Examples are emerging every day that demonstrate how the COVID-19 situation is bringing out the best in people. Take, for instance, students in Nebraska making get well cards for those in quarantine, Disneyland employees donating excess food to Second Harvest Food Bank, and even a Charlotte man volunteering to run errands for the elderly.

With all that good, also comes some not-so-good. Many fraudsters are taking advantage of the uncertainty to target nonprofits and their constituents. Follow these tips to help protect your organization and supporters:

Beware of the unsolicited email

Did you receive an email asking you to click a link or attachment in order to update your merchant services, credit card, or bank account information? What about one claiming to be from the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC) with important coronavirus updates? Phishing attacks like this are used by fraudsters to install malware and gain access to your personal data (and that of your constituents).

To mitigate your risk



A void clicking links and attachments from unknown senders .

Carefully review the sender’s email address.

Hover over (don’t click!) hyperlinks to determine if web addresses are being spoofed.

Review the email for poor grammar and spelling.

And, most importantly, contact the organization you think sent the email by phone or through their website to verify authenticity .

You can also visit the Cybersecurity and Infrastructure Security (CISA) Agency website for additional suggestions. And if you have employees that are now working remotely for the first time, take advantage of the free resources provided by SANS Security Awareness.

Strengthen and securely store your passwords

If you’re using the same password for all your accounts both work and home it’s time to make a change. Your passwords should be unique, long, and contain a mixture of numbers, symbols, and upperletters. The more unique, the harder they are to crack. You should also use multi-factor authentication (MFA) for password resets, especially those related to any type of financial account or personal email. In addition, store your passwords in a password manager and don’t rely on your browser to keep them safe. Click here for more ideas.

Monitor your merchant services account

Malicious actors often target your supporters by posing as your nonprofit during natural disasters and global health events like COVID-19. Using phishing emails, they can pretend to be affiliated with your charity and solicit donations from well-meaning constituents. They can also use your donation forms for credit card testing, allowing them to validate stolen payment information. CharitiesNonprofits are at an increased risk for this since donation forms don’t require logins, passwords, or shipping information; the contribution amount is editable; and the constituent is less likely to dispute a nominal charge from a nonprofit or other social good organization. So be on the lookout for multiple transactions submitted:

In quick succession

For a minimal amount

With the same constituent name on different cards

Put your fraud management tools to work

To stop the fraudsters, you can start by using the tools offered by your payment processor, such as:

Card Security Code (CSC) check : Set up your donation forms to require t he threefour-digit number that appears only on the constituent’s credit card and nowhere else .

Set up your donation forms to require t Address Verification Service (AVS): Require AVS to ensure the billing address of the cardholder matches the address on file with the credit card company.

Require Three-Domain Secure (3DS) Authorization: Take advantage of the additional card brand authentication options, which require cardholders to register their cards through the issuer’s website and specify credentials when completing online transactions.

While these basic settings help, even more sophisticated layers of fraud protection should be used to keep you safe by screening for:

Anonymous proxies: Anonymous proxies , or proxy servers, act as Internet relay stations and are used to hide the true location of a malicious actor.

High-risk countries: Certain countries have a high risk of scams and credit card frau d.

Bank Identification Number (BIN)/Issuer Identification Number (IIN) Country Match: If the BIN/IIN the first six digits of the credit card number don’t match the country of the cardholder’s billing address, they should be rejected.

If the BIN/IIN the first six digits of the credit card number don’t match the country of the cardholder’s billing address, Account Velocity: The same credit card data card number, card type, and expiration date used in a short window of time is indicative of card testing.

By staying vigilant, you can protect your organization and constituents from a different kind of threat: fraud.