How nonprofits can prevent card-testing fraud
Cybercriminals view nonprofits as easy targets. Here’s what clients need to know to protect against a growing threat.
The ability for donors to go online and give to their favorite nonprofit has become a simple and convenient way to support an organization. And when the COVID-19 pandemic hit, many nonprofits moved their giving and fundraising campaigns online, allowing supporters to make donations via their debit or credit cards.
But while online contributions have helped organizations maintain financial continuity, they have also created opportunities for cybercriminals, who continue to view nonprofits as easy and vulnerable targets. As a result, card-testing fraud has become a major problem for organizations. Here’s what your clients need to know.
What is card-testing fraud?
Card-testing is a fraud strategy used to validate a stolen debit or credit card. Using a stolen credit card’s numbers, cybercriminals go onto a nonprofit’s website or fundraising platform and make small, inconspicuous donations to “test” the payment method’s authenticity. Once it’s validated, the information can be sold for a premium on the black market or used by criminals to make fraudulent purchases.
Why nonprofits?
The nonprofit sector is considered the low-hanging fruit when it comes to cybercrimes. Why? Because organizations might not have the more stringent and up-to-date cybersecurity controls that their for-profit counterparts have. And because nonprofits accept donations that don’t include an actual exchange of products or services (where no shipping address is required), gifting/donation checkout platforms are generally very basic and simple to use and typically don’t include the types of safeguards that online merchants use.
According to industry experts, the best line of defense against card-testing fraud is a multilevel approach that includes the following measures.
- Establish a minimum donation amount. The transactions processed by cybercriminals to test credit cards are generally $10 or lower. The simple act of setting a minimum amount can help to deter a cybercriminal who may be testing dozens of credit/debit card numbers.
- Add additional online technologies. Online technologies added to donation pages and websites can help to improve the security of donor transactions and interactions. For example, use a CAPTCHA feature to verify that the person submitting the donation is actually a human and not a computer running a script of credit card numbers. According to NonProfitPRO, authentication technologies can form the foundation of strong online security that will help deter cybercriminals and protect an organization from the monetary damage they can inflict through tactics such as card-testing.
- Require an address or ZIP code. Requesting that the donor include a physical address or a ZIP code when contributing online can help verify the cardholder’s identity. If the address or ZIP code does not match the issuing bank’s records for a particular card number, the transaction will not be permitted to go through.
- Educate staff and volunteers. Organizations need to educate and train staff and volunteers on cybersecurity strategies, best practices, and modern protocols. This includes internal policies for how to report suspicious online activities and potential fraudulent offenses such as card-testing that could cause substantial reputational and financial damage to the organization.
- Mitigate the risks. It’s impossible to eliminate the risk of a cyberattack or fraudulent activity, and not all nonprofits are in the position to implement some or all of the safety measures listed above. For example, organizations might not feel comfortable suggesting a minimum donation amount to potential donors, or they might not want supporters to have to enter their address or other information online. Today, it’s more critical than ever for nonprofits to secure a cybersecurity insurance policy to help mitigate the risks of the increasingly threatening online landscape organizations face.
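A server-side velocity check that complements the minimum-donation and CAPTCHA measures above, added here as an example and not taken from the article or any vendor: it flags a source that submits small donations from many different cards in a short window. The field names, the 10-minute window and the three-card limit are assumptions; only the $10 figure comes from the article.

```python
from collections import defaultdict, deque

SMALL_AMOUNT = 10.00   # the article's figure: test charges are generally $10 or lower
WINDOW_SECONDS = 600   # assumed look-back window
MAX_CARDS = 3          # assumed: distinct cards one source may use per window


def flag_card_testing(attempts):
    """Return {ip: reason} for sources whose small donations look scripted.

    Each attempt is a dict with ts (epoch seconds), ip, card_fp (a processor
    token or hash, never the card number), amount and approved.
    """
    recent = defaultdict(deque)  # ip -> small-donation attempts inside the window
    flagged = {}
    for a in sorted(attempts, key=lambda a: a["ts"]):
        if a["amount"] > SMALL_AMOUNT:
            continue  # larger gifts are not the card-testing pattern
        q = recent[a["ip"]]
        q.append(a)
        while q[0]["ts"] < a["ts"] - WINDOW_SECONDS:
            q.popleft()  # forget attempts older than the window
        cards = {x["card_fp"] for x in q}
        declines = sum(not x["approved"] for x in q)
        if len(cards) > MAX_CARDS:
            flagged[a["ip"]] = (
                f"{len(cards)} cards, {declines} declines in {WINDOW_SECONDS}s"
            )
    return flagged


# Constructed sample data (documentation IP ranges, made-up card tokens).
SAMPLE = (
    # One source, six different cards, $1 each, 20 seconds apart.
    [{"ts": 1000 + 20 * i, "ip": "203.0.113.7", "card_fp": f"tok_{i}",
      "amount": 1.00, "approved": i % 3 == 0} for i in range(6)]
    # A shared office address: four donors, one small gift per hour.
    + [{"ts": 1000 + 3600 * i, "ip": "198.51.100.20", "card_fp": f"tok_office_{i}",
        "amount": 5.00, "approved": True} for i in range(4)]
    # An ordinary $50 donation.
    + [{"ts": 1500, "ip": "192.0.2.44", "card_fp": "tok_donor",
        "amount": 50.00, "approved": True}]
)

if __name__ == "__main__":
    for ip, reason in flag_card_testing(SAMPLE).items():
        print(f"review {ip}: {reason}")
```

A flagged source is a candidate for review, a CAPTCHA challenge or a temporary block; the shared office address in the sample stays unflagged because its gifts fall outside the window.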
Conclusion
Online fraud comes in many different forms. Despite the very best safeguards and preventive measures, your nonprofit clients can unknowingly fall victim to a cybercrime. As more nonprofits modernize their websites and opt for virtual fundraising events, it’s important to educate your clients on how cybersecurity insurance can help protect their donors while mitigating the organization’s risk exposure.
Maureen Dyson is an area executive vice president at Charity First Insurance Services, Inc., a program manager offering retail insurance brokers nationwide markets and products to meet the nonprofit community’s unique needs. She can be reached at 415-536-8526 or Maureen_Dyson@charityfirst.com.
This piece was first published on Charity First’s blog and is republished here with consent.