What is transaction fraud and how is my organization at risk?
First, let's just acknowledge that it's scary and confusing stuff! Transaction fraud is a growing issue for online payment services and companies who collect payments—or donations—online. In a nutshell, online transaction fraud is when a fraudster (what an amazing word) attempts to steal the identity of another person and conduct a transaction in their name—mostly in the form of stolen credit cards.
One of the main reasons fraud is so prevalent online is because verifying the identity of a person virtually is challenging! Traditionally, successful identity verification is a high-friction, time-consuming process that can dramatically reduce conversion rates. Here's the rub: if you make your payment flow challenging enough to block fraudsters, you’re going to make it challenging for non-fraudsters as well. Balancing these two is an art form.
In the case of nonprofit organizations, it’s not usually the case that a stolen credit card is used to make a big donation. Fraudsters use nonprofits as a testing ground; most commonly, a list of stolen credit card numbers is run at high rates against a donation form at low-dollar donation amounts. This allows fraudsters to test each stolen card.
For example, a fraudster might have a large list of stolen credit card numbers—but some of these cards may have already been reported stolen and rendered inactive. To see which cards are still active, each number is run against a payment form at small payment amounts. If the donation is successful, the fraudster knows this card can be used for future fraudulent transactions. In many cases, fraudsters have sophisticated operations and use bots to conduct their testing.
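The pattern just described (a burst of low-dollar attempts across many different cards from one source) is something you can look for in your own transaction history. The following detection script is an added example, not Funraise code; the sample attempts, the IP addresses and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of donation-form attempts (not real Funraise data).
# Each row: ISO timestamp, source IP, card fingerprint, amount in USD, gateway result.
SAMPLE_ATTEMPTS = [
    ("2020-04-01T10:00:01", "203.0.113.7", "card-a", 1.00, "declined"),
    ("2020-04-01T10:00:04", "203.0.113.7", "card-b", 1.00, "declined"),
    ("2020-04-01T10:00:07", "203.0.113.7", "card-c", 2.00, "approved"),
    ("2020-04-01T10:00:10", "203.0.113.7", "card-d", 1.00, "declined"),
    ("2020-04-01T10:00:13", "203.0.113.7", "card-e", 1.00, "approved"),
    ("2020-04-01T10:00:16", "203.0.113.7", "card-f", 2.00, "declined"),
    ("2020-04-01T10:02:00", "198.51.100.20", "card-g", 50.00, "approved"),
    ("2020-04-01T10:03:00", "192.0.2.5", "card-h", 3.00, "approved"),
    ("2020-04-01T10:09:00", "192.0.2.5", "card-i", 3.00, "approved"),
]

def detect_card_testing(attempts, window=timedelta(minutes=10), min_attempts=5,
                        small_amount=5.00, min_distinct_cards=4):
    """Flag IPs whose attempts in any sliding window look like card testing:
    many low-dollar attempts spread across many distinct cards.
    Thresholds are hypothetical; tune them to your own donation history."""
    by_ip = defaultdict(list)
    for ts, ip, card, amount, result in attempts:
        by_ip[ip].append((datetime.fromisoformat(ts), card, amount, result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            small = [r for r in in_window if r[2] <= small_amount]
            cards = {r[1] for r in small}
            if len(small) >= min_attempts and len(cards) >= min_distinct_cards:
                declined = sum(1 for r in small if r[3] == "declined")
                flagged[ip] = {
                    "attempts": len(small),
                    "distinct_cards": len(cards),
                    "decline_rate": round(declined / len(small), 2),
                }
                break  # one hit per IP is enough to report it
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_card_testing(SAMPLE_ATTEMPTS).items():
        print(ip, stats)
```

A single generous donor and a donor who gives twice in ten minutes stay below the thresholds; only the source that cycles through six cards at a dollar or two each is reported.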
Here's the good news: this type of online transaction fraud isn't threatening the security of the data you already have. Transaction fraudsters aren't attempting to break into your database and steal your information—they just want to use your public-facing payment tool so they can commit more crimes. The data hosted in your Funraise database isn't at risk in this context.
But it'll definitely hurt your organization in other ways. Like... Online transaction fraud can expose your organization to chargebacks and fees. Besides financial losses, the amount of time it takes to deal with a large-scale fraud attack is significant. And it makes you feel pretty awful.
While fraud is, and forever will be, an aspect of online payments, Funraise offers several strategies to mitigate the risk of online transaction fraud. (Yesssssss!)
Here are ways that Funraise reduces your exposure to fraudulent activity... and all fundraising technologies should, as well.
Hear us well: there is no silver bullet tool to eliminate transaction fraud online. Just like any security protocol, it requires a collection of risk mitigation actions that target specific parts of fraud efforts. Here are several methods Funraise uses to prevent fraud.
Rate limiting and IP banning
To limit fraud bots, Funraise bans IP addresses that exceed our set rate limits. Rate limiting can knock out IPs that are part of botnets. Basically, if one IP address is making too many donations, Funraise will lock that IP out.
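To make the "too many donations from one IP" idea concrete, here is an added example of a per-IP sliding-window rate limiter with a temporary lockout. It is illustration code, not Funraise's implementation, and the limits (5 attempts per minute, one-hour ban) are made-up numbers rather than Funraise's real thresholds.

```python
from collections import deque
from datetime import datetime, timedelta

class DonationRateLimiter:
    """Per-IP sliding-window rate limiter with temporary lockout.

    Hypothetical policy: more than `max_attempts` donation attempts from one
    IP inside `window` locks that IP out for `ban_duration`.
    """
    def __init__(self, max_attempts=5, window=timedelta(minutes=1),
                 ban_duration=timedelta(hours=1)):
        self.max_attempts = max_attempts
        self.window = window
        self.ban_duration = ban_duration
        self._attempts = {}      # ip -> deque of attempt timestamps in the window
        self._banned_until = {}  # ip -> datetime when the lockout expires

    def check(self, ip, now):
        """Record one attempt from `ip` at time `now`; return (allowed, reason)."""
        ban_end = self._banned_until.get(ip)
        if ban_end is not None:
            if now < ban_end:
                return False, "banned"
            del self._banned_until[ip]  # lockout expired, start fresh
        q = self._attempts.setdefault(ip, deque())
        while q and now - q[0] > self.window:
            q.popleft()  # drop attempts that fell out of the window
        q.append(now)
        if len(q) > self.max_attempts:
            self._banned_until[ip] = now + self.ban_duration
            q.clear()
            return False, "rate_limit_exceeded"
        return True, "ok"

def simulate(limiter, ip, start, count, spacing):
    """Fire `count` attempts `spacing` apart and return the reason for each decision."""
    return [limiter.check(ip, start + i * spacing)[1] for i in range(count)]

if __name__ == "__main__":
    limiter = DonationRateLimiter()
    t0 = datetime(2020, 4, 1, 12, 0, 0)
    # A bot hammering the form every 2 seconds gets cut off on the 6th attempt.
    print(simulate(limiter, "203.0.113.7", t0, 8, timedelta(seconds=2)))
    # A real donor retrying every 20 seconds never trips the limit.
    print(simulate(limiter, "192.0.2.5", t0, 10, timedelta(seconds=20)))
```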
Fraud prevention begins at home. Preventing fraud requires active monitoring from humans plus automated tools. Our systems team monitors the logs and transaction success rates across all of our customers to proactively mitigate fraud.
Machine Learning Fraud Prevention
If it walks like a duck, swims like a duck, and quacks like a duck... Funraise utilizes machine learning technology to automatically fail transactions that appear to be fraudulent. After (machine) learning the behavior patterns of your online donors, we can identify behaviors that fall outside the norm. The benefit of this method is that your donation experience is easy and seamless, while top-tier fraud detection is running behind the scenes.
This method can't stop fraud attempts altogether, but it can reduce your exposure to risk by automatically failing risky transactions.
In April 2020, we started slowly rolling out Funraise Fraud Prevention to organizations who experience higher rates of fraud, eventually activating it across all customers. The goal is that it's so good, you never know it's there.
While some gateways offer machine learning prevention, not all do—and not all customers enable it. The major goal of Funraise's fraud prevention tool is to provide blanket fraud protection to our customers across a broad range of gateways.
Funraise Giving Forms have a built-in integration with Google reCaptcha, a tool that makes it hard for fraudsters to commit fraud using bots. With Form V2, you just toggle it on. A reCaptcha asks a human to complete a task that is particularly difficult for a basic bot to accomplish, think: identifying objects in pictures.
reCaptcha can usually stop bots, but it doesn't stop human fraudsters, which means it offers some protection, but should be used with other fraud mitigation tools. Not so hard to do when Funraise has your back.
Gateway-Level Fraud Prevention
Funraise is gateway agnostic, meaning you can choose the gateway you want to connect with Funraise—or even connect multiple gateways for complex strategies. This allows you to choose a gateway with the best fraud prevention tools for your needs.
Funraise's donation form is configurable so you can collect the information required for the gateway-level verification methods you need. These include Address Verification Service (AVS) and Card Verification Value (CVV).
For example, we generally recommend Stripe as your main credit card gateway. Within Stripe you can activate Stripe Radar, a fraud prevention tool managed by Stripe. It offers another layer of behind-the-scenes protection that won't interfere with your organization's donation experience. Now you got layers on layers on layers to repel fraudsters.
Additionally, Funraise passes over the IP address of each online transaction along with the other transaction data that drops into your database. In the case of Stripe, you can use this to manually block a specific IP address that's attempting repeated fraudulent activity. Blocking an IP address is a short-term method to quickly stop a high-volume fraud attempt, but without other mitigation strategies, it might be a cat-and-mouse game; the fraudster will change their IP address.