Experiencing fraudulent transactions?
What is Transaction Fraud?
Transaction fraud is a growing issue for online payment services and companies that collect payment online. In a nutshell, online transaction fraud is when a fraudster attempts to steal the identity of another person and conduct a transaction in their name, for example with a stolen credit card.
One of the main reasons that fraud is so prevalent online is that verifying the identity of a person online is quite challenging. Traditionally, successful identity verification processes are high-friction and time-consuming, which can dramatically reduce revenue through a payment form. If you make your payment flow challenging enough to block fraudsters, you’re going to make it challenging for non-fraudsters as well.
In the case of nonprofit organizations, it’s not usually the case that a stolen credit card is used to make a big donation. More commonly, a list of stolen credit card numbers is run at high rates against a donation form so that fraudsters can test each card.
For example, a fraudster might have a large list of stolen credit cards—some of these cards may have already been reported stolen and have become inactive. To see if any cards are still active, these cards are run against a payment form at small payment amounts. If the donation is successful, the fraudster knows this card can be used for more fraudulent transactions. In many cases, fraudsters are quite sophisticated and use bots to conduct the testing.
It’s important to note that online transaction fraud is unrelated to the security of your data. Transaction fraudsters are not attempting to break into your database and steal your information—they are simply trying to conduct a transaction on your public-facing payment tool. The data hosted in your Funraise database is not at risk in the context of transaction fraud.
Online transaction fraud can expose your organization to chargebacks and fees. Besides financial losses, the amount of time it takes to deal with a large-scale fraud attack is significant.
While fraud is, and forever will be, an aspect of online payments, Funraise offers several strategies to mitigate the risk of online transaction fraud.
Ways that Funraise is reducing your exposure to fraudulent activity
There is no silver bullet tool to eliminate transaction fraud online. Just like any security protocol, it requires a collection of risk mitigation actions that target specific aspects of fraud attempts. Here are several methods we use to prevent fraud. Please note, not all methods are available for all payment configurations.
Rate limiting and IP banning
To limit fraud bots, Funraise bans IP addresses that exceed our set rate limits. Rate limiting can knock out IPs that are part of botnets. We also have a layer of fraud mitigation for Stripe transactions that bans IP addresses based on signals from Stripe.
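The following added example (not Funraise's code) shows how a per-IP rate limit and a card-testing signal, many different cards at small amounts from one address, can each lead to an IP ban. The thresholds, the `CardTestingDetector` class, the `replay` helper and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; not Funraise's actual limits.
WINDOW_SECONDS = 60       # sliding window per IP
MAX_ATTEMPTS = 5          # payment attempts allowed per IP per window
MAX_DISTINCT_CARDS = 3    # different small-amount cards allowed per IP per window
SMALL_AMOUNT_CENTS = 500  # what counts as a "small" test donation

class CardTestingDetector:
    def __init__(self):
        self.attempts = defaultdict(deque)  # ip -> (ts, card_fp, amount) in window
        self.banned = {}                    # ip -> reason for the ban

    def observe(self, ts, ip, card_fp, amount_cents):
        """Record one attempt and return 'allow' or 'blocked'.
        card_fp is a card fingerprint/token, never the raw card number."""
        if ip in self.banned:
            return "blocked"
        window = self.attempts[ip]
        window.append((ts, card_fp, amount_cents))
        while window[0][0] <= ts - WINDOW_SECONDS:  # drop expired attempts
            window.popleft()
        if len(window) > MAX_ATTEMPTS:
            self.banned[ip] = "rate_limit"
        else:
            small = {c for _, c, a in window if a <= SMALL_AMOUNT_CENTS}
            if len(small) > MAX_DISTINCT_CARDS:
                self.banned[ip] = "card_testing"
        return "blocked" if ip in self.banned else "allow"

# Constructed sample events: (ts_seconds, ip, card_fp, amount_cents).
# IPs come from documentation ranges (RFC 5737).
SAMPLE_EVENTS = (
    [(0, "203.0.113.7", "card-a", 100), (5, "192.0.2.10", "card-x", 5000),
     (8, "203.0.113.7", "card-b", 100), (15, "203.0.113.7", "card-c", 100),
     (21, "203.0.113.7", "card-d", 100),   # 4th distinct small-amount card
     (30, "203.0.113.7", "card-e", 100)]   # arrives after the ban
    # One donor card submitted six times in six seconds from one address.
    + [(100 + i, "198.51.100.20", "card-y", 2500) for i in range(6)]
    + [(400, "192.0.2.10", "card-x", 5000)]  # ordinary repeat donor
)

def replay(events):
    """Feed time-ordered events through a fresh detector."""
    det = CardTestingDetector()
    decisions = [det.observe(*e) for e in sorted(events)]
    return decisions, det.banned

if __name__ == "__main__":
    decisions, banned = replay(SAMPLE_EVENTS)
    print(banned)
```

The second rule catches a slow card-testing run that stays under the plain attempt limit, which is why the two checks are kept separate.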
Banning based on fraud signals
Funraise also takes proactive steps to ban transactions that appear fraudulent based on patterns of the transaction, for example a payment in a currency that does not match the location. Funraise's fraud team consistently reviews fraud activity to ensure our block rules and signals are evolving with fraudsters' tactics. Funraise's fraud team can block transactions universally based on fraud signals or we can create a custom block rule set for an individual organization experiencing high rates of fraud.
Human monitoring
Preventing fraud requires active monitoring from humans along with the use of automated tools. Our fraud team monitors activity logs and transaction success rates across all of our customers to proactively mitigate fraud.
Enhanced Fraud Mitigation with Machine Learning
Funraise enables machine learning technology to automatically fail transactions that appear to be fraudulent. After (machine) learning the behavior patterns of online payments, fraud mitigation tools can identify behaviors that fall outside the norm. The benefit of this method is that your donation experience is easy and seamless, while top-tier fraud detection is running behind the scenes.
Web Application Firewall (WAF)
The WAF has sophisticated listening capabilities that detect constantly shifting signals from HTTP traffic sources, determining the trustworthiness of the source as well as the validity of the request, and blocking requests appropriately.
While Funraise’s WAF was intended to mitigate carding attacks, it also offers protection against malicious hackers—the WAF filters out web traffic by detecting the fingerprints of known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.
Google reCAPTCHA
Funraise Giving Forms have a built-in integration with Google reCAPTCHA. This integration is automatically enabled and does not require configuration. The basic concept of a reCAPTCHA is to ask a human to complete a task that is particularly difficult for a basic bot to accomplish, like identifying objects in pictures. Learn more about manually activating reCAPTCHA.
Gateway Level Fraud Prevention
Funraise's preferred payment processor is Stripe and our fraud mitigation toolset includes Stripe Radar. Funraise passes the payment IP address to Stripe, which enhances Stripe's fraud mitigation performance.
Funraise's form is configurable so you can collect the information required for the gateway level verification methods appropriate for your use case. These include Address Verification Service (AVS) and Card Verification Value (CVV).
So, no more carding fraud?
Unfortunately, carding fraud attacks will continue to occur. Like all security strategies, our goal is risk mitigation—it’s impossible to be free from risks online. Our team is consistently monitoring and enhancing our fraud protection strategies and technologies.