Examples are emerging every day that demonstrate how the COVID-19 situation is bringing out the best in people. Take, for instance, students in Nebraska making get well cards for those in quarantine, Disneyland employees donating excess food to Second Harvest Food Bank, and even a Charlotte man volunteering to run errands for the elderly.
With all that good, also comes some not-so-good. Many fraudsters are taking advantage of the uncertainty to target nonprofits and their constituents. Follow these tips to help protect your organization and supporters:
1. Beware of the unsolicited email
Did you receive an email asking you to click a link or attachment in order to update your merchant services, credit card, or bank account information? What about one claiming to be from the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC) with important coronavirus updates? Phishing attacks like this are used by fraudsters to install malware and gain access to your personal data (and that of your constituents).
To mitigate your risk
- Avoid clicking links and attachments from unknown senders.
- Carefully review the sender’s email address.
- Hover over (don’t click!) hyperlinks to determine if web addresses are being spoofed.
- Review the email for poor grammar and spelling.
- And, most importantly, contact the organization you think sent the email by phone or through their website to verify authenticity.
You can also visit the Cybersecurity and Infrastructure Security (CISA) Agency website for additional suggestions. And if you have employees that are now working remotely for the first time, take advantage of the free resources provided by SANS Security Awareness.
2. Strengthen and securely store your passwords
If you’re using the same password for all your accounts—both work and home—it’s time to make a change. Your passwords should be unique, long, and contain a mixture of numbers, symbols, and upper- and lowercase letters. The more unique, the harder they are to crack. You should also use multi-factor authentication (MFA) for password resets, especially those related to any type of financial account or personal email. In addition, store your passwords in a password manager and don’t rely on your browser to keep them safe. Click here for more ideas.
3. Monitor your merchant services account
Malicious actors often target your supporters by posing as your nonprofit during natural disasters and global health events like COVID-19. Using phishing emails, they can pretend to be affiliated with your charity and solicit donations from well-meaning constituents. They can also use your donation forms for credit card testing, allowing them to validate stolen payment information. Nonprofits are at an increased risk for this since donation forms don’t require logins, passwords, or shipping information; the contribution amount is editable; and the constituent is less likely to dispute a nominal charge from a nonprofit or other social good organization. So be on the lookout for multiple transactions submitted:
- In quick succession
- For a minimal amount
- With the same constituent name on different cards
4. Put your fraud management tools to work
To stop the fraudsters, you can start by using the tools offered by your payment processor, such as:
- Card Security Code (CSC) check: Set up your donation forms to require the three- or four-digit number that appears only on the constituent’s credit card and nowhere else.
- Address Verification Service (AVS): Require AVS to ensure the billing address of the cardholder matches the address on file with the credit card company.
- Three-Domain Secure (3DS) Authorization: Take advantage of the additional card brand authentication options, which require cardholders to register their cards through the issuer’s website and specify credentials when completing online transactions.
While these basic settings help, even more sophisticated layers of fraud protection should be used to keep you safe by screening for:
- Anonymous proxies: Anonymous proxies, or proxy servers, act as Internet relay stations and are used to hide the true location of a malicious actor.
- High-risk countries: Certain countries have a high risk of scams and credit card fraud.
- Bank Identification Number (BIN)/Issuer Identification Number (IIN) Country Match: If the BIN/IIN—the first six digits of the credit card number—don’t match the country of the cardholder’s billing address, they should be rejected.
- Account Velocity: The same credit card data—card number, card type, and expiration date—used in a short window of time is indicative of card testing.
By staying vigilant, you can protect your organization and constituents from a different kind of threat: fraud.
To help the social good community prepare for and respond to any impacts of the COVID-19 outbreak, Blackbaud has compiled a list of resources from across the sector that may be useful. Visit www.blackbaud.com/covid-19 for more information.