© 2005 Convio, Inc. NTEN Webinar: Protecting your organization and donors from online scams February 23, 2006



Online Fraud Techniques

■ Some current types of online fraud:

▶ 1. e-Commerce vendors can be defrauded of merchandise, e.g. by people using stolen credit cards; this doesn't affect online donations, because there is no merchandise to be fenced / resold

▶ 2. Phishers trick people into giving them financial information

▶ 3. 419'ers use the internet to pitch victims

▶ 4. Carders use online donation websites to test stolen card numbers

▶ 5. Hackers break into computers to steal data

■ Many of these are of interest to nonprofits


Fraud is not a new, internet-related problem

■ A donation phishing scam is no different than:

▶ someone standing in the mall shaking a collection tin with your organization's name on the side

▶ a fake fundraiser soliciting “donations” door to door or on the telephone

■ Because the internet is a newer medium, the public is less “street-wise” about how to spot scammers

■ Technology will never prevent fraud; education is the key solution


What is a phishing scam?

■ Phishing is a technique used by online fraudsters to collect people's personal information to be used in subsequent fraud activities

■ Phishers try to obtain:

▶ credit card numbers

▶ names and addresses

▶ social security numbers

▶ passwords for online banking, PayPal, etc.

■ “Phished” data is now a commodity in online fraud circles – stolen credit card numbers sell for about $1 each in hacker forums


How does phishing work?

■ The phisher sends out spam emails which mimic those from a well-known financial institution

■ A typical come-on line: “Come to our website to re-verify your login”

■ Links in the email take the unwary to a website run by the phisher, which collects their data

■ The non-profit connection: after major disasters, phishers target potential donors to well-known relief agencies like the Red Cross


Phishing example

(Annotated screenshot of a phishing email; the image is not reproduced here. Callouts:)

▶ Forged “From” address

▶ Link text is a PayPal URL, but clicking takes you to the phisher's site

▶ The usual pitch: “Your account information needs to be updated ...”


How can I help protect my donors from online fraud scams?

■ Educate donors to take a few simple precautions

▶ Be suspicious of unsolicited or unexpected email

▶ Don’t click on untrusted email links – instead, go directly to the organization’s Web site, or use a reputable search engine

▶ Always review credit card statements for unauthorized charges

■ Arm donors with the information they need

▶ Provide guidelines for locating your official Web site

▶ Actively promote your URL

▶ Tell donors who your service providers are for email and donation processing


Common misconceptions

■ “Make sure the URL matches the organization”

▶ In an HTML email, the text of a link can be anything, including a different URL from the link target

▶ Many non-profits use a service provider, and their donation forms use the provider's secure URL

▶ Conversely, it's easy for a scammer to use a fake URL that's very hard to spot: remember paypaI.com (did you notice ... “pay pie” with a capital “I”?)

■ “Nonprofits don't solicit donations by email”

▶ They certainly do, but only from opted-in list members ... they don't spam
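The two link tricks above (link text that differs from the link target, and a one-character lookalike host such as paypaI.com) can be checked mechanically on the receiving side. The Python below is an added illustration, not code from the deck or from Convio; the sample email, the TRUSTED_HOSTS allow-list and the helper names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample (not from the deck): link text is a PayPal URL, href is a lookalike host.
SAMPLE_EMAIL = """
<a href="http://paypaI.com/login">https://www.paypal.com/cgi-bin/webscr</a>
<a href="https://www.example.org/donate">Donate now</a>
"""
TRUSTED_HOSTS = {"paypal.com", "example.org"}  # assumed allow-list: own domain + disclosed providers

def host_of(url):
    """Lower-cased host without leading 'www.'; bare 'www.x.org/...' text gets a scheme."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def lookalike_of(host):
    """A trusted host that differs from `host` in exactly one character, else None."""
    return next((g for g in TRUSTED_HOSTS if len(g) == len(host)
                 and sum(a != b for a, b in zip(g, host)) == 1), None)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, text, reasons)] for links a donor should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, reasons = host_of(href), []
        if re.match(r"^(https?://|www\.)", text, re.I) and host_of(text) != target:
            reasons.append(f"link text shows {host_of(text)} but target is {target}")
        if target not in TRUSTED_HOSTS:
            like = lookalike_of(target)
            reasons.append(f"{target} looks like {like}" if like else f"{target} is not known-good")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Note that the parser lower-cases hostnames, so the capital-I trick ends up as paypai.com, which the one-character comparison still catches against paypal.com.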


How can I help protect my donors from online fraud scams? (2)

■ Encourage donors to verify the legitimacy of an organization before donating funds

▶ GuideStar: www.guidestar.org

▶ CharityNavigator: www.charitynavigator.org

■ Publish Sender Policy Framework (SPF) information for your email “From” address

▶ Consult with your email marketing provider

■ If you discover a fraud site

▶ Contact the host ISP and request that it be blocked

▶ File a report with the FBI at http://www.ic3.gov/


Carding: How it works

■ Carders use online donation sites to test stolen credit cards, to make sure they are still valid, before using them for fraud

▶ Carders make a small donation, and see if they get a thank-you page or a rejection

▶ Often done in large volumes with automated software

▶ Some fraudsters just make up card numbers using generator software, and use carding to find out which ones are real


Carding: What should nonprofits do?

■ Carding does not defraud the nonprofit, but it is a nuisance to clean up after a carding run

■ What to do:

▶ Consult your service providers

▶ Anti-fraud technology can help to detect and block carding runs in progress

▶ If you get carded, you (or your provider) must refund the fake donations – keeping the money would be fraud, and will result in chargebacks
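As an added defender-side illustration (not code from the deck or from Convio), the Python below flags a carding run in a constructed donation log using the pattern the two carding slides describe: many small donations from one source in a short window, with a high share of declines; the thresholds, log format and sample data are assumptions. It also includes a Luhn check digit test, which rejects randomly typed numbers before they reach the processor but not numbers from generator software (those are Luhn-valid by construction), which is why the velocity rule is still needed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of donation attempts (not from the deck): timestamp, source IP,
# amount, processor result. The first source fires six $1 attempts in 15 seconds.
ATTEMPTS = [
    ("2006-02-23T10:00:01", "203.0.113.7", 1.00, "declined"),
    ("2006-02-23T10:00:04", "203.0.113.7", 1.00, "declined"),
    ("2006-02-23T10:00:07", "203.0.113.7", 1.00, "approved"),
    ("2006-02-23T10:00:09", "203.0.113.7", 1.00, "declined"),
    ("2006-02-23T10:00:12", "203.0.113.7", 1.00, "approved"),
    ("2006-02-23T10:00:15", "203.0.113.7", 1.00, "declined"),
    ("2006-02-23T10:05:00", "198.51.100.2", 50.00, "approved"),
    ("2006-02-23T11:30:00", "198.51.100.9", 25.00, "declined"),
]
# Thresholds are assumptions for this example; tune them to your own donation volume.
WINDOW = timedelta(minutes=5)   # sliding window per source
MAX_ATTEMPTS = 5                # attempts within WINDOW that trigger a review
MIN_DECLINE_RATE = 0.4          # share of declines typical of a card-testing run
SMALL_AMOUNT = 5.00             # ceiling for a "small donation"

def luhn_ok(number):
    """Luhn check digit test: rejects randomly typed digits before they reach the
    processor. Generator software emits Luhn-valid numbers, so velocity checks still matter."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 12 and total % 10 == 0

def carding_sources(attempts):
    """{ip: (attempts_in_window, decline_rate)} for sources that look like an
    automated test run: many small donations in a short window, many declined."""
    by_ip = defaultdict(list)
    for ts, ip, amount, result in attempts:
        by_ip[ip].append((datetime.fromisoformat(ts), amount, result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - start <= WINDOW and r[1] <= SMALL_AMOUNT]
            if len(window) >= MAX_ATTEMPTS:
                rate = sum(r[2] == "declined" for r in window) / len(window)
                if rate >= MIN_DECLINE_RATE:
                    flagged[ip] = (len(window), round(rate, 2))
                    break
    return flagged
```

A flagged source is a candidate for blocking and for refunding its approved transactions, as the slide requires; a legitimate donor rarely produces five declines in five minutes.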


Defending against hackers: what should my organization be doing?

■ Make security of donor information a priority:

▶ Don't be tempted to build an amateur donation form; use a professional solution:

- No excuses ... Network for Good is free

▶ Never collect and store credit card numbers or SSNs, and especially not on your website – a hacker can't break into data you don't have

▶ Never email donor information

▶ Make sure your donor database is very secure

▶ If you are using SSNs as member id's ... stop!

▶ Sloppy security is becoming less tolerated - example: California SB 1386 “Hacking Disclosure” Law