Fraudsters hoping for a quick payday this Christmas!

The run-up to Christmas has now well and truly started, not just because the top 20 Christmas songs are being voted for on our Facebook group, Donorfy Chat, and the shops are decked out with all that glitters, but there are also some rather less glittery types that are coming for your website in hope for some quick cheer that comes with misery for others!



Have you heard of card testing, card cracking, card dipping or force testing?

It’s the process fraudsters use to find the validity of credit/debit card numbers that they have either stolen or purchased.

Typically, they prey on a website that features an online payment system and use bots or scripts that can run thousands of transactions at a time to try to pay or donate form something at a low value. They can then find out the validity of the card number or CVC this way and even use ‘brute’ force to evade a checking process for a CVC number.

You may see one of two odd names and address details appearing in your system when they have been successful – they will then use this validated card to purchase goods, etc. via other websites or even sell the details on valid card details to other fraudsters.

This costs you money as you are subject to chargebacks and chargeback fees and of course there is the cost of the time involved to deal with any successful attempts, something that as charitable organisations will mean that your precious resources are diverted from the ‘front line’.


How can you tackle this? 

Donorfy offers a number of visual aides to keep an eye on what is happening in terms of transactions flowing into your system and has built-in SCA compliance to Campaign Pages and all newly created Web Widgets (see below).


Be watchful:

Summary of activity occurring online via your Campaign and Web Widget pages is visible via the Online Donations Tab – Financial > Online Donations

  • The History tab – supplies the name and transaction amount of online donations for the past 30 days
  • The Errors & Info tab – provides a summary of the activity that has occurred online via the campaign’s pages and your Web Widgets. Failed card attempts will appear as errors within this section.


Update your payment page security:

Ensure that your Web Widgets are up-to-date…

  • Campaign Pages – these have already been upgraded to incorporate SCA compliance
  • Upgrade your Existing Web Widgets (created before 12th September 2019) so that they are SCA compliant
  • All newly added Web Widgets since 12th September 2019 incorporate SCA compliance

Tweak your Web Widgets and Campaign page id’s:

  • Change the Web Widget ID
  • Ask for a reset of your Campaign page

See this article for help on this: Transactions Marked as High Fraud Risk by Stripe


Use the resources that Stripe offer:

Activate Radar to block transactions with null CVCs. It’s an additional 3p per transaction (waived for accounts with standard 1.4% + 20p pricing)*, but in the fight against fraud is a small price to pay.

See: Stripe's website page about Radar

In the event of transactions making it through contact Stripe Fraud Team to report suspicious activity and flag individual transactions

* Radar pricing taken from Stripe's website November 2019.


Have more questions? Submit a request


Powered by Zendesk