From time to time an automated program (a bot) may attack your payment form. This happens when an e-commerce form is available for public use, such as on your web site. The public website leaves the payment form readily accessible to fraudsters looking to test credit card information. This does not mean that hackers are attempting to break into our secure server. Rather, they are testing credit card information they have previously stolen or bought on the black market.
Because fraudulent activity is a possibility, you should periodically monitor your transactions for suspicious activity. When you see such activity, you should:
- First and foremost, process a credit (refund) for any approved fraudulent transactions.
- Ensure that reCaptcha is enabled on your donation form.
- Notify us at firstname.lastname@example.org of the activity so we may block the bot's IP addresses or take other appropriate steps to prevent continued attack.
- Finally, you may receive a request from a "donor" to refund a portion of a transaction to a different card or to issue a partial refund by check. Don't fall for it -- it's a scam!! We do not have the ability to refund to a different card, but more importantly, this is a key indicator that the card from the original transaction was stolen.
How to recognize a fraudulent transaction
Here's a few tips:
Multiple, small, declined transactions in a row then suddenly one that is approved (not from a known donor). Many times you will see the same name repeated on these transactions.
- Multiple transactions under the same name, but different card numbers. Look for the last 4 digits of the card in the detail page.
- Obvious problems in the address info: street address, inconsistent city/state/country combinations (see the example below).
- Giberish in one or both name fields.
- Bogus company name or email address. (These could simply be typographical errors, but if combined with other indicators it should be apparent.)
When nonprofits are targeted for eCheck fraud, someone makes a donation - usually a large one - using the eCheck payment method on your donation form. Unlike a credit card transaction, which can be verified by the card issuer within seconds, an eCheck may take a week to be verified through the banking system. Before the eCheck clears the bank, the person contacts you to say they've changed their mind about the donation or to give you a really sad story about someone else making an unauthorized donation. The person then asks either for a full or a partial refund. They are counting on your sympathy and compassion and hoping you will cut a paper check for the refund and mail it to them.
If you fall for the fake donor's story, it will probably only be to find out that the eCheck bounces. In this case, you have collected no money from the original donation and you have sent money to the fraudster.
How to avoid an eCheck scam
Never write a paper check for a refund for any donation made from your GiveDirect donation form. If someone makes a donation on your donation form and asks for a refund, only issue a refund back using the refund option in your GiveDirect control panel.
Before taking any action, wait until the eCheck has completely cleared the issuing bank before processing a refund or spending the proceeds. Seven business days is the typical time frame. But, if you feel you are dealing with someone who is trying to pull a scam, it would not be out of line to wait up to 10 business days.
Depending on the timing of the donation (say one that is made the last few days of the month) you may receive funds from the eCheck transaction in your 10th-of-the-month deposit, along with the rest of your donations. But until at least seven days have passed, there is no assurance that an eCheck might not bounce and your account debited for the transaction.