© 2005 Convio, Inc. NTEN Webinar: Protecting your organization and donors from online scams February 23, 2006.


1 NTEN Webinar: Protecting your organization and donors from online scams, February 23, 2006

2 Online Fraud Techniques
■ Some current types of online fraud:
  ▶ 1. e-Commerce vendors can be defrauded of merchandise e.g. by people using stolen credit cards; this doesn't affect online donations, because there is no merchandise to be fenced / resold
  ▶ 2. Phishers trick people into giving them financial information
  ▶ 3. 419'ers use the internet to pitch victims
  ▶ 4. Carders use online donation websites to test stolen card numbers
  ▶ 5. Hackers break into computers to steal data
■ Many of these are of interest to nonprofits

3 Fraud is not a new, internet-related problem
■ A donation phishing scam is no different than:
  ▶ someone standing in the mall shaking a collection tin with your organization's name on the side
  ▶ a fake fundraiser soliciting “donations” door to door or on the telephone
■ Because the internet is a newer medium, the public is less “street-wise” about how to spot scammers
■ Technology will never prevent fraud; education is the key solution

4 What is a phishing scam?
■ Phishing is a technique used by online fraudsters to collect people's personal information to be used in subsequent fraud activities
■ Phishers try to obtain:
  ▶ credit card numbers
  ▶ names and addresses
  ▶ social security numbers
  ▶ passwords for online banking, PayPal, etc.
■ “Phished” data is now a commodity in online fraud circles – stolen credit card numbers sell for about $1 each in hacker forums

5 How does phishing work?
■ The phisher sends out spam emails which mimic those from a well-known financial institution
■ A typical come-on line: “Come to our website to re-verify your login”
■ Links in the email take the unwary to a website run by the phisher, which collects their data
■ The non-profit connection: After major disasters, phishers target potential donors to well-known relief agencies like the Red Cross

6 Phishing example
Forged “From” address
Link text is a PayPal URL, but clicking takes you to the phisher's site
The usual pitch: “Your account information needs to be updated...”

7 How can I help protect my donors from online fraud scams?
■ Educate donors to take a few simple precautions
  ▶ Be suspicious of unsolicited or unexpected email
  ▶ Don’t click on untrusted email links – instead, go directly to the organization’s Web site, or use a reputable search engine
  ▶ Always review credit card statements for unauthorized charges
■ Arm donors with the information they need
  ▶ Provide guidelines for locating your official Web site
  ▶ Actively promote your URL
  ▶ Tell donors who your service providers are for email and donation processing

8 Common misconceptions
■ “Make sure the URL matches the organization”
  ▶ In an HTML email, the text of a link can be anything, including a different URL from the link target
  ▶ Many non-profits use a service provider, and their donation forms use the provider's secure URL
  ▶ Conversely, it's easy for a scammer to use a fake URL that's very hard to spot: remember paypaI.com (did you notice... “pay pie” with a capital “I”?)
■ “Nonprofits don't solicit donations by email”
  ▶ They certainly do, but only from opted-in list members... they don't spam
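The two link problems on this slide can be checked mechanically. The following is an added example, not part of the original presentation: it flags anchors whose visible text is a URL that differs from the real target, and targets that fold to a guarded domain under a small look-alike table. The `KNOWN` list, the folding table and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN = {"paypal.com"}  # assumption: domains worth guarding; extend as needed
FOLD = str.maketrans({"i": "l", "1": "l", "0": "o"})  # simplified look-alike folding
URL_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def host(url):
    """Lower-cased host of a URL, without a leading 'www.'."""
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def imitates(h):
    """Return the known domain that host h visually imitates, else None."""
    for k in KNOWN:
        if h != k and not h.endswith("." + k) and h.translate(FOLD) == k.translate(FOLD):
            return k
    return None

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown, target = "".join(self.text).strip(), host(self.href)
            m = URL_TEXT.match(shown)
            if m and host("//" + m.group(1)) != target:  # text is a URL that lies
                self.findings.append(("text-target-mismatch", shown, target))
            if imitates(target):
                self.findings.append(("lookalike-domain", imitates(target), target))
            self.href = None

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

SAMPLE = """<a href="http://203.0.113.7/login">https://www.paypal.com/</a>
<a href="https://www.paypaI.com/update">Update your account</a>
<a href="https://secure.donations.example/give">Donate now</a>"""  # constructed
print(audit_links(SAMPLE))
```

The third link produces no finding: a donation form hosted on a service provider's domain is normal, so the check only fires when the link text itself claims a different destination.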

9 How can I help protect my donors from online fraud scams? (2)
■ Encourage donors to verify the legitimacy of an organization before donating funds
  ▶ GuideStar: www.guidestar.org
  ▶ CharityNavigator: www.charitynavigator.org
■ Publish Sender Policy Framework (SPF) information for your email “From” address
  ▶ Consult with your email marketing provider
■ If you discover a fraud site
  ▶ Contact the host ISP and request that it be blocked
  ▶ File a report with the FBI at http://www.ic3.gov/

10 Carding: How it works
■ Carders use online donation sites to test stolen credit cards, to make sure they are still valid, before using them for fraud
  ▶ Carders make a small donation, and see if they get a thank-you page or a rejection
  ▶ Often done in large volumes with automated software
  ▶ Some fraudsters just make up card numbers using generator software, and use carding to find out which ones are real

11 Carding: What should nonprofits do?
■ Carding does not defraud the nonprofit, but it is a nuisance to clean up after a carding run
■ What to do:
  ▶ Consult your service providers
  ▶ Anti-fraud technology can help to detect and block carding runs in progress
  ▶ If you get carded, you (or your provider) must refund the fake donations – keeping the money would be fraud, and will result in chargebacks
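A sketch of how a carding run can be detected in progress, added here as an example and not taken from the presentation or any provider's product: it watches each source address for many distinct cards making small donations with a high decline rate inside a short window. The log format, the thresholds and the sample lines are assumptions constructed for illustration; cards appear only as opaque tokens.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own donation traffic.
WINDOW = timedelta(minutes=10)
MAX_CARDS = 3       # distinct cards from one source within WINDOW
MAX_DECLINE = 0.5   # share of declines that marks a testing pattern
SMALL = 5.00        # ceiling for a "small donation", in dollars

def parse(line):
    """Split 'timestamp ip card_token amount result' into typed fields."""
    ts, ip, card, amount, result = line.split()
    return datetime.fromisoformat(ts), ip, card, float(amount), result

def detect_carding(lines):
    """Return {ip: time at which the source first crossed the thresholds}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, card, amount, result in map(parse, lines):
        q = recent[ip]
        q.append((ts, card, amount, result))
        while ts - q[0][0] > WINDOW:      # drop events older than the window
            q.popleft()
        small = [e for e in q if e[2] <= SMALL]
        cards = {e[1] for e in small}
        declines = sum(e[3] == "declined" for e in small)
        if (ip not in flagged and len(cards) > MAX_CARDS
                and declines / len(small) >= MAX_DECLINE):
            flagged[ip] = ts
    return flagged

# Constructed sample log (documentation IP ranges, card tokens only).
SAMPLE = """\
2006-02-23T13:55:00 192.0.2.10 tokA 50.00 approved
2006-02-23T14:00:00 198.51.100.23 tok1 1.00 declined
2006-02-23T14:00:20 198.51.100.23 tok2 1.00 declined
2006-02-23T14:00:30 192.0.2.44 tokB 25.00 approved
2006-02-23T14:00:40 198.51.100.23 tok3 1.00 approved
2006-02-23T14:01:00 198.51.100.23 tok4 1.00 declined
2006-02-23T14:01:20 198.51.100.23 tok5 1.00 declined
""".splitlines()

if __name__ == "__main__":
    for ip, when in detect_carding(SAMPLE).items():
        print(f"possible carding run from {ip}, first flagged {when.isoformat()}")
```

Approved donations from a flagged source (tok3 in the sample) are the ones that will need refunding.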

12 Defending against hackers: what should my organization be doing?
■ Make security of donor information a priority:
  ▶ Don't be tempted to build an amateur donation form; use a professional solution:
    - No excuses... Network for Good is free
  ▶ Never collect and store credit card numbers or SSNs, and especially not on your website – a hacker can't break into data you don't have
  ▶ Never email donor information
  ▶ Make sure your donor database is very secure
  ▶ If you are using SSNs as member IDs... stop!
  ▶ Sloppy security is becoming less tolerated
    - example: California SB 1386 “Hacking Disclosure” Law

