Why Nonprofits Are Easy Targets for Card-Testing and How to Protect Your Organization

Donating online has become a straightforward way for supporters to contribute to their favorite nonprofit. During the COVID-19 pandemic, many nonprofits have moved their fundraising campaigns online, allowing supporters to make donations via their debit or credit cards. Although online contributions have helped organizations stay financially afloat, they have also presented opportunities for cybercriminals, who continue to view nonprofits as easy and vulnerable targets. Because of this, card-testing fraud has become a major problem for organizations.

What is Card-Testing Fraud?

Card-testing is a fraud strategy used to validate a stolen debit or credit card. Using a stolen credit card, cybercriminals go to a nonprofit's website and make small, inconspicuous donations to "test" the payment method's authenticity. Once the information is validated, it can be sold on the black market or used by criminals to make fraudulent purchases.

Why Nonprofits?

Cybercriminals target nonprofits because they assume it will be like taking candy from a baby. Why? Because nonprofits might not have the strict, up-to-date cybersecurity that large corporations have. Also, nonprofits accept donations that don't involve an actual exchange of products or services. Gifting or donation checkout platforms are generally very basic and typically don't include the same types of security measures as online merchants' checkouts. The best line of defense against card-testing fraud is a multilevel approach that includes some or all of the following measures.

Set a minimum donation amount. Cybercriminals test credit cards by processing transactions of $10 or less. The simple act of setting a minimum amount can help to deter a cybercriminal who may be testing dozens of credit card numbers.

Add additional security technologies. Online technologies added to donation pages and websites can help to improve the security of a donor's transactions. For example, use a CAPTCHA feature to verify that the person submitting the donation is a human rather than a script running through a list of credit card numbers.

Require an address or ZIP code. Requiring the donor to include a physical address or a ZIP code when contributing online can help verify the cardholder's identity.

Educate staff and volunteers. Education and training for staff and volunteers on cybersecurity strategies, best practices, and modern protocols are crucial for organizations. This should include internal policies for how to report suspicious online activities and potential fraudulent offenses, such as card-testing, that could cause serious reputational and financial damage to the organization.

Mitigate the risks. It's impossible to eliminate the risk of a cyberattack or fraudulent activity, and not all nonprofits are able to implement the strategies above. Today, it's more critical than ever for nonprofits to obtain a cybersecurity insurance policy to help mitigate the threats organizations face online.
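The pattern described above (many small donations, dozens of card numbers, a script rather than a person) can also be watched for in the donation log. The Python sketch below is an added example, not part of the original article, and goes beyond the measures listed. The record layout, the card fingerprint field, and the window and card-count thresholds are assumptions; the $10 figure is the article's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample donation attempts (not real data):
# (timestamp, source IP, card fingerprint supplied by the processor, amount in USD)
ATTEMPTS = [
    ("2024-03-01T02:00:05", "203.0.113.7", "fp_01", 1.00),
    ("2024-03-01T02:00:40", "203.0.113.7", "fp_02", 1.00),
    ("2024-03-01T02:01:10", "203.0.113.7", "fp_03", 2.00),
    ("2024-03-01T02:02:30", "203.0.113.7", "fp_04", 1.00),
    ("2024-03-01T02:03:15", "203.0.113.7", "fp_05", 5.00),
    ("2024-03-01T09:15:00", "198.51.100.20", "fp_20", 50.00),  # ordinary gift
    ("2024-03-01T09:30:00", "198.51.100.33", "fp_30", 5.00),   # donor retrying
    ("2024-03-01T09:31:00", "198.51.100.33", "fp_30", 5.00),   # the same card
    ("2024-03-01T08:00:00", "192.0.2.9", "fp_40", 10.00),      # shared office IP,
    ("2024-03-01T11:00:00", "192.0.2.9", "fp_41", 10.00),      # different donors
    ("2024-03-01T14:00:00", "192.0.2.9", "fp_42", 5.00),       # hours apart
    ("2024-03-01T17:00:00", "192.0.2.9", "fp_43", 5.00),
]

SMALL_AMOUNT = 10.00             # the article: tests use $10 or less
WINDOW = timedelta(minutes=10)   # assumption: sliding window length
MAX_CARDS = 3                    # assumption: distinct cards tolerated per window

def flag_card_testing(attempts, small=SMALL_AMOUNT, window=WINDOW, max_cards=MAX_CARDS):
    """Return {ip: most distinct cards seen in one window} for sources that
    tried more than max_cards different cards on small donations."""
    by_ip = defaultdict(list)
    for ts, ip, card, amount in attempts:
        if amount <= small:
            by_ip[ip].append((datetime.fromisoformat(ts), card))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the window never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            cards = {card for _, card in events[start:end + 1]}
            if len(cards) > max_cards:
                flagged[ip] = max(flagged.get(ip, 0), len(cards))
    return flagged

if __name__ == "__main__":
    print(flag_card_testing(ATTEMPTS))
```

Flagged sources are candidates for review, a CAPTCHA challenge or a temporary block, not proof of fraud: a shared network can legitimately produce several cards, which is why the window is kept short.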

Online fraud comes in many different forms, and despite safeguards and preventative measures, anyone can unknowingly fall victim to a cybercrime. As more nonprofits modernize their websites and opt for virtual fundraising events, it's important for organizations to understand how cybersecurity insurance can help protect their donors while also mitigating the organization's risk exposure.

At Hawley & Associates, we pride ourselves on our unique approach to insurance. We ask the right questions and dig a little deeper in determining your cybersecurity risks and exposures, and we show you how Cyber Liability Insurance can help protect your mission from fraudulent activity and cyber threats. Contact us today to learn more about our risk mitigation and cyber insurance solutions.