Each morning, Watsi’s operations team scans our credit card transaction record for donations from a certain user, ready to block any new attempted payments. Over the past two years, someone—let’s just call this person Sharon—has attempted to make over 700 fraudulent donations.
Sharon is notorious in our office. Her prolific efforts to donate using stolen credit card numbers have made her the poster child for the 30,000 suspected fraudulent credit card donations we’ve combatted. In total, we’ve blocked over $67M in attempted fraudulent donations, including a few million-dollar charges.
Everyone on our team is invested in stopping people like Sharon from making fraudulent donations. In developing processes to automatically block tens of thousands of charges, and manually refunding several thousand more, we’ve learned about why fraud is so common, why it’s a big problem, and what strategies we can use to effectively curb it.
Why are there so many fraudulent donations?
Nonprofits that accept online donations are a favorite place to validate stolen cards. Thieves test cards by making a $5 donation, which is likely to fly under the radar of the card’s owner and their bank’s fraud detection tools. Also, donations don’t require the donor to provide a shipping address. If the donations go through, the thieves are more confident about proceeding with that shopping spree on Amazon.
Fraudulent donations are problematic for many reasons. First, we don’t want anyone’s first introduction to Watsi to come from a curious line item on their bank statement. Although we’ve managed to turn some angry phone calls from credit card holders into friendlier conversations, this isn’t an ideal marketing strategy.
Furthermore, these charges cost us money. When a customer disputes a charge by reporting it to their bank as fraud, not only do we refund the money (of course!), we also pay a fine of $15. If we hadn’t caught and refunded Sharon’s 700 donations and the true cardholders disputed those charges, we would have been fined over $10,000.
In addition, high fraud rates could put us on a credit card network's fraud monitoring list—meaning we might be subject to more fines and fees, and could even be blocked entirely.
How we're using technology to combat fraud
Fortunately, we’ve developed strategies to outwit these fraudsters. Our first line of defense is our payment processing provider, Stripe. They help by blocking cases where there is an expired credit card, wrong security code, or some other egregious mistake. In addition to Stripe’s high-level tools, we have our own automated prevention system. We’ve implemented reCAPTCHA to validate that donations are being made by actual humans, not automated software designed to test credit cards.
Since adding reCAPTCHAs to our checkout flow in May 2016, disputed charges have decreased by 85%.
However, not everything we've tried has been successful. Requiring donors to enter zip codes had no effect on the amount of fraud, and we also wanted to be careful about rejecting legitimate charges.
How transparency and manual reviews are our secret weapons
After Stripe’s tools and our own automated screens have filtered out some fraudulent donations, it’s down to transparency and manual review for the rest. To bring transparency to this issue, we created a Slack channel that notifies us every time a Stripe transaction occurs. This gives the entire team visibility into which donations are valid, which were automatically blocked, and which will require manual review.
Our manual review starts with the email address associated with the donation. An address that looks like something a cat made up by stepping on a keyboard is a good clue that something may be off (hello, firstname.lastname@example.org!).
Stripe displays the IP address for each donation, so we can see if a credit card from South Africa is being used in France. Stripe also tells us how long somebody spent on the site and if any previous charges were disputed as fraud. We can use this information to make a more informed decision on whether or not a payment is likely fraud.
As a final line of defense, we use Mailgun to verify whether our transaction emails are being sent to a real account and if they are being opened.
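The manual-review signals described above (odd-looking email, card country versus IP country, time on site, earlier disputes, email deliverability) can be gathered into one triage pass. This is an added example, not Watsi's code: the field names, thresholds, and sample charges are constructed assumptions and do not reflect Stripe's or Mailgun's APIs.

```python
import re

# Thresholds are illustrative assumptions, not Watsi's or Stripe's values.
MIN_SECONDS_ON_SITE = 10
MIN_VOWEL_RATIO = 0.2
MAX_CONSONANT_RUN = 5

def looks_random(email):
    """Rough 'keyboard mash' test on the part of the address before the @."""
    letters = re.sub(r"[^a-z]", "", email.split("@", 1)[0].lower())
    if len(letters) < 6:
        return False  # too short to judge either way
    vowels = sum(c in "aeiou" for c in letters)
    runs = re.findall(r"[^aeiou]+", letters)
    longest = max((len(r) for r in runs), default=0)
    return vowels / len(letters) < MIN_VOWEL_RATIO or longest >= MAX_CONSONANT_RUN

def review_reasons(charge):
    """Return the reasons a charge should go to a human; empty list means none."""
    reasons = []
    if looks_random(charge["email"]):
        reasons.append("email looks randomly generated")
    card, ip = charge.get("card_country"), charge.get("ip_country")
    if card and ip and card != ip:  # skip when either country is unknown
        reasons.append(f"card issued in {card}, IP located in {ip}")
    if charge.get("seconds_on_site", MIN_SECONDS_ON_SITE) < MIN_SECONDS_ON_SITE:
        reasons.append("very short time on site")
    if charge.get("prior_disputes", 0) > 0:
        reasons.append("earlier charges disputed as fraud")
    if charge.get("email_deliverable") is False:
        reasons.append("receipt email could not be delivered")
    return reasons

# Constructed sample charges (hypothetical field names, not real data).
SUSPICIOUS = {"email": "xkjqwzrtplm@mail.example", "card_country": "ZA",
              "ip_country": "FR", "seconds_on_site": 4, "prior_disputes": 1,
              "email_deliverable": False}
ORDINARY = {"email": "maria.gonzalez@mail.example", "card_country": "US",
            "ip_country": "US", "seconds_on_site": 180, "prior_disputes": 0,
            "email_deliverable": True}

if __name__ == "__main__":
    for charge in (SUSPICIOUS, ORDINARY):
        print(charge["email"], "->", review_reasons(charge) or "no flags")
```

Each reason sends the charge to a person rather than blocking it outright, since a legitimate donor can trip any single signal (a traveller's IP address, a consonant-heavy surname).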
For every Sharon, there are thousands of donors who come to our website with only the best intentions. Help us overwhelm Sharon’s fraudulent charges by donating to a Watsi Crowdfunding patient today.
Director of Marketing