During the Christmas season, we all tend to use our credit and debit cards more online. We may not pay close attention to all of the charges on our statements. Hackers rely on the busy holiday season to help them get away with all kinds of fraud. This year, be wary of small, suspicious charges on your statement. Something as small as $3.00 could be evidence that a hacker tested your card number.
Hackers test randomly generated card numbers, or stolen cards online, and try to validate as many cards as they can. Entering a large amount may be a red flag to the cardholder, so they use small amounts to see if they’re valid. If a cardholder sees a small $5.00 donation to a church or charitable organization, it may not concern them. It’s a small amount, was given to a good cause, and few would bother to report it. Hackers depend on consumers’ behavior. The likelihood that these fraudulent donations won’t be reported, makes online giving and charitable donation sites more attractive testing areas for hackers.
Is this a victimless crime?
While it may seem there is little negative consequence to the cardholder or the church, both are victims here. Initially, the cardholder loses a small amount of money given to test the card. But, once the card is proven to be valid, the hacker will likely have a spending spree, causing the cardholder to experience more fraud and potentially suffer identity theft. The church or charitable organization may be fined chargeback fees of $15 to $25 per gift transaction. Depending on the extent that a site is used for card testing, and the relationship with the merchant provider who processes card transactions, these fees could be massive (1).
Signs of card testing for giving site managers
- Be on the lookout for small, suspicious amounts from unknown contributors. Your merchant provider may also alert you if there has been an unusuallyhigh number of failed attempts to donate to your site.
- We encourage you to refund the cardholder the money that was given to your organization.
- Ask your merchant provider if they offer and can enable the Address Verification Service (“AVS”) feature for your site. An AVS check compares the address used in the transaction with the cardholder’s address. A complete AVS match generally indicates that the transaction is valid.
|The AVS check should reduce the occurrence of fraud; however, it may also reject legitimate attempts to give if the cardholder has moved or is visiting your site from a new location.|
Signs of donation fraud for cardholders
- Be vigilant about reviewing entries on your card statement.
- Take the time to report any questionable entry as suspected fraudulent activity – especially if you don’t recognize the vendor. Most likely, you’ll be issued a new card and your old card number will be unusable for hackers to exploit.
- If the online giving site has not refunded the money that was fraudulently donated on your behalf, we encourage you to request a refund from them. Your credit card company or bank may also agree to help you with this if you ask.
(1) In 2013, the Jack and Jill Children’s Foundation lost €130,000 due to payment card testing.