How to Prevent Spam Donations in Luminate Online
Spam donations hit an organization both financially and operationally. Spam donations and fraudulent carding runs create an influx of junk constituent records and declined transactions in your Luminate site and in the systems integrated with it. Luminate Online offers several controls that help prevent spam donations and limit the impact of fraud on your Luminate Online site.
These donations are usually card testing: someone holding stolen card numbers submits small donations to learn which cards are still valid before using them elsewhere. Card testers prefer donation forms to online shops because a donation is faster and easier to process than a purchase. Most card testing is done by a script or bot that hops across several hundred IP addresses and uses random but realistic-looking names and email addresses, so blocking a single IP address or name rarely stops a run.
Add reCAPTCHA to all donation forms
reCAPTCHA is the first line of defense. Most carding runs are scripted, and reCAPTCHA is designed to recognize machine behavior and stop the form from being submitted. If the form is never submitted, no constituent record is created and no transaction is attempted, so nothing reaches your payment gateway or your integrated systems.
Luminate Online now offers reCAPTCHA v3. Google reCAPTCHA v3 presents no visible challenge to your users; an invisible analysis engine scores each interaction and blocks submissions that look automated. Once enabled, users will see the reCAPTCHA badge in the bottom-right corner of the form. Because v3 scores traffic rather than challenging it, treat it as a filter that stops most bots rather than all of them, and keep the other controls below in place as well.
Validate API Donation Requests
If fraudulent attempts reach a donation form through direct API calls, use this option to enforce validation on those API requests. One such validation technique is a honeypot: a hidden field is added to the donation form, bots fill in every field they find, including the hidden one, and their submission is rejected. Human users cannot see the field, leave it empty, and their submission is processed normally.
Note: Do not use this for offline donations or if using the Facebook integration for TeamRaiser.
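The check described above, as an added example that is not Luminate Online's own validation code: a server-side handler that rejects a submission when the trap field is filled in, and also when the field is absent altogether, which means the POST did not come from the rendered form. The field name, the form markup, the handler and the sample submissions are assumptions.

```python
"""Honeypot validation for a donation form handler.

Added example, not Luminate Online's own validation code: it shows the
technique the section describes. The field name, the form markup, the
handler and the sample submissions are assumptions.
"""
from typing import Mapping

# Assumed name of the trap field. It is a normal text input hidden with CSS,
# not type="hidden", so a bot walking the form's inputs treats it as real.
HONEYPOT_FIELD = "website_url"
REQUIRED_FIELDS = ("first_name", "last_name", "email", "amount")

# Markup the form would render (assumed). The wrapper is pushed off-screen,
# and the input is kept out of the tab order and out of browser autofill so
# a person never fills it in by accident.
FORM_FRAGMENT = f"""
<div style="position:absolute; left:-10000px;" aria-hidden="true">
  <label for="{HONEYPOT_FIELD}">Website</label>
  <input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}"
         tabindex="-1" autocomplete="off">
</div>
"""


def validate_donation(form: Mapping[str, str]) -> tuple[bool, str]:
    """Return (accepted, reason) for one submitted form.

    Reject when the trap field is missing (the POST was not produced by the
    rendered form, e.g. a scripted API call built from a guessed field list),
    when it is filled (a bot completed every input it found), or when a real
    field is empty. A rejected submission must create no constituent record
    and attempt no charge, so this check runs before either happens.
    """
    if HONEYPOT_FIELD not in form:
        return False, "honeypot field missing"
    if form[HONEYPOT_FIELD].strip():
        return False, "honeypot field filled"
    for name in REQUIRED_FIELDS:
        if not form.get(name, "").strip():
            return False, f"required field empty: {name}"
    return True, "ok"


# Constructed submissions: a donor, a form-filling bot, and a scripted POST
# that never loaded the form and therefore never saw the trap field.
SAMPLES = {
    "donor": {"first_name": "Ana", "last_name": "Ruiz", "email": "ana@example.org",
              "amount": "25.00", HONEYPOT_FIELD: ""},
    "bot": {"first_name": "Mia", "last_name": "Brown", "email": "mia.brown@example.com",
            "amount": "1.00", HONEYPOT_FIELD: "http://example.net"},
    "api_script": {"first_name": "Tom", "last_name": "Lee", "email": "t.lee@example.com",
                   "amount": "1.00"},
}


def run_samples() -> dict:
    """Validate every constructed submission; returns name -> (accepted, reason)."""
    return {name: validate_donation(form) for name, form in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:11s} accepted={ok} ({reason})")
```

Treating a missing trap field as a rejection is a design choice: a browser always submits a rendered text input, even when empty, so its absence is a reliable sign that the request was assembled by something other than your form. Keep the rejection silent (a generic error, no mention of which field tripped it) so the bot operator learns nothing about the check.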
Setup Fraud Management
You can use the Fraud Management feature to monitor and clean up constituent records created during declined donation transactions.
- Once set up, Fraud Management flags any new constituent record created by a carding run. The record is marked ‘Fraud Suspect’ and listed for your review under Data Management > Fraud Management, so the junk records can be cleaned up without hunting for them by hand.
Velocity Fraud Control settings
- Velocity Fraud Control watches transactions as they arrive, looking for spikes in particular kinds of activity over a defined period of time, the pattern commonly known as a card run. If a spammer's traffic matches a configured pattern, the tool identifies it and declines all further attempts from that user/IP for a set amount of time.
- The default site settings are deliberately lenient so that legitimate transactions are not flagged by mistake.
- If you have questions about your existing Velocity settings or want to change them, an LO administrator needs to contact Blackbaud customer support.
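A model of the two mechanisms described in the Fraud Management and Velocity Fraud Control sections, as an added example that is not Blackbaud's code: a sliding-window counter per key (IP address, card token) that refuses further attempts from a key for a block period once it trips, and a review step that lists every constituent record created by a source that tripped a rule. Field names, the thresholds and the transaction stream are constructed assumptions; the real product's patterns and defaults are not published on this page.

```python
"""Sliding-window velocity control with temporary blocking, plus flagging of
the constituent records a tripped source created.

Added example, not Blackbaud's Velocity Fraud Control or Fraud Management
code. Field names, thresholds and the stream are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int               # seconds since epoch
    ip: str
    card_fp: str          # token/fingerprint of the card, never the PAN
    email: str
    constituent_id: str   # record the submission would create
    gateway: str          # processor's answer if charged: approved/declined


@dataclass(frozen=True)
class Rule:
    key: str              # Txn attribute to aggregate on: "ip", "card_fp", ...
    window: int           # seconds of history considered
    max_attempts: int     # this many attempts in the window trips the rule
    block: int            # seconds the key is refused once tripped
    declines_only: bool = False   # count only declined attempts


class VelocityControl:
    def __init__(self, rules):
        self.rules = list(rules)
        self.history = defaultdict(deque)   # (rule#, key value) -> timestamps
        self.blocked_until = {}             # (rule#, key value) -> expiry ts

    def _keys(self, txn):
        return [(i, getattr(txn, r.key)) for i, r in enumerate(self.rules)]

    def decide(self, txn):
        """Return "blocked" (refused before charging) or the gateway answer."""
        for k, rule in zip(self._keys(txn), self.rules):
            if self.blocked_until.get(k, 0) > txn.ts:
                return "blocked"
            hist = self.history[k]
            while hist and hist[0] <= txn.ts - rule.window:  # expire old entries
                hist.popleft()
            if len(hist) >= rule.max_attempts:               # spike: trip the rule
                self.blocked_until[k] = txn.ts + rule.block
                return "blocked"
        result = txn.gateway          # only now is the charge attempted
        for k, rule in zip(self._keys(txn), self.rules):
            if rule.declines_only and result == "approved":
                continue
            self.history[k].append(txn.ts)
        return result

    def tripped(self, txn):
        """True if any aggregation key of this txn has ever tripped a rule."""
        return any(k in self.blocked_until for k in self._keys(txn))


def run(txns, rules):
    """Decide every transaction in time order; list records for fraud review."""
    vc = VelocityControl(rules)
    ordered = sorted(txns, key=lambda t: t.ts)
    decisions = [vc.decide(t) for t in ordered]
    # Fraud Management step: every record created by a source that tripped a
    # rule goes to the review queue, including the run's approved "hits".
    suspects = sorted({t.constituent_id for t in ordered if vc.tripped(t)})
    return decisions, suspects


# Assumed thresholds: 4 declines from one IP in 10 minutes, or 3 attempts on
# one card in 10 minutes, block that key for an hour.
RULES = [Rule("ip", 600, 4, 3600, declines_only=True),
         Rule("card_fp", 600, 3, 3600)]

# Constructed stream: a carding run from one IP (random names, a new card each
# time), a real donor in the middle, one card retried from hopping IPs, and
# the carding IP returning after its block has expired.
SAMPLE = [
    Txn(1000, "203.0.113.7", "tok-a1", "mia.brown@example.com", "C1001", "declined"),
    Txn(1005, "203.0.113.7", "tok-b2", "j.lee@example.com", "C1002", "declined"),
    Txn(1010, "203.0.113.7", "tok-c3", "tom.reyes@example.com", "C1003", "approved"),
    Txn(1015, "203.0.113.7", "tok-d4", "ana.k@example.com", "C1004", "declined"),
    Txn(1020, "198.51.100.20", "tok-e5", "donor@example.org", "C2001", "approved"),
    Txn(1025, "203.0.113.7", "tok-f6", "s.ng@example.com", "C1005", "declined"),
    Txn(1030, "203.0.113.7", "tok-g7", "p.diaz@example.com", "C1006", "declined"),
    Txn(1035, "203.0.113.7", "tok-h8", "l.fox@example.com", "C1007", "approved"),
    Txn(1100, "192.0.2.10", "tok-z9", "r.h@example.com", "C3001", "declined"),
    Txn(1105, "192.0.2.11", "tok-z9", "r.h2@example.com", "C3002", "declined"),
    Txn(1110, "192.0.2.12", "tok-z9", "r.h3@example.com", "C3003", "declined"),
    Txn(1115, "192.0.2.13", "tok-z9", "r.h4@example.com", "C3004", "approved"),
    Txn(5000, "203.0.113.7", "tok-i9", "x.y@example.com", "C1008", "declined"),
]

if __name__ == "__main__":
    decisions, suspects = run(SAMPLE, RULES)
    for t, d in zip(SAMPLE, decisions):
        print(f"{t.ts:5d} {t.ip:14s} {t.card_fp} {t.constituent_id} -> {d}")
    print("Fraud Suspect records:", suspects)
```

Two points worth taking from the trace. The per-IP rule stops the run at its fifth decline and the live card found at 1035 is never charged, but a bot that hops across hundreds of addresses, as the introduction describes, touches each IP only once and never trips it; that is why the card-token rule exists and why velocity control sits behind reCAPTCHA and the honeypot rather than replacing them. Counting declines only, as the IP rule does, keeps an office or campus NAT that sends many approved gifts on a giving day from being blocked, which is the same trade-off behind the lenient site defaults mentioned above. The real donor (C2001) is absent from the suspect list, while the approved charge from the run (C1003) is on it for refund and cleanup.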
Additional Suggestions
- Put a limit on the amount that can be donated online
- This helps with security and with processing fees alike. Many organizations set an online limit of around $10,000.
- Unpublish forms that are no longer in use; forgotten forms are a common target for carding runs
What’s Next?
Need help implementing these spam prevention measures or auditing your Luminate Online account? Contact us to set up an introductory meeting. We’d love to work with you!