Why credit thieves love giving to charity
When you think about fraud targets, charitable donations aren’t exactly top of mind. After all, credit thieves are supposed to be self-interested jerks, right? Who would steal a credit card just so they could give to a worthy cause?
Thing is, there are a lot of selfish, despicable reasons why a credit thief might want to do a seemingly good deed. In fact, fake donations are a huge area of online fraud, and something nonprofits and crowdfunding sites ignore at their peril.
But to understand why, first you have to understand something about the nature of credit fraud.
What you probably don’t realize about credit fraud
There’s a misconception about credit thieves — a mistaken belief that they’re small timers primarily interested in using your card to buy themselves cool stuff.
The reality is that credit fraud is big, big business. According to The Nilson Report, global losses from fraud totalled $16 billion in 2014. The vast majority of that fraud is the result of global cartels operating at scale.
A pretty significant portion of credit theft actually comes from hacking attacks against institutions, which can result in millions of card numbers getting stolen all at once. The Home Depot hack of 2014 exposed more than 52 million credit cards over a period of a few months, for example. Target is another great example: It discovered its own hack in 2013 exposed some 40 million accounts.
Credit thieves often find that selling stolen card numbers is a safer way to profit from their crimes than charging cards themselves. A robust black market exists, with credit card numbers being sold in lots of a hundred or a thousand.
Stolen card numbers quickly become useless as the victims discover the theft and have their banks issue new cards. For that reason, every sale of stolen card lots is made with an understanding that only a portion of the card numbers will still be able to make transactions.
Doesn’t work? Tough luck for the fraudsters. Illicit criminal markets aren’t known for their return policies.
The testing problem
The practical upshot of all this is that anyone who wants to charge a stolen card number probably has a ton of them, and no idea which he can actually use. He faces a tough challenge: determine which card numbers still work, without getting caught, and before the true owners catch on and shut them down.
The answer to this problem is card testing: trying a small transaction with each card number to identify which can be used further and which should be discarded. These card testing transactions are kept tiny, because small transactions are less likely to be noticed and acted upon. And they can be for just about anything, since the goal is simply to verify that a transaction will go through. Since there are often hundreds of cards to be tested, the process is usually automated — fraudster organizations write specialized programs, or bots, that can target online payment forms and funnel thousands of test transactions through them in a short amount of time.
Donations: helping the thieves to help themselves
Compared to a traditional e-commerce checkout, online donation forms have a number of attributes that make them ideal targets for card testing attacks:
- They’re static and low-friction: Your average e-commerce shopping cart is a fairly complicated affair. There’s lots of dynamic content, because it has to display things like the items you’re buying, accept discount codes, and update the price to reflect shipping. In contrast, donation forms are simple — sometimes requiring little more than a name and a card number, with none of the dynamic code that could trip up a bot. As a consequence, donation forms are relatively easy to build automated card testing programs to target.
- Virality is expected: If an ordinary e-commerce site suddenly sees a huge spike in the number of low-value transactions, all kinds of warning bells go off. But spikes in relatively low-value transactions are actually pretty normal on many donation pages, especially when donation campaigns go viral on social media or get covered by the news.
- Fraudulent donations often don’t get reported: Which are you more likely to notice and report: a $400 shopping spree on Zappos, or a $5 donation to the Red Cross? Credit theft victims often assume that card testing transactions are donations made by someone else in their family, or even a donation they made themselves and forgot about. Incredibly, even when they do realize they’ve been robbed, many victims are reluctant to initiate a chargeback because they don’t want to take the money away from a good cause.
These small transactions might not seem as bad as someone using your card number to buy themselves a jet ski. But they are just as bad. The big problem is that almost every fraudulent transaction generates a chargeback when it is discovered and cut off, and each chargeback comes with an additional fine — typically $15-$25. These losses are borne by the charity, or by the crowdfunding site or donation management software provider, depending on how the payment scheme works.
And that all adds up. For example, an Irish charity called the Jack And Jill Children’s Foundation lost about $170,000 to card testing donations in 2013. Most of the loss came from transactions under $7.
Of course, card testing isn’t the only kind of donations fraud. Crowdfunding sites in particular run an additional risk: shell selling.
Under this scheme, a fraudster sets themselves up with a false donation page, so that they can then pay themselves with stolen cards and pocket the cash.
This is a common pattern of fraud on platforms, but in some ways it’s even more of a concern on crowdfunding sites, since it’s easier to pretend to be collecting for a cause than selling goods or services.
Shell selling is a pretty involved topic in and of itself. If you’re interested, check out our blog post about shell selling and how we’re using machine learning to stop it.
Stopping donation fraud
Donation fraud is hard to stop, because fraudulent donations often don’t look very different from regular donations, and the organizations that test cards have serious resources to throw at the task.
Here are some of the things we’ve learned about fighting donation fraud:
- Donation amounts can be a clue. Normal donors usually donate whole number amounts, but fraudsters often generate the amounts dynamically to avoid automated fraud measures. This can lead to weird donation amounts like $4.23 or $11.37 that stand out against normal donation traffic.
- Velocity measures are very useful in spotting this kind of fraud — sudden spikes in donations can indicate a charity or crowdfunding campaign is being targeted by fraudsters and should be examined carefully.
- Normal people don’t make a large number of tiny donations in a short time. So seeing many small donations coming from a single source is highly suspect. Anything you can do to tie donations to specific identities will be helpful in spotting fraud — IP addresses are the bare minimum, but consider more advanced measures like device ID.
- Social media is a great fraud signal — most donations are made by people with a pre-existing relationship to a charity or crowdfunding campaign, and people love to tweet their support for charities. If you see a large increase in donations without a corresponding increase in social media attention, that’s a warning sign.
- Consider captchas — those forms that ask you to prove you’re human by typing what you see in a picture — as a tactic to fight bot activity. This isn’t going to be a foolproof solution, however. Some credit thievery rings are large and profitable enough that they actually employ real humans to test cards for them.
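The first three signals above (odd amounts, donation velocity, and many small donations from one source) are simple enough to turn into detection rules. The following is an added example, not code from the original post or from its author's product: it runs those three rules over a small set of constructed donation records. The field names, the thresholds, the ten-minute window and the sample records are all assumptions for illustration; real thresholds should be calibrated against a campaign's own baseline traffic, since a legitimate viral spike will also trip an absolute velocity limit.

```python
"""Flag card-testing patterns in donation records (added example).

Three rules, matching the signals discussed on the page:
  odd_amount      - a non-whole-dollar amount such as $4.23
  source_burst    - more than MAX_PER_SOURCE small donations from one IP inside WINDOW
  campaign_spike  - more than MAX_PER_CAMPAIGN donations to one campaign inside WINDOW
All thresholds below are assumed values chosen for the sample data, not tuned figures.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

WINDOW = timedelta(minutes=10)   # assumed sliding window length
MAX_PER_SOURCE = 3               # assumed: >3 small donations from one IP in WINDOW is suspect
MAX_PER_CAMPAIGN = 4             # assumed, deliberately low so the sample data shows a spike
SMALL_AMOUNT = Decimal("10.00")  # assumed: what counts as a "tiny" donation


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample data: four ordinary donors plus a burst from one IP.
# IPs are from documentation ranges (RFC 5737); campaign name is invented.
DONATIONS = [
    {"id": 1, "ts": _t("2024-05-01T09:00:00"), "campaign": "wells", "ip": "198.51.100.10", "amount": Decimal("25.00")},
    {"id": 2, "ts": _t("2024-05-01T09:20:00"), "campaign": "wells", "ip": "198.51.100.11", "amount": Decimal("50.00")},
    {"id": 3, "ts": _t("2024-05-01T10:05:00"), "campaign": "wells", "ip": "198.51.100.12", "amount": Decimal("100.00")},
    {"id": 4, "ts": _t("2024-05-01T10:30:00"), "campaign": "wells", "ip": "203.0.113.7", "amount": Decimal("4.23")},
    {"id": 5, "ts": _t("2024-05-01T10:30:40"), "campaign": "wells", "ip": "203.0.113.7", "amount": Decimal("11.37")},
    {"id": 6, "ts": _t("2024-05-01T10:31:15"), "campaign": "wells", "ip": "203.0.113.7", "amount": Decimal("2.71")},
    {"id": 7, "ts": _t("2024-05-01T10:31:50"), "campaign": "wells", "ip": "203.0.113.7", "amount": Decimal("3.15")},
    {"id": 8, "ts": _t("2024-05-01T10:32:30"), "campaign": "wells", "ip": "203.0.113.7", "amount": Decimal("6.88")},
    {"id": 9, "ts": _t("2024-05-01T11:45:00"), "campaign": "wells", "ip": "198.51.100.13", "amount": Decimal("20.00")},
]


def is_odd_amount(amount):
    """True for amounts that are not a whole number of dollars."""
    return amount % 1 != 0


def burst_ids(donations, key, limit, window=WINDOW, predicate=lambda d: True):
    """Return ids of donations that sit inside a window where more than `limit`
    donations share the same `key` value. Sliding window over sorted timestamps."""
    groups = defaultdict(list)
    for d in sorted(donations, key=lambda d: d["ts"]):
        if predicate(d):
            groups[d[key]].append(d)
    flagged = set()
    for items in groups.values():
        start = 0
        for end in range(len(items)):
            while items[end]["ts"] - items[start]["ts"] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.update(x["id"] for x in items[start:end + 1])
    return flagged


def score_donations(donations):
    """Map donation id -> list of rule names that fired. Ids with no hits are omitted."""
    reasons = defaultdict(list)
    for d in donations:
        if is_odd_amount(d["amount"]):
            reasons[d["id"]].append("odd_amount")
    small = lambda d: d["amount"] <= SMALL_AMOUNT
    for i in burst_ids(donations, "ip", MAX_PER_SOURCE, predicate=small):
        reasons[i].append("source_burst")
    for i in burst_ids(donations, "campaign", MAX_PER_CAMPAIGN):
        reasons[i].append("campaign_spike")
    return dict(reasons)


if __name__ == "__main__":
    for did, why in sorted(score_donations(DONATIONS).items()):
        print(did, ", ".join(why))
```

On the sample data, donations 4 through 8 are flagged and donations 1, 2, 3 and 9 are not. Donation 5 ($11.37) is caught by the odd-amount and campaign-spike rules but not by the per-source rule, because it is above the assumed "tiny" threshold; that is the reason to run several independent signals rather than a single one, since the testers vary amounts precisely to slip past any one rule. Keying `burst_ids` on a device ID instead of `"ip"` is a one-word change, which is why the page's advice to capture stronger identifiers than the IP address pays off directly in a rule like this.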
Donation fraud is a very real problem, and it’s important for anyone raising money online to be aware of it. If you’re a charity and you’re setting up online donations, you should ask your payments provider how they deal with it. Depending on your setup, you might need to implement additional fraud-fighting technology.
Of course, many donation management software platforms can handle this for you as well, so choosing a solution like our partner Classy might be preferable to going it alone.
If you’re a platform that handles donations, here’s a shameless plug: you should definitely check us out. We provide all the tools to fight donation fraud with no additional cost or overhead, and we’re specialists in dealing with this kind of risk. Drop us a line at firstname.lastname@example.org to hear more about how we can help.