofits

Experience with nonprofits is the most important feature to look for when choosing a payment processor. As discussed before, nonprofits are uniquely vulnerable to online fraud, and your payment processor should be aware of the threats your organization faces.

Working with a payment processor that understands the unique challenges faced by nonprofits saves time and money, allowing your nonprofit to focus on its mission. While fraud protection for nonprofits is always necessary, now is the time to ensure you have protected your organization's donations and can safely and securely accept donations.