© 2005 Convio, Inc.
NTEN Webinar: Protecting your organization and donors from online scams
February 23, 2006
Online Fraud Techniques
■ Some current types of online fraud:
▶ 1. e-Commerce vendors can be defrauded of merchandise, e.g. by people using stolen credit cards; this doesn't affect online donations, because there is no merchandise to be fenced / resold
▶ 2. Phishers trick people into giving them financial information
▶ 3. 419'ers use the internet to pitch victims
▶ 4. Carders use online donation websites to test stolen card numbers
▶ 5. Hackers break into computers to steal data
■ Many of these are of interest to nonprofits
Fraud is not a new, internet-related problem
■ A donation phishing scam is no different than:
▶ someone standing in the mall shaking a collection tin with your organization's name on the side
▶ a fake fundraiser soliciting “donations” door to door or on the telephone
■ Because the internet is a newer medium, the public is less “street-wise” about how to spot scammers
■ Technology will never prevent fraud; education is the key solution
What is a phishing scam?
■ Phishing is a technique used by online fraudsters to collect people's personal information to be used in subsequent fraud activities
■ Phishers try to obtain:
▶ credit card numbers
▶ names and addresses
▶ social security numbers
▶ passwords for online banking, PayPal, etc.
■ “Phished” data is now a commodity in online fraud circles – stolen credit card numbers sell for about $1 each in hacker forums
How does phishing work?
■ The phisher sends out spam emails which mimic those from a well known financial institution
■ A typical come-on line: “Come to our website to re-verify your login”
■ Links in the email take the unwary to a website run by the phisher, which collects their data
■ The non-profit connection: After major disasters, phishers target potential donors to well known relief agencies like the Red Cross
Phishing example
Forged “From” address
Link text is a PayPal URL, but clicking takes you to the phisher's site
The usual pitch: “Your account information needs to be updated ...”
How can I help protect my donors from online fraud scams?
■ Educate donors to take a few simple precautions
▶ Be suspicious of unsolicited or unexpected email
▶ Don’t click on untrusted email links – instead, go directly to the organization’s Web site, or use a reputable search engine
▶ Always review credit card statements for unauthorized charges
■ Arm donors with the information they need
▶ Provide guidelines for locating your official Web site
▶ Actively promote your URL
▶ Tell donors who your service providers are for email and donation processing
Common misconceptions
■ “Make sure the URL matches the organization”
▶ In an HTML email, the text of a link can be anything, including a different URL from the link target
▶ Many non-profits use a service provider, and their donation forms use the provider's secure URL
▶ Conversely, it's easy for a scammer to use a fake URL that's very hard to spot: remember paypaI.com (did you notice ... “pay pie” with a capital “I”?)
■ “Nonprofits don't solicit donations by email”
▶ They certainly do, but only from opted-in list members ... they don't spam
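The two tricks on this slide can be checked mechanically. The following is an added example, not code from the Convio deck: it parses the links in an HTML email, flags link text that shows a different site from the link target, and flags hosts that read like a trusted domain once look-alike characters (capital I for lowercase l, digit 0 for o, and so on) are folded. The sample message and the confusable table are constructed for illustration.

```python
# Added example, not from the Convio slides: flag a link whose visible text is a
# URL other than its target, and a look-alike domain such as paypaI.com (capital I).
from html.parser import HTMLParser
from urllib.parse import urlparse

CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s"})  # look-alike chars

SAMPLE_EMAIL = (  # constructed sample, using the pitch quoted on the phishing example slide
    "<p>Your account information needs to be updated ...</p>"
    '<a href="http://paypaI.com/verify">https://www.paypal.com/</a> '
    '<a href="http://203.0.113.9/login">Log in</a>'
)

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Host of a URL or bare domain, 'www.' dropped; case is kept because the I/l trick needs it."""
    host = urlparse(text if "://" in text else "http://" + text).netloc.split("@")[-1].split(":")[0]
    return host[4:] if host.lower().startswith("www.") else host

def looks_alike(domain, legit):
    """True if domain is not legit but reads as legit once confusables are folded."""
    return domain.lower() != legit and domain.translate(CONFUSABLES).lower() == legit

def audit_links(html, legit_domains):
    """Return (reason, href) pairs for links a donor should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""  # text itself a URL?
        if shown and shown.lower() != target.lower():
            findings.append(("link text shows a different site than its target", href))
        for legit in legit_domains:
            if looks_alike(target, legit):
                findings.append(("look-alike of " + legit, href))
    return findings
```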
How can I help protect my donors from online fraud scams? (2)
■ Encourage donors to verify the legitimacy of an organization before donating funds
▶ GuideStar: www.guidestar.org
▶ CharityNavigator: www.charitynavigator.org
■ Publish Sender Policy Framework (SPF) information for your email “From” address
▶ Consult with your email marketing provider
■ If you discover a fraud site
▶ Contact the host ISP and request that it be blocked
▶ File a report with the FBI at http://www.ic3.gov/
Carding: How it works
■ Carders use online donation sites to test stolen credit cards, to make sure they are still valid, before using them for fraud
▶ Carders make a small donation, and see if they get a thank-you page or a rejection
▶ Often done in large volumes with automated software
▶ Some fraudsters just make up card numbers using generator software, and use carding to find out which ones are real
Carding: What should nonprofits do?
■ Carding does not defraud the nonprofit, but it is a nuisance to clean up after a carding run
■ What to do:
▶ Consult your service providers
▶ Anti-fraud technology can help to detect and block carding runs in progress
▶ If you get carded, you (or your provider) must refund the fake donations – keeping the money would be fraud, and will result in chargebacks
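The carding pattern from the previous slide (many small donations from one source in a short time, many different cards, many rejections) is what the anti-fraud technology mentioned here looks for. The following is an added example, not code from the Convio deck or any provider: it scans constructed donation-processor log lines with a sliding window per source IP and reports each run, including the approved test donations that must be refunded. The log format, field names and thresholds are assumptions.

```python
# Added example, not from the Convio slides: find a carding run in donation logs.
# The pattern the slide describes: many small donations from one source in a short
# time, many different cards, many rejections. The log format is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2006-02-23T10:00:01 ip=203.0.113.5 amount=50.00 card=1122 result=approved
2006-02-23T10:00:05 ip=198.51.100.7 amount=1.00 card=4421 result=declined
2006-02-23T10:00:07 ip=198.51.100.7 amount=1.00 card=9083 result=declined
2006-02-23T10:00:09 ip=198.51.100.7 amount=1.00 card=3310 result=approved
2006-02-23T10:00:11 ip=198.51.100.7 amount=1.00 card=7754 result=declined
2006-02-23T10:00:13 ip=198.51.100.7 amount=1.00 card=0261 result=approved
2006-02-23T10:00:15 ip=198.51.100.7 amount=1.00 card=5508 result=declined
2006-02-23T10:03:00 ip=192.0.2.44 amount=25.00 card=6677 result=approved
"""  # constructed: one carder at 198.51.100.7 between two genuine donors

def parse(line):
    """One log line -> dict; 'card' is the processor's card token, never the card number."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"], rec["amount"] = datetime.fromisoformat(ts), float(rec["amount"])
    return rec

def find_carding_runs(log, window=timedelta(minutes=5), min_attempts=5,
                      max_amount=5.0, min_decline_ratio=0.5, min_cards=4):
    """Return {ip: stats} for sources whose attempts inside `window` look like carding."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            rec = parse(line)
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over this source's attempts
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            declined = sum(r["result"] == "declined" for r in win)
            cards = {r["card"] for r in win}
            if (len(win) >= min_attempts and all(r["amount"] <= max_amount for r in win)
                    and (declined / len(win) >= min_decline_ratio or len(cards) >= min_cards)
                    and len(win) > flagged.get(ip, {}).get("attempts", 0)):  # keep the widest run
                flagged[ip] = {"attempts": len(win), "declined": declined, "cards": len(cards),
                               # approved test donations must be refunded, as the slide says
                               "refund": [r["card"] for r in win if r["result"] == "approved"]}
    return flagged
```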
Defending against hackers: what should my organization be doing?
■ Make security of donor information a priority:
▶ Don't be tempted to build an amateur donation form, use a professional solution:
- No excuses ... Network for Good is free
▶ Never collect and store credit card numbers or SSNs, and especially not on your website – a hacker can't break into data you don't have
▶ Never email donor information
▶ Make sure your donor database is very secure
▶ If you are using SSNs as member id's ... stop!
▶ Sloppy security is becoming less tolerated - example: California SB 1386 “Hacking Disclosure” Law