8 Measures To Prevent Bots On Donation Pages
With #GivingTuesday less than 3 months away (December 3, 2019), most nonprofits are gearing up for their year-end giving campaigns. Creating and managing a dedicated donation page for Giving Tuesday is a vital part of these fundraising campaigns. But how does your nonprofit ensure that it does not fall prey to bots that are always trying to make fraudulent transactions on your donation page? Let’s find out together.
The typical scenario looks like this: fraudulent transactions are submitted through an online donation form connected to a payment processor because one or more scammers are testing credit card numbers on the form. This raises concerns about the security of the web donation form and about the payment processor's continued processing of legitimate transactions. Some major concerns:
- Payment processor freezing processing due to the volume of fraudulent transactions: your payment processor may stop processing charges for your site and force you to prove that you've updated the site to prevent future bot hits.
- Staff time to review fraudulent transactions: ideally you don't want fraudulent submissions even reaching the point where the payment gateway (e.g. Authorize.Net) has to block them. Given that bots usually make thousands of hits in short spans of time to get one successful transaction, imagine how many transactions your staff would have to review.
- Transaction fees if any fraudulent transactions are able to come through: we know of a nonprofit that had 50,000 hits, at $0.10 each, resulting in transaction fees of $5,000. This number could be much higher depending on the volume of transactions.
8 security measures to limit and prevent bots on your pages:
- Have payment processor filters – these are your first line of defense.
- Block IP addresses implicated in payment processor fraud. For added security you can also filter or flag them.
- Create a “Honeypot” field. A honeypot is a security mechanism (a decoy) used to lure attackers into revealing their origins and techniques. This honeypot field should not be accessible in the UI (user interface), and a processing-blocking error should be raised whenever a submission arrives with the field populated, since a human donor never sees it and only an automated script would fill it in.
- Do a quarterly audit of the credit processing log.
- Have a CAPTCHA/reCAPTCHA field on your donation page. This is the field that pops up right before a transaction is processed and asks you to enter the exact text or audio that the CAPTCHA box presents. This field significantly slows down and, in most cases, stops bots. The con is that some people don't like the user experience of CAPTCHA, so it may be seen as a barrier to donating.
- Go a step further with invisible reCAPTCHA. This free service by Google helps detect bots on a page by analysing user activity such as mouse movements and clicks; if the activity looks suspicious, a reCAPTCHA challenge appears.
- Use CDNs like Incapsula or CloudFlare that block bots automatically from entering the site. A content delivery network (CDN) is a geographically distributed group of servers that work together to provide fast delivery of content over the internet. A properly configured CDN can also help protect websites against some common malicious attacks, including those by bots. It is important to note that most such CDNs do have associated fees.
- Update your transaction key periodically. A transaction key is a 16-character alphanumeric value that is randomly generated in the Merchant Interface and works in conjunction with your API Login ID to authenticate you as an authorized user of the Authorize.Net Payment Gateway when submitting transactions from your web site. Just like passwords, transaction keys need to be updated periodically for added security.
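To make the honeypot and IP-blocking measures above concrete, here is an added example (not code from the original post or from any vendor) of a server-side screening step that runs before a submission is handed to the payment gateway. The field name, the hidden-field markup and the blocked address ranges are assumptions constructed for the example.

```python
"""Screen a donation-form submission before it reaches the payment gateway."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed decoy field name. It is hidden from humans by moving it off-screen and
# excluding it from tab order and screen readers; bots that fill every text input
# will still populate it. (Constructed markup, not the post's own form.)
HONEYPOT_FIELD = "website"
HONEYPOT_MARKUP = (
    '<div style="position:absolute;left:-9999px" aria-hidden="true">'
    f'<label for="{HONEYPOT_FIELD}">Leave this field empty</label>'
    f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
    'tabindex="-1" autocomplete="off"></div>'
)

# Addresses and ranges the payment processor's fraud filters implicated in
# card testing (constructed sample values).
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]


@dataclass
class Screening:
    allowed: bool
    reason: str  # short tag suitable for the audit log staff review quarterly


def screen_submission(form: dict, client_ip: str) -> Screening:
    """Return Screening(allowed=False, ...) for anything that must not be charged."""
    # 1. Honeypot: any value at all means the field was filled by automation.
    if form.get(HONEYPOT_FIELD, "").strip():
        return Screening(False, "honeypot_populated")
    # 2. Blocklist: reject addresses already flagged by the processor.
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return Screening(False, "invalid_client_ip")
    if any(addr in net for net in BLOCKED_NETWORKS):
        return Screening(False, "blocked_ip")
    return Screening(True, "ok")
```

Only submissions that come back `allowed` should be forwarded to the processor; the `reason` tag gives staff a quick way to count blocked attempts per cause when auditing the processing log.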
Outcomes/Symptoms that could lead to early detection:
- The payment processor blocks the payments through its fraud detection suite filters: one of the biggest telltale signs is having multiple blocked payments. You can see blocked payments (some held for review and some outright declined) in the payment processor's filters.
- Checking Salesforce for donation records: if the donation form is connected to Salesforce, Salesforce will not create donation records for fraudulent transactions, but the system logs do record the exceptions.
Need to understand how secure your donation page is? Contact your payment processor directly to understand the potential implications of fraudulent submissions for the availability of legitimate transaction processing, and how their assessment aligns with the measures above. Need help implementing these security measures? Get in touch with ECHO!