What is Transaction Fraud?
Transaction fraud is a growing issue for online payment services and companies that collect payment online. In a nutshell, online transaction fraud is when a fraudster attempts to steal the identity of another person and conducts a transaction in their name, for example with a stolen credit card.
One of the main reasons that fraud is so prevalent online is that verifying the identity of a person online is quite challenging. Traditionally, successful identity verification processes are high-friction and time-consuming, which can dramatically reduce revenue through a payment form. If you make your payment flow challenging enough to block fraudsters, you’re going to make it challenging for non-fraudsters as well.
In the case of nonprofit organizations, it’s not usually the case that a stolen credit card is used to make a big donation. More commonly, a list of stolen credit card numbers is run at high rates against a donation form so that fraudsters can test each card.
For example, a fraudster might have a large list of stolen credit cards—some of these cards may have already been reported stolen and have become inactive. To see if any cards are still active, these cards are run against a payment form at small payment amounts. If the donation is successful, the fraudster knows this card can be used for more fraudulent transactions. In many cases, fraudsters are quite sophisticated and use bots to conduct the testing.
It’s important to note that online transaction fraud is unrelated to the security of your data. Transaction fraudsters are not attempting to break into your database and steal your information; they are simply trying to conduct a transaction on your public-facing payment tool. The data hosted in your Funraise database is not at risk in the context of transaction fraud.
Online transaction fraud can expose your organization to chargebacks and fees. Besides financial losses, the amount of time it takes to deal with a large-scale fraud attack is significant.
While fraud is, and forever will be, an aspect of online payments, Funraise offers several strategies to mitigate the risk of online transaction fraud.
Ways that Funraise is reducing your exposure to fraudulent activity
There is no silver bullet tool to eliminate transaction fraud online. Just like any security protocol, it requires a collection of risk mitigation actions that target specific aspects of fraud attempts. Here are several methods we use to prevent fraud. Please note, not all methods are available for all payment configurations.
Rate limiting and IP banning
To limit fraud bots, Funraise bans IP addresses that exceed our set rate limits. Rate limiting can knock out IPs that are part of botnets.
We also have a layer of fraud mitigation for Stripe transactions that bans IP addresses based on signals from Stripe.
Preventing fraud requires active monitoring from humans along with the use of automated tools. Our systems team monitors the logs and transaction success rates across all of our customers to proactively mitigate fraud.
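The following Python example is added here and is not Funraise's code: it applies a per-IP sliding-window rate limit and, going beyond the rate limit described above, also bans an IP that cycles through several cards with mostly declined results, the card-testing pattern described earlier. The thresholds, class name and sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; not Funraise's real limits.
WINDOW = 60           # sliding window, seconds
RATE_LIMIT = 10       # max attempts per IP per window
MIN_CARDS = 4         # distinct cards before the decline rule applies
DECLINE_RATIO = 0.75  # share of declines that marks card testing


class CardTestingGuard:
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> (ts, card fingerprint, approved)
        self.banned = {}                  # ip -> reason for the ban

    def record(self, ts, ip, card, approved):
        """Store one gateway result and ban the IP if a rule trips."""
        q = self.recent[ip]
        q.append((ts, card, approved))
        while ts - q[0][0] > WINDOW:      # drop attempts outside the window
            q.popleft()
        cards = {c for _, c, _ in q}
        declined = sum(1 for _, _, ok in q if not ok)
        if len(q) > RATE_LIMIT:
            self.banned[ip] = "rate limit"
        elif len(cards) >= MIN_CARDS and declined / len(q) >= DECLINE_RATIO:
            self.banned[ip] = "card testing"

    def replay(self, events):
        """Feed events in time order; return how many were refused outright."""
        refused = 0
        for ts, ip, card, approved in events:
            if ip in self.banned:
                refused += 1              # banned IPs never reach the gateway
            else:
                self.record(ts, ip, card, approved)
        return refused


# Constructed sample traffic: (unix seconds, source IP, card fingerprint, approved?)
EVENTS = (
    # a donor who mistypes once, then succeeds with the same card
    [(0, "198.51.100.7", "fp_donor", False), (20, "198.51.100.7", "fp_donor", True)]
    # a bot cycling a new card every 2 seconds; one card out of eight is live
    + [(100 + 2 * i, "203.0.113.9", f"fp_{i}", i == 2) for i in range(8)]
    # a client submitting one card 15 times in 15 seconds
    + [(200 + i, "203.0.113.50", "fp_same", True) for i in range(15)]
)

guard = CardTestingGuard()
REFUSED = guard.replay(EVENTS)
```

The card-cycling bot stays under the rate limit and is caught only by the decline rule, while the donor who retries a single card is never banned.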
Enhanced Fraud Mitigation with Machine Learning
Funraise utilizes machine learning technology to automatically fail transactions that appear to be fraudulent. After (machine) learning the behavior patterns of your online donors, we can identify behaviors that fall outside the norm. The benefit of this method is that your donation experience is easy and seamless, while top-tier fraud detection is running behind the scenes.
This method cannot stop fraud attempts altogether, but it can reduce your exposure to risk by automatically failing risky transactions.
Starting April 2020, we will be slowly rolling out Enhanced Fraud Mitigation to organizations who experience higher rates of fraud, before making this feature available more widely. We hope it's so good, you'll never know it's there.
While some gateways offer machine learning prevention, not all do and not all customers enable it. The major goal of Enhanced Fraud Mitigation is to provide blanket fraud protection to our customers across a broad range of gateways.
Funraise Giving Forms have a built-in integration with Google reCAPTCHA. With Form V2, you just need to toggle it on. This tool reduces fraudulent activity from bots. The basic concept of a reCAPTCHA is to ask a human to complete a task that is particularly difficult for a basic bot to accomplish, think: identifying objects in pictures.
reCAPTCHA can usually stop bots, but it will not stop a human. So it offers some protection, but should be used with other fraud mitigation tools.
Gateway Level Fraud Prevention
Funraise is gateway agnostic. This means you can choose the gateway you would like to connect with Funraise—or even connect multiple gateways for complex strategies. This allows you to choose a gateway with the best fraud prevention tools for your needs.
Funraise's form is configurable so you can collect the information required for the gateway level verification methods appropriate for your use case. These include Address Verification Service (AVS) and Card Verification Value (CVV).
For example, we generally recommend Stripe as your main credit card gateway. Within Stripe you can activate Stripe Radar, which is a fraud prevention tool managed by Stripe. It offers another layer of protection behind the scenes that doesn't interfere with your organization's donation experience.
Additionally, Funraise passes over the IP address of each online transaction, along with other transaction data. In the case of Stripe, you can use this to manually block a specific IP address that has repeated fraudulent activity. Blocking an IP address is a short-term method to quickly stop a high-volume fraud attempt, but without other mitigation strategies, it might be a cat-and-mouse game; it is possible for the fraudster to change their IP address.
Alrighty! I bet you never thought we’d have a small army of people and tools protecting your organization from fraudulent transactions—now you know!