Non-Profits Contend with New E-commerce Fraud Threats

The non-profit industry faces an uptick in the threat of e-commerce credit card fraud. CDP and our Member Service Bureau (MSB) partner stations are no exception. The cause is a rise of fraudulent actors using artificial intelligence as well as a general increase of credit card data breaches. CDP is continually developing stronger safeguards against these risks. Before we discuss how, let’s better understand some specifics about the newly increased threats. Here are two we’ve seen:

(1). Non-profit donation forms, typically with low dollar minimums, have unfortunately become prime targets for fraudsters testing the validity of stolen credit cards.

(2). Donation forms can also be targets for what is known as BIN (Bank Identification Number) “brute force attacks.” In these scripted attacks, many submissions are made using the same BIN while cycling through different account numbers to try to hit upon valid credit card numbers. The consequences can be devastating as their volume and speed is typically higher than previous scams. A single BIN “brute force attack” can potentially cost a non-profits thousands of dollars in minutes.

If your organization’s donation forms are set up to charge instantly, that only makes sense. We want to capture funds efficiently in real time and provide a streamlined experience for our donors. Unfortunately, instant-charge design makes it likely, if not inevitable, that fraudulent stolen credit card testers will target your online donation form. When attacks occur, they come at a real cost to your non-profit organization’s mission. The following are the three most common costs:

You’ll incur tangible increases in credit card processor fees.

Each fraudulent card testing attempt, whether successful or not, can cost your non-profit well above 10 cents per attempt. A BIN attack where 100,000 account numbers are tested at a 10 cent per transaction rate, even if none of the attempts succeed, would cost $10,000.

You’ll have higher administrative costs.

Monitoring card testing attacks and cleaning up the bad data they generate is expensive. Prudent management of fundraising administration costs is, of course, important. You likely source paying for your team’s time, in part, with donor dollars. Increased administrative costs means less funds going to core mission activities. Each fraudulent credit card test that succeeds should be refunded as soon as possible to minimize the potential of chargeback activity, which takes more time and carries a higher per incident fee. Accounts created from credit card testing should also be purged, so your non-profit is not spending money soliciting bogus accounts generated by card testing. These cleanup activities are invariably more time-consuming than good e-commerce credit card fraud mitigation practices.

Participating in a credit card company’s excessive fraud programs can be very costly.

Credit card companies have created programs to combat excess fraud. Both Mastercard and Visa have excessive fraud programs that require participation if certain fraud thresholds are hit. Credit card testing fraud alone can require a merchant’s participation in these programs and that includes non-profits. Watch this 6-minute video that Mastercard produced for more context.

 

Here are two strategies worth engaging in to efficiently combat credit card testing on your donation forms:

1) Devise an emergency protocol for if or when your forms are attacked.

A clearly articulated protocol for handling emergency measures during an attack enables your team to act fast during a stressful time. You’ll also reduce the negative financial impact of high-volume attacks. Meet with all stakeholders responsible for implementing fraud countermeasures so your non-profit has a plan for handling an attack before one happens. Prioritize defensive actions based on an attack’s severity. A small card testing attack will have much lower costs and should not mean jeopardizing your donors’ experience during a critical fundraising period.

2) Have a fraud mitigation strategy roadmap.

Your non-profit should investigate the variety of card testing mitigation strategies and tools available. Understanding what the industry standards are and what strategies will be most cost-effective for your non-profit is well worth your time. You can implement numerous donation form measures, like CVV capture, velocity filters, CAPTCHAs and much more. Converse and collaborate with your vendors to determine which measures make the most sense to implement. There are also payment processor tools that allow you to deploy additional velocity filters and machine learning to proactively decline fraudulent transactions.

Finding the right balance between tight mitigation measures and a smooth donation experience for your financial supporters is crucial. Mitigation practices that are too austere could unintentionally block legitimate donations or create an online experience that frustrates your donors.

A non-profit co-operative model like MSB is ideally positioned to find and strike this optimal balance. By harnessing the collective strength and resources of the co-operative, CDP can deploy robust credit card testing prevention tools and strategies simultaneously across all MSB partner stations while keeping the costs of fraud prevention manageable for each one. Through monitoring attacks across stations, CDP can see which mitigation techniques are more effective and where our fraud protection protocols need to be strengthened. Once we detect an area that can be improved, we can do so agilely and implement for all stations in our co-op.

We’re leading the charge in state-of-the-art credit card fraud prevention tools, specifically tailored for MSB public media organizations. We continue to evolve strategies designed to maximize security at minimal cost, while maintaining, if not enhancing, positive donor experiences. MSB partner stations are protected from the costliest consequences of credit card testing fraud as well as other e-commerce scams.

Just like biological immune systems must evolve to meet newly occurring threats, so must non-profit credit card fraud prevention protocols. Extending the health analogy, preventative care is the best investment a non-profit organization can make. CDP makes sure our co-op’s donation forms get regular check-ups. We stand ready to consult with your public media organizations if you feel unprepared to contend with this threat or just want to learn more about it. Get in touch with us anytime to talk about this issue.

 

Further reading:

1. https://www.forbes.com/sites/forbestechcouncil/2024/05/28/card-testing-fraud-a-digital-peril/?sh=21b0eb8c3e37

2. https://www.nonprofitpro.com/article/how-nonprofits-can-protect-themselves-from-card-testing-fraud/

Freedom Holland