It's around this time of year that most charitable organizations run their biggest fund-raising drives. In so doing, they're getting millions of contributions from many new contributors. Yet while they must make it as easy as possible for folks to donate, their limited personnel are overworked, making it difficult to thoroughly review all credit card authentication data.
Meanwhile, another group is working some holiday overtime too: Internet scammers. Because many consumers are shopping for goods they don't usually buy, fake websites pop up, taking advantage of this inexperience to harvest payment information. The biggest challenge is sorting out the real sites from the fake or canceled ones. These two problems may have more in common than you think.
A new report by security firm, Phishlabs, unveils a shocking new strategy for solving that hurdle. Hackers use a chat-based program to transmit credit card information to make a small donation. If the transaction is successful, the program confirms the data the hacker supplied is legitimate.
In essence, hackers are using charities as a trial run for stolen credit card numbers. To understand what this means for you, let's look at how the authentication process works, why charities are ideal targets, and how to keep yourself safe.
Before you make an online transaction, the retailer will take some steps to verify your identity. You provide a credit card number, a security code and some other information. The form might ask for your billing address or ZIP code, for example. The idea is to keep your account safe by requiring several authentication factors. It works fairly well at frustrating casual scammers.
That's why this bot is so useful to cyber-criminals. It can check data in low-risk, easily concealable ways. The operators of these services charge a fee in "credits" to would-be scammers. They earn these credits by paying for them or by performing a variety of "services" for the operator's criminal enterprise.
By making a small donation to a charity, the bot can check to see if the information a scammer stole works. These donations are usually between $1 and $5 to one of a selected range of charitable organizations. If the payment sends, the scammer is free to use the information to buy other, more expensive goods.
Charities are the perfect target for this kind of operation. They use the same authentication strategies as every other business, but they seldom have the resources to investigate fraud. They also want to make it as easy as possible for people to donate. This means they use static donation website names and don't use anti-bot software like Captcha. This makes them easy for a program to target.
Charities are also good targets because they have little at stake in stopping fraud. Defrauding a retailer puts them out the goods they sell. A fraudulent credit card used to buy a TV leaves the seller of that TV responsible for replacing the TV. Nothing like that exists for a charity. The donation amounts are usually miniscule, so their loss won't seriously affect budgets.
Finally, charities are good targets because they are innocuous. Average consumers are more likely to overlook small charges to charitable organizations. They might think of them as contributions they made without thinking about it.
If you take all the usual measures to keep your identity safe online, this shouldn't be much of an issue for you. If you think your information might have been stolen,though, consider taking the following steps:
1.) Watch for oddly specific amounts that have been sent to charities in your statement. Neither you nor your partner would give $4.48 to a charitable organization.
2.) Be preemptive in your giving. Donate to charities where you've done your research and only give to those that align with your values. Keep a list of charities you support and check your statement for any organization not on that list.
3.) Report these charges immediately both to your card issuer and to the charity on your statement. They can use a variety of indicators to track other fraudulent charges and catch other scammers in the act.
Beating this scam requires care and vigilance, just like every other scam. You need to know where your money's going and be careful with where you make your payments. Don't shop at websites you don't know and trust, and don't give out credit card information to anyone you don't know. Check your statements regularly and report any suspicious activity.