Credit Card and ACH Fraud: How Nonprofits Can Detect and Avoid It

Each year, U.S.-based nonprofits lose an average of $85,000 due to fraud. Think about all the projects that could be finished and all the people that could be helped with that $85,000!

It’s unlikely that nonprofits will be able to stop all fraudulent activity any time soon, but with new fraud protection and prevention methods, charitable organizations can see a dip in credit card fraud and bring in more legitimate donations.

We’ll be going over some of the basics of credit card fraud and tell you how your nonprofit can detect and avoid it.


What Is Credit Card Fraud?

Understanding the Basics of Credit Card Fraud

Credit card fraud is a broad term that describes any kind of theft or illegal use of credit card information. It can encompass anything from the physical act of taking someone’s credit card to more sophisticated forms of online credit card fraud.

For our purposes, we’ll only be talking about online credit card fraud.

Unfortunately, online credit card fraud is set to spike in coming years. Because of the introduction of the EMV (Europay, MasterCard, Visa) chip card in the U.S., physical, in-person credit card fraud is only going to become more difficult.

Because of this difficulty, fraudsters will start to turn to online credit card fraud. The EMV chip card doesn’t erase fraud; it just moves it to a different location.

Donation Form Fraud

While a lot of online credit card fraud happens for the purpose of buying hundreds and even thousands of dollars worth of merchandise under false pretenses, many fraudsters will first test stolen card numbers on nonprofit donation forms.

Many scammers choose to test these cards on donation forms, not because they are philanthropic individuals, but because it’s easier than testing the card on an online retailer’s payment form.

Many donation pages are meant to be easy for donors to use. They don’t have a lot of “required” fields, because nonprofits don’t want to prevent donors from filling out the form. Conversely, online retailers often require (or suggest) making an account, filling out billing and shipping addresses, and inputting an email address and a phone number.

Because online retailers create more hoops for consumers to jump through, credit card thieves turn to nonprofit donation pages to test those cards in small and often random amounts (think tiny donations, like $1.47).

If that small donation goes through without a hitch or a red flag, the fraudster knows that the card is good to use (at least for a little bit longer) and will go on to make large purchases using that stolen card.


A credit card refund scam typically goes like this:

Steps of Credit Card Refund Scam

  • A donation is made using a stolen credit card. Usually this donation is for a large amount, like $2,200.

  • The fraudster then pretends to be the donor and contacts the nonprofit via phone or email. They insist that the large donation was a mistake and that they only meant to give a portion of the amount. For instance, if they “gave” $2,200, they might claim that they only meant to give $200 and accidentally hit the “2” twice.

  • The fraudster requests a partial refund on a different credit card. In our example, they might say that the nonprofit can keep the “original” $200, but that the $2,000 should be refunded to another credit card.

  • The credit card thief makes off with a large donation. Additionally, the nonprofit gets hit with a chargeback fee for the original transaction since it was made using a stolen card.

This type of online credit card fraud has only started cropping up in recent years, but nonprofits should pay special attention to it, since it has the potential to severely affect their financial situation.

What is ACH Fraud?

How ACH Fraud Works

While most financial fraud that occurs on a nonprofit’s donation page comes from credit card scammers, ACH fraud is another type of deception that nonprofits should still be looking out for.

ACH fraud is on the rise, since more donors are using ACH to set up recurring donations or monthly bill payments. Criminals use ACH fraud because all they need are the bank account and routing numbers.

To obtain these numbers, a thief will send out emails with malicious code. Often, these emails appear to be from the individual’s bank; they will have proper logos, addresses, and phone numbers and will seem legitimate.

The code within this email tracks the individual’s keystrokes and gives the fraudster access to that person’s financial information.


The rest of an ACH scam is similar to the credit card refund scam mentioned in the previous section, but with a twist:

Steps of an ACH Scam

  • Once the victim’s bank account information is in the fraudster’s possession, they will use it to make a large contribution to a nonprofit, sometimes in the thousands of dollars.

  • The following day, the scammer will contact the nonprofit and tell them that the donation was made in error.

  • The scammer will ask the organization to refund the money, either to a credit card or via check.

  • After telling the nonprofit about the “mistake,” the scammer will contact their bank and tell them that the charity took the wrong amount.

  • The thief ends up with two different refunds: one from the nonprofit and another from the bank.

Why Should Nonprofits Care About Fraud?

The truth is, many leaders in the nonprofit world (upwards of 80% according to one study) have listed online security as one of their top 10 risks. However, this same study found that only 11% of these same nonprofit leaders have someone who is knowledgeable about technology risks sitting on their board of directors.

This disconnect indicates that perhaps nonprofits should be paying more attention to fraud risks than they currently are.

Here are three primary reasons that nonprofits should care about online credit card and ACH fraud.


Nonprofits can face tons of chargebacks and other fees when it comes to online credit card and ACH fraud.

For each fraudulent credit card charge that a nonprofit faces, they have to pay the credit card company a chargeback fee to process the refund to the victim. These chargeback fees can be as high as $25!

Additionally (and obviously), the nonprofit has to refund the stolen donations to their rightful owners.

For a one-time case of online credit card fraud, these fees and costs might seem insignificant or merely annoying. But as they accumulate over time, a nonprofit could start losing a lot of money thanks to fraudulent activity.

Damages to Reputation

Not only will your nonprofit face monetary losses during a string of fraudulent donations, but supporters might start to view your nonprofit in a different light.

Nonprofits that experience a lot of online fraud will be perceived as unsafe, and donors will be less likely to offer their monetary support.

Donors will be hesitant to give to your organization, and you’ll end up missing out on more donations in the long run.

If your organization experiences a series of problems related to online credit card or ACH fraud, your donors and prospects will begin to distrust your nonprofit.

PCI Non-Compliance Fees

PCI compliance speaks to the payment card industry’s data security standards (PCI DSS). These standards protect consumers and donors who use online forms to buy merchandise or give to nonprofits. They deal with the storage, processing, and transmission of data.

Failure to comply with these standards can result in up to $500,000 in fines and a revocation of your payment processing abilities.

Failure to comply also leaves your nonprofit more vulnerable to security breaches and theft of sensitive information related to your organization and your donors.

How Can Nonprofits Detect Fraudulent Donations?

As we discussed earlier, it’s going to be a long time before a nonprofit (or anyone for that matter) can detect and eliminate all fraudulent online activity.

However, there are key indicators that can tip your organization off to a scam. If you can easily detect fraudulent activities, you can assess where you may need to beef up your online security measures.

Let’s look at a few of the most common fraud detection methods.


Checking for Small, Random Donation Amounts

When it comes to online credit card fraud, scammers will usually input small, random amounts in the donation field.

If you start to see a lot of donations in amounts like $1.23 or $2.36, it could be a sign of fraudulent charges making their way through your online donation page.

Comparing Addresses

Your online donation page likely asks donors for their billing address.

Your payment processor might offer an address verification system (AVS) that checks this address against the address that the donor has on file with their credit card company.

If these addresses don’t match or raise a red flag for any reason, the payment processor will alert your organization.

Watching for Large Refund Requests

If an individual claims they mistakenly made a large donation and asks for a refund, it could be a sign that they are a scammer.

The key sign of this specific type of online credit card or ACH fraud is a request to refund the money to a different credit card or to send it via check.

If an individual makes this request or demand, it could be a sign of a fraudulent donation, and your nonprofit should proceed with caution.
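The three indicators above can be checked automatically against donation and refund records. The following is an added example, not code from the original article or from any payment processor; the record fields (`amount`, `method`, `account_ref`, `avs_match`) and both thresholds are assumptions, and the sample records are constructed.

```python
from decimal import Decimal

# Assumed thresholds for illustration; tune them to your own donation history.
SMALL_AMOUNT = Decimal("5.00")
LARGE_REFUND = Decimal("500.00")

def is_test_like(amount: Decimal) -> bool:
    """Small amount that is not a whole-dollar figure, e.g. $1.47 or $2.36."""
    return amount < SMALL_AMOUNT and amount != amount.to_integral_value()

def review_donation(d: dict) -> list:
    """Return the reasons a donation record deserves manual review."""
    reasons = []
    if is_test_like(d["amount"]):
        reasons.append("small-random-amount")
    if d.get("avs_match") is False:  # processor reported an address mismatch
        reasons.append("avs-mismatch")
    return reasons

def review_refund(donation: dict, refund: dict) -> list:
    """Compare a refund request against the donation it refers to."""
    reasons = []
    if refund["amount"] >= LARGE_REFUND:
        reasons.append("large-refund")
    # Core indicator from the text: the money is requested on a different
    # card, or by check, instead of the original payment method.
    if (refund["method"] != donation["method"]
            or refund["account_ref"] != donation["account_ref"]):
        reasons.append("refund-to-different-destination")
    return reasons

# Constructed sample records (not real data); account_ref is a processor token.
DONATIONS = [
    {"id": "d1", "amount": Decimal("1.47"), "method": "card", "account_ref": "tok_A", "avs_match": False},
    {"id": "d2", "amount": Decimal("50.00"), "method": "card", "account_ref": "tok_B", "avs_match": True},
    {"id": "d3", "amount": Decimal("2200.00"), "method": "card", "account_ref": "tok_C", "avs_match": True},
]
REFUND = {"donation_id": "d3", "amount": Decimal("2000.00"), "method": "card", "account_ref": "tok_Z"}

def run_review() -> dict:
    """Review every sample donation plus the refund request; keep only flagged items."""
    flagged = {d["id"]: review_donation(d) for d in DONATIONS if review_donation(d)}
    original = next(d for d in DONATIONS if d["id"] == REFUND["donation_id"])
    flagged["refund:" + REFUND["donation_id"]] = review_refund(original, REFUND)
    return flagged

if __name__ == "__main__":
    for key, reasons in run_review().items():
        print(key, reasons)
```

A refund flagged as `refund-to-different-destination` should only ever be returned to the original payment method, after the original transaction has been confirmed with the processor.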

How Can Nonprofits Avoid Receiving Fraudulent Donations?

Now that you know how to detect fraudulent activity, let’s talk about how you can avoid receiving these types of transactions.


Require a Minimum Donation Amount

An easy way to deter fraudsters from using your donation page to test stolen cards is to require a minimum donation amount.

Setting your minimum donation amount at $15 will help to reduce the number of fraudulent donations that your nonprofit receives.

Plus, as an added bonus, it automatically boosts your average donation size!

Ask for Security Codes

Asking donors to input the card's security code on your online donation form is an extra way to safeguard your nonprofit from fraudulent transactions.

Some credit card scammers use a process called credit card tumbling to try several credit card numbers in quick succession. Once they get a match, the transaction can be processed.

If a security code field is present on a donation form, it is much more difficult to use credit card tumbling to test a fraudulent transaction unless the scammer has the physical card with them.
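The minimum amount and security code requirements, together with a limit on how many different cards one client may try in quick succession, can be enforced on the server before a donation reaches the processor. This is an added example, not code from the original article or from a payment processor; the `DonationGate` class, the client identifier, the card fingerprint, the 10-minute window and the three-card limit are all assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict, deque

MIN_DONATION_CENTS = 1500  # the $15 minimum suggested in the text
WINDOW_SECONDS = 600       # assumed look-back window
MAX_DISTINCT_CARDS = 3     # assumed limit of different cards per client per window

class DonationGate:
    """Server-side checks applied before a donation is sent to the processor."""

    def __init__(self):
        # client id -> recent (timestamp, card fingerprint) attempts.
        # The fingerprint is a processor token or keyed hash, never the card number.
        self._attempts = defaultdict(deque)

    def check(self, client, ts, card_fp, amount_cents, has_cvv):
        recent = self._attempts[client]
        # Drop attempts that have aged out of the window.
        while recent and ts - recent[0][0] > WINDOW_SECONDS:
            recent.popleft()
        # Record every attempt, including rejected ones, so retries still count.
        recent.append((ts, card_fp))
        if len({fp for _, fp in recent}) > MAX_DISTINCT_CARDS:
            return "block: too many different cards"
        if not has_cvv:
            return "reject: security code required"
        if amount_cents < MIN_DONATION_CENTS:
            return "reject: below minimum donation"
        return "forward to processor"

# Constructed attempts: (client, unix time, card fingerprint, cents, CVV supplied)
ATTEMPTS = [
    ("c1", 0, "fp1", 147, True),
    ("c1", 20, "fp2", 2000, False),
    ("c1", 40, "fp3", 2000, True),
    ("c1", 60, "fp4", 2000, True),   # fourth different card within 10 minutes
    ("c2", 60, "fp9", 2500, True),   # unrelated donor, unaffected
    ("c1", 900, "fp5", 2000, True),  # earlier attempts have aged out
]

def replay(attempts):
    """Run the attempts through a fresh gate and return each decision."""
    gate = DonationGate()
    return [gate.check(*a) for a in attempts]

if __name__ == "__main__":
    for attempt, decision in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(attempt, "->", decision)
```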


Work With a Great Payment Processor

The truth is, if you want to deter fraudsters from using your donation page as a testing ground, you need to partner with a reliable and PCI-compliant payment processor.

Not only will a great payment processor be able to offer your nonprofit a whole host of fraud protection tools, but they will also make sure that your donation page is in line with the payment card industry’s data security standards (PCI DSS).


Now that we've demystified credit card and ACH fraud, take a look at the measures iATS takes to keep your donors safe.