Didn't make that donation to charity? Watch out for fraud
Real charities and consumers fall victim to latest card fraud scheme
If you saw a $2 donation to a well-known charity on your
credit card, but didn't remember making the gift, what would you do? Contest the
charge as fraud to your credit card company? Or assume that perhaps your spouse was being
generous and let it go?
Fraudsters are banking on the latter. Small
transactions, or "microcharges," such as these are actually tests that indicate
bigger fraud is still to come, says John Breyault, vice president of the National
Consumers League and head of its fraud-fighting efforts, including Fraud.org. In many cases, the charity on your bill
is real and it temporarily received a small donation from you, but that's
only the tip of the iceberg.
In actuality, thieves have stolen your credit card number
and are checking to see if it's valid. If you allow the $2 charge through or
fail to notice it on your statement, fraudsters know they've hit the jackpot. Before
you know it, says Breyault, you'll likely see expensive surprises such as electronics or jewelry charged to your card. The thieves will arrange for
delivery of these items to an address of their choice and quickly sell the fraudulently obtained goods on the black market.
As with any suspicious charge, you should contest it right
away with your credit card issuer. Once you fill out a statement that you
didn't make the donation, your card issuer will refund your money and you'll be
off the hook, says Breyault. In some cases, the bank may also issue you a new
credit card. This is an important safeguard, but can be a bit of a hassle. If
you were using the compromised card to pay automatic monthly fees such as your gym
membership or your cable bill, you'll have to contact the companies
and give them your new card number.
Why do fraudsters involve charities in their credit card schemes?
For one thing, "Scammers see fewer charge-backs -- people
disputing the charges to their credit card company -- when a nonprofit is the
recipient," explains Breyault. "Most cardholders assume somebody in
their household or business must have made the donation."
Secondly, online donations are quick, they can be automated to
test hundreds of stolen credit card numbers in minutes, and they don't require
a physical credit card -- just a stolen card number.
But perhaps the bigger reason: "Charities are often easy
prey, unfortunately," says Avivah Litan, a security and fraud analyst for
Gartner, an international technology research and advisory company. "Nonprofits
don't expect people to make online donations with stolen credit cards, so they often
don't have sophisticated fraud prevention programs." If they did, the charity's
online payment processing systems would likely flag certain transactions as
suspicious and decline them, Litan says.
Old scam, fresh twist
Fraudulent credit card payments made to real charities are simply
a fresh variation on a longstanding small-charge credit-card scam. In more
traditional cases, the tiny "test" charges that show up on your card are
usually payable to an unfamiliar business name, and that money can actually end
up in the bank accounts of fraudsters. "The thieves charge a dollar or two to
thousands of stolen credit card numbers at a time, and that ends up being a lot
of money they've taken at the end of the day," says Breyault.
When charities are involved, the scam is slightly different.
Legitimate nonprofits actually receive the donations -- temporarily.
Eventually, though, they must return the money. "That's incredibly
disappointing. A charity may think they just got an unsolicited
$1,000 donation, and a week later, they have to give it back because it's fake," says Litan.
A charity may think they just got an unsolicited $1,000 donation, and a week later, they have to give it back because it's fake.
For instance, in May 2013, the Irish Jack & Jill
announced it had returned more than 130,000 euros in fraudulent credit card
donations. The foundation received the contributions over a six-week period, in
amounts ranging from 2 cents to 3,000 euros-- all fraudulently charged to
private credit cards.
This type of large-scale fraud can temporarily scar a
charity's reputation, since consumers may worry that the nonprofit's donation-accepting
website is not secure. Credit card fraud can also cost charities time and money.
When a consumer disputes a fraudulent charge to the charity (or the charity's
credit card processor detects the fraud), the ill-gotten donations must be
process can be time-consuming for the organization's staffers. In addition, credit
card processors and banks typically charge $15 to $25 for "charge-backs," or
customer refunds, according to Breyault.
Greg Hammermaster is president of Sage Payment Solutions, a
McLean, Va., credit card processing company that works with many large
nonprofits. Hammermaster says most payment-processing
firms waive charge-back fees if a charity is the victim of fraud.
In addition, Hammermaster says payment processors can do a
lot to help their nonprofit customers prevent future fraud. For instance, credit-card
processors with solid experience in e-commerce should be able to automatically
detect suspicious online transactions, such as multiple donations coming from a
single computer Internet
Protocol address, or donations coming in unusually quickly. "If a
charity typically gets 100 donations a day, then suddenly receives 100
donations in a minute, that's not
normal," says Hammermaster. "That activity should immediately kick out an alert
to have a fraud expert look at the transactions and figure out what's going on."
Charities that accept online donations can
also set donation minimums in their fraud software. For instance, if a charity rarely receives donations
under $5, the card-processing company can set its system to automatically flag
any incoming donations less than that amount.
Like any online merchant, Hammermaster says every charity
should verify transactions by requiring donors to enter the three or four-digit
card verification code on the back of most credit cards, as well as their mailing
addresses. These codes can help make
sure the credit card being used matches the given address and, in the case of
the three-digit code, is physically in the cardholder's possession. Scammers rarely
get cardholders' addresses or verification codes, says Hammermaster.
-- and others
You can help prevent charities -- and yourself -- from being
victimized, too. In addition to contesting any unusual charges on your credit
card statement, Breyault suggests doing everything you can to keep your credit
card number away from fraudsters.
See related: Disasters bring out charity scams
secure websites to make online purchases. You should see an address
beginning with "https" or a seal indicating that the site employs secure socket
Be cautious about storing your credit card
number online for future purchases. Breyault won't go so far as suggesting
that you never allow your card number
to be stored by an online store, but says you should decide on a case-by-case
basis which merchants you trust with this information.
making online purchases over free Wi-Fi networks. Because these networks aren't
usually password-protected, they're less secure. Your credit card number could
be easily intercepted by a cyberthief.
own computer software current and malware-free. Up-to-date operating and
security systems are a good way to keep your computer free from hackers who
might steal your financial information.
, Infographic: Credit card numbers still top thieves' wish lists
, 4 ways to safeguard personal information online
Published: July 16, 2013