NetSafe is warning New Zealand charities taking online donations to be on the alert after receiving two reports this week of cyber criminals launching automated attacks that attempt to validate large numbers of stolen credit cards.
In the first incident, almost 50,000 attempts were made to rapidly submit fake donations through a website form, with the aim of testing which credit cards could be used for subsequent online fraud or sold on to other internet scammers.
More than 2000 of these donations went through, and the charity had to enlist the help of its bank and merchant account provider to refund the fraudulent payments. It also spent time dealing with enquiries from cardholders around the world questioning the transactions.
A second incident yesterday saw another charity website hit with 11,000 payment requests resulting in more than 250 donations to their bank account.
In both cases, the automated attacks had been launched from a Brazilian IP address and NetSafe is encouraging charities and other small businesses that take payments online to take steps to secure their websites and contact their bank or payment provider about ways to prevent online fraud.
Online fraud a global problem
“Credit card fraud is an ongoing issue for any organisation that takes payments over the internet,” said NetSafe’s Digital Project Manager Chris Hails.
“The American security company PhishLabs warned that charity websites were being targeted by cyber criminals to validate stolen cards in November last year and they believe that these smaller organisations have fewer internet defenses in place than larger retailers and are thus an easy target.”
“Being the target of such an attack can mean hours of staff time cleaning up afterwards and could potentially cost your organisation money or find you blocked from taking future donations online,” said Hails.
The warning comes just a week after New Zealand’s Banking Ombudsman predicted that complaints to her office about scams would increase in 2015. Auckland-based NetSafe recorded more than 8000 incidents in 2014, covering cyber security issues ranging from phishing attempts to ransomware.
Protect your business online
NetSafe offers the following advice for charities and website owners:
- Talk to your bank or merchant provider about how their payment systems can be used to protect against online fraud
Enquire about options for monitoring payments and blocking such large scale automated attacks. If you can, consider using third party card verification services from Visa and MasterCard to add a second layer of protection.
- Talk to your website developer, IT staff or a security specialist about ways to protect your site and any payment forms you host
Using SSL to encrypt information submitted is essential so that forms operate at an https:// address. Discuss testing your systems for signs of common vulnerabilities and your options for fixing them.
- Use a CAPTCHA on your web form or require an account be created
Technical solutions like these can potentially slow down automated software ‘bots’ that are designed to validate card numbers in quick succession.
- Limit transaction volumes or website sessions by IP address or pre-screen payments from high risk countries if you are seeing fraudulent attempts to donate
Many New Zealand charities may only wish to accept donations from Kiwis using credit cards issued by NZ banks. Ask if you can filter payments by Bank Identification Number (BIN) to prevent overseas cards being accepted.
- Consider monitoring traffic volumes to your website
Talk with your website host about establishing an alert service so that you’re aware if you receive a sudden, unexpected spike in visitors.
- Investigate using a specialist online fraud management service
Sift Science offer an online service to assess transactions before handing them on to your merchant provider and may be an additional way to reduce fake donations.
- Weigh up the benefits of outsourcing your online donation process
Explore options from third parties with secure systems and dedicated resources to manage fraud such as PayPal or Givealittle. Givealittle.co.nz allows NZ charities and schools to register for a free fundraising page.
“Monitoring any payments received is an important way to detect fraud on your website. Be on the lookout for a series of small donations for odd values or random amounts. Real people tend to donate whole dollars – $20 rather than $4.73,” said Hails.
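The three checks that the advice above keeps returning to (limiting attempts per IP address, filtering by Bank Identification Number, and watching for runs of small odd-value donations) can be applied to a donation log after the fact or in a pre-authorisation step. The script below is an added example written for this article; it is not NetSafe's code and not part of any charity's payment system. The BINs, IP addresses, timestamps and amounts in the sample log are constructed values, and the allowlist of "NZ-issued" BINs is a placeholder: a real deployment would obtain the BIN ranges from the bank or merchant provider.

```python
"""Card-testing detection over a donation log (added example, not NetSafe's code).

Three checks drawn from the advice above, run over a constructed sample log:
  1. velocity per source IP inside a short window (limit attempts by IP),
  2. a BIN allowlist so only cards from chosen issuers are accepted (BIN filtering),
  3. odd-value amounts, since real donors tend to give whole dollars ($20, not $4.73).
Every value in SAMPLE_LOG and ALLOWED_BINS is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Placeholder BINs standing in for cards issued by NZ banks (constructed, not real ranges).
ALLOWED_BINS = {"000101", "000102"}

# Constructed sample log: (timestamp, source IP, amount in NZD, first six card digits).
SAMPLE_LOG = [
    ("2015-02-10T09:00:00", "198.51.100.4", "20.00", "000101"),
    ("2015-02-10T09:05:30", "198.51.100.9", "50.00", "000102"),
    ("2015-02-10T09:07:15", "198.51.100.4", "100.00", "000101"),
]
# A burst of twelve attempts in about 20 seconds from one address, each with a
# cents-level amount and a BIN outside the allowlist: the shape of the automated
# card-testing runs described in the article.
SAMPLE_LOG += [
    ("2015-02-10T09:10:%02d" % (2 * i), "203.0.113.7",
     "%d.%02d" % (1 + i % 3, 17 + i), "000999")
    for i in range(12)
]


def parse_log(rows):
    """Turn the raw tuples into dicts with typed fields."""
    return [
        {"ts": datetime.fromisoformat(ts), "ip": ip,
         "amount": Decimal(amount), "bin": card_bin}
        for ts, ip, amount, card_bin in rows
    ]


def velocity_offenders(txns, window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak_count} for IPs exceeding `threshold` attempts in any `window`.

    Uses a sliding window over each IP's sorted timestamps, so a slow trickle
    of genuine repeat donors is not confused with a burst of automated attempts.
    """
    by_ip = defaultdict(list)
    for t in txns:
        by_ip[t["ip"]].append(t["ts"])
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def bin_allowed(card_bin, allowed=ALLOWED_BINS):
    """BIN filtering: accept only cards whose first six digits are on the allowlist."""
    return card_bin in allowed


def is_odd_amount(amount):
    """True when the amount carries cents, e.g. 4.73; whole-dollar gifts return False."""
    return amount % 1 != 0


def review_transactions(txns, window=timedelta(seconds=60), threshold=10):
    """Return [(transaction, [reasons])] for every transaction that trips a check."""
    offenders = velocity_offenders(txns, window, threshold)
    flagged = []
    for t in txns:
        reasons = []
        if t["ip"] in offenders:
            reasons.append("ip-velocity")
        if not bin_allowed(t["bin"]):
            reasons.append("bin-not-allowed")
        if is_odd_amount(t["amount"]):
            reasons.append("odd-amount")
        if reasons:
            flagged.append((t, reasons))
    return flagged


if __name__ == "__main__":
    txns = parse_log(SAMPLE_LOG)
    for t, reasons in review_transactions(txns):
        print(t["ts"].isoformat(), t["ip"], t["amount"], t["bin"], ",".join(reasons))
    print("velocity offenders:", velocity_offenders(txns))
```

On the constructed log the three genuine donations pass untouched, while all twelve burst attempts are flagged on every check at once; the velocity check alone is what an alert service on traffic spikes would catch, and the BIN and amount checks are the ones a merchant provider can usually apply before a card is authorised, so a declined test attempt never becomes a donation that later has to be refunded.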
If your website has been targeted by credit card fraudsters, speak with your bank or merchant provider. You can also contact NetSafe via their freephone number 0508 NETSAFE or report an incident online at www.theorb.org.nz.