If you saw a $2 donation to a well-known charity on your credit card, but didn't remember making the gift, what would you do? Contest the charge as fraud to your credit card company? Or assume that perhaps your spouse was being generous and let it go?
Fraudsters are banking on the latter. Small transactions, or "microcharges," such as these are actually tests that indicate bigger fraud is still to come, says John Breyault, vice president of the National Consumers League and head of its fraud-fighting efforts, including Fraud.org. In many cases, the charity on your bill is real and it temporarily received a small donation from you, but that's only the tip of the iceberg.
In actuality, thieves have stolen your credit card number and are checking to see if it's valid. If you allow the $2 charge through or fail to notice it on your statement, fraudsters know they've hit the jackpot. Before you know it, says Breyault, you'll likely see expensive surprises such as electronics or jewelry charged to your card. The thieves will arrange for delivery of these items to an address of their choice and quickly sell the fraudulently obtained goods on the black market.
As with any suspicious charge, you should contest it right away with your credit card issuer. Once you fill out a statement that you didn't make the donation, your card issuer will refund your money and you'll be off the hook, says Breyault. In some cases, the bank may also issue you a new credit card. This is an important safeguard, but can be a bit of a hassle. If you were using the compromised card to pay automatic monthly fees such as your gym membership or your cable bill, you'll have to contact the companies and give them your new card number.
Why do fraudsters involve charities in their credit card schemes?
For one thing, "Scammers see fewer charge-backs -- people disputing the charges to their credit card company -- when a nonprofit is the recipient," explains Breyault. "Most cardholders assume somebody in their household or business must have made the donation."
Secondly, online donations are quick, they can be automated to test hundreds of stolen credit card numbers in minutes, and they don't require a physical credit card -- just a stolen card number.
But perhaps the bigger reason: "Charities are often easy prey, unfortunately," says Avivah Litan, a security and fraud analyst for Gartner, an international technology research and advisory company. "Nonprofits don't expect people to make online donations with stolen credit cards, so they often don't have sophisticated fraud prevention programs." If they did, the charity's online payment processing systems would likely flag certain transactions as suspicious and decline them, Litan says.
Old scam, fresh twist
Fraudulent credit card payments made to real charities are simply a fresh variation on a longstanding small-charge credit-card scam. In more traditional cases, the tiny "test" charges that show up on your card are usually payable to an unfamiliar business name, and that money can actually end up in the bank accounts of fraudsters. "The thieves charge a dollar or two to thousands of stolen credit card numbers at a time, and that ends up being a lot of money they've taken at the end of the day," says Breyault.
When charities are involved, the scam is slightly different. Legitimate nonprofits actually receive the donations -- temporarily. Eventually, though, they must return the money. "That's incredibly disappointing. A charity may think they just got an unsolicited $1,000 donation, and a week later, they have to give it back because it's fake," says Litan.
For instance, in May 2013, the Irish Jack & Jill Children's Foundation announced it had returned more than 130,000 euros in fraudulent credit card donations. The foundation received the contributions over a six-week period, in amounts ranging from 2 cents to 3,000 euros-- all fraudulently charged to private credit cards.
This type of large-scale fraud can temporarily scar a charity's reputation, since consumers may worry that the nonprofit's donation-accepting website is not secure. Credit card fraud can also cost charities time and money. When a consumer disputes a fraudulent charge to the charity (or the charity's credit card processor detects the fraud), the ill-gotten donations must be refunded. That process can be time-consuming for the organization's staffers. In addition, credit card processors and banks typically charge $15 to $25 for "charge-backs," or customer refunds, according to Breyault.
Greg Hammermaster is president of Sage Payment Solutions, a McLean, Va., credit card processing company that works with many large nonprofits. Hammermaster says most payment-processing firms waive charge-back fees if a charity is the victim of fraud.
In addition, Hammermaster says payment processors can do a lot to help their nonprofit customers prevent future fraud. For instance, credit-card processors with solid experience in e-commerce should be able to automatically detect suspicious online transactions, such as multiple donations coming from a single computer Internet Protocol address, or donations coming in unusually quickly. "If a charity typically gets 100 donations a day, then suddenly receives 100 donations in a minute, that's not normal," says Hammermaster. "That activity should immediately kick out an alert to have a fraud expert look at the transactions and figure out what's going on."
Charities that accept online donations can also set donation minimums in their fraud software. For instance, if a charity rarely receives donations under $5, the card-processing company can set its system to automatically flag any incoming donations less than that amount.
Like any online merchant, Hammermaster says every charity should verify transactions by requiring donors to enter the three or four-digit card verification code on the back of most credit cards, as well as their mailing addresses. These codes can help make sure the credit card being used matches the given address and, in the case of the three-digit code, is physically in the cardholder's possession. Scammers rarely get cardholders' addresses or verification codes, says Hammermaster.
Protecting yourself -- and others
You can help prevent charities -- and yourself -- from being victimized, too. In addition to contesting any unusual charges on your credit card statement, Breyault suggests doing everything you can to keep your credit card number away from fraudsters.
- Use secure websites to make online purchases. You should see an address beginning with "https" or a seal indicating that the site employs secure socket layers (SSL).
- Be cautious about storing your credit card number online for future purchases. Breyault won't go so far as suggesting that you never allow your card number to be stored by an online store, but says you should decide on a case-by-case basis which merchants you trust with this information.
- Avoid making online purchases over free Wi-Fi networks. Because these networks aren't usually password-protected, they're less secure. Your credit card number could be easily intercepted by a cyberthief.
- Keep your own computer software current and malware-free. Up-to-date operating and security systems are a good way to keep your computer free from hackers who might steal your financial information.