Fraud Prevention Steps

What to do to combat card testing/fraudulent donations: June 2024

At times our fraud software may not catch card testing or fraudulent donations, and additional interventions are needed to stop the unauthorized transactions. To support non-profits in such cases, here is how we can help stop fraud in its tracks.

How Do We Detect Fraud in iDonate?

Our infrastructure alerts engineering when a high number of payment attempts fail within a short period. From that signal we can usually determine quickly that card testing is underway, and engineering will notify the Customer Success team via #support_tech in Slack.
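The failed-attempt signal described above, as an added example rather than iDonate's actual alerting code: a sliding-window velocity check over constructed transaction log lines that flags a giving form when declines pile up within a few minutes, and summarizes the declined amounts and source IPs, which are exactly the inputs the later steps (raising the minimum gift amount, blocking an IP in Sift) need. The log format, field names, form IDs, IP addresses, sample data and thresholds are all assumptions made for this example.

```python
"""Sliding-window card-testing detector (added example; not iDonate's alerting code).

The log format, field names, thresholds and sample data are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real iDonate data): two legitimate gifts, then a
# burst of small declined attempts from two IPs against one form, then an
# unrelated approved gift on another form.
SAMPLE_LOG = """\
2024-06-03T13:55:10Z form=gf-101 status=approved amount=50.00 ip=198.51.100.20
2024-06-03T13:58:42Z form=gf-101 status=approved amount=25.00 ip=198.51.100.21
2024-06-03T14:00:01Z form=gf-101 status=declined amount=5.00 ip=203.0.113.7
2024-06-03T14:00:03Z form=gf-101 status=declined amount=5.00 ip=203.0.113.7
2024-06-03T14:00:04Z form=gf-101 status=declined amount=5.00 ip=203.0.113.7
2024-06-03T14:00:06Z form=gf-101 status=declined amount=10.00 ip=203.0.113.7
2024-06-03T14:00:07Z form=gf-101 status=declined amount=5.00 ip=203.0.113.9
2024-06-03T14:00:09Z form=gf-101 status=approved amount=5.00 ip=203.0.113.7
2024-06-03T14:00:10Z form=gf-101 status=declined amount=5.00 ip=203.0.113.9
2024-06-03T14:00:12Z form=gf-101 status=declined amount=5.00 ip=203.0.113.7
2024-06-03T14:00:13Z form=gf-101 status=declined amount=5.00 ip=203.0.113.7
2024-06-03T14:00:15Z form=gf-101 status=declined amount=5.00 ip=203.0.113.9
2024-06-03T14:00:16Z form=gf-101 status=declined amount=5.00 ip=203.0.113.7
2024-06-03T14:03:00Z form=gf-202 status=approved amount=100.00 ip=198.51.100.30
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "form": fields["form"],
        "status": fields["status"],
        "amount": float(fields["amount"]),
        "ip": fields["ip"],
    }


def detect_card_testing(lines, window=timedelta(minutes=5),
                        max_failures=8, min_fail_ratio=0.7):
    """Return {form_id: alert} for forms whose declines inside `window` reach
    `max_failures` and make up at least `min_fail_ratio` of all attempts.

    The ratio check keeps a busy but healthy form (many attempts, few declines)
    from alerting. The thresholds are assumptions chosen for the sample data.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # form -> events still inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["form"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop events older than the window
            q.popleft()
        declined = [e for e in q if e["status"] == "declined"]
        if (ev["form"] not in alerts and len(declined) >= max_failures
                and len(declined) / len(q) >= min_fail_ratio):
            alerts[ev["form"]] = {
                "first_seen": q[0]["ts"],
                "alerted_at": ev["ts"],
                "failures": len(declined),
                "attempts": len(q),
                # largest declined amount: guides where to set the new minimum gift
                "max_declined_amount": max(e["amount"] for e in declined),
                # source IPs behind the declines: candidates for a Sift IP block
                "top_ips": Counter(e["ip"] for e in declined).most_common(3),
            }
    return alerts


if __name__ == "__main__":
    for form, a in detect_card_testing(SAMPLE_LOG.splitlines()).items():
        print(f"{form}: {a['failures']}/{a['attempts']} attempts declined since "
              f"{a['first_seen']:%H:%M:%S}; max declined ${a['max_declined_amount']:.2f}; "
              f"top IPs {a['top_ips']}")
```

On the sample data the form gf-101 alerts on the eighth decline inside the five-minute window (8 of 10 attempts declined), gf-202 stays quiet, and the summary points at 203.0.113.7 as the main source. The window and thresholds should be tuned against a real export of the organization's normal decline rate before relying on them.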

Next Steps: Customer Success

If the organization already has an open Support ticket, the Support team coordinates the following first lines of defense against fraudulent donations and card testing with the organization. Otherwise these steps can be taken at the CSM's or the organization's discretion:

Notify CardConnect

The Risk Mitigation Team at CardConnect usually sees these velocity spikes and proactively disables the merchant account. If this has not happened, send a HIGH priority email to Pat and Gina (patrick.bernicker@Fiserv.com; gina.turner@fiserv.com) with the organization's MID and ask them to disable the account.

Pat (phone): 412-317-6297 or 484-584-4749

Gina (phone): 872-365-6465

NOTE: Send the list of fraudulent transactions that were approved to these contacts before EOD and ask for them to be voided before they are batched and processed by CardConnect. Voiding before the batch settles avoids chargebacks and the need for refunds. Once confirmation of the voids is received, cancel the donations on the customer's behalf in iDonate.

Adjust the Minimum Gift Amount

Card testing often happens at the $5-$20 level, and can sometimes be stopped altogether simply by raising the minimum donation amount the org's giving form will accept.

Note: we advise checking with the organization before making these changes, or empowering them to make the changes themselves on their giving forms.

  1. Open https://gms2.idonate.com and navigate to the organization 
  2. Go to Campaigns and click the campaign associated with the offending giving form
  3. Find the giving form channel card and click Edit
  4. Click Donation Options from the Element Library
  5. Scroll down to Custom Amount and set the Minimum Custom Amount to $10 or more (higher if the testing is happening at larger amounts)
  6. Publish Form to save changes

Enable CVV and AVS in CardConnect (if applicable)

Organizations on CardConnect can add an extra layer of protection by requiring a CVV match and an AVS (billing address) match from CardConnect before a transaction is allowed. When these settings are enabled, transactions with a CVV or AVS mismatch are automatically declined. This helps stop card testing when the bot or tester does not have the card's valid billing address or CVV.

Note: we advise checking with the organization before making these changes, or empowering them to make the changes themselves in CardPointe. Stricter matching can also decline some legitimate donors (for example, cards issued outside the US, where AVS is often not supported), so the organization should understand the trade-off.

  1. Login to https://www.cardpointe.com/ and open the organization's account
  2. Navigate to Administration > Security 
  3. Locate CVV / AVS Validation and set both to Active
  4. Click Save
  5. Notify the organization that CVV and AVS validation are now enabled

Disable the Problematic Embed

Sometimes an organization will swap out the form on their website, but the old embed is still live and keeps getting hit with card testing. To disable that embed:

  1. Login to https://donations.idonate.com/dashboard
  2. Click Organizations > All Organizations > Search for the org in question
  3. Once you are on the organization page in GMSNext, click Embeds
  4. Locate and select the form by embed ID 
  5. Look for the Enabled? toggle and switch it OFF
  6. Scroll to the bottom of the screen and click Save and Publish

Sift Interventions - Support Team

1. Adjust the Fraud Risk Tolerance Score in GMSNext

The Fraud Risk Tolerance Score in GMSNext is connected to our Sift account and sets how high a transaction's Sift fraud score may be before the system declines it (0 is a legitimate-looking donation, 100 is highly suspicious and likely to be blocked).

Depending on where the org's tolerance is currently set, lower it to 75, 50, or even 35 and monitor closely to see whether the rate of fraudulent donations drops. Donations that receive a score at or above the tolerance are declined, so a lower tolerance blocks more transactions, potentially including some legitimate ones.

  1. Login to https://donations.idonate.com/dashboard
  2. Go to Organizations > All Organizations
  3. Type to search for the organization in question and click their name to open the organization page
  4. Click on the Fraud Management tab
  5. Locate the Fraud Risk Tolerance text box, and type in the desired score
  6. Click Submit
  7. Begin monitoring transactions

2. Mark fraudulent users in Sift as LOOKS BAD

Sift is one of the fraud prevention platforms we use. In Sift, you can locate users by email address and block them from making donations through iDonate. This step is useful when the fraudulent donations are coming from the same user. Check out these steps to mark bad users in Sift.

3. Add the bad IP address to our Sift block-order workflow

Sometimes fraudulent donations come from the same IP address, which can be blocklisted in Sift to block donations from that specific IP.

Wrapping Up - Once the testing attack is over

Notify CardConnect

Send a HIGH priority email to Pat and Stephen (patrick.bernicker@Fiserv.com; Stephen.Neville@fiserv.com) with the organization's MID and ask them to re-enable the account. Include the steps taken to mitigate the attack on the iDonate and organization side:

  • reCAPTCHA is already present on the form.

  • CVV/AVS protection is already enabled for this organization on their CardPointe portal.

  • Dropped their fraud risk tolerance from xx to xx on GMSNext.

  • Increased the minimum donation amount on the form.

  • Scanned for malware/spyware.

  • If applicable, blocked IP addresses related to the incident.

Create a Refund Ticket Request for the organization in CardPointe