5 Steps to Prevent Fraudulent Donations Online
If your non-profit has experienced fraudulent donations through your website, you are not alone. It doesn’t make a difference what software you use; fraudulent donations plague us all. We Are Immediate frequently uses GiveWP as our donation software of choice, and a staffer there gave us excellent pointers to help cut down or eliminate this annoying trend, which plays havoc on our books, financials, and other non-profit record keeping. These steps will help prevent fraudulent donations.
My first recommendation when dealing with spam is to make sure you reach out to your payment gateway, especially if you need to process refunds. Running large numbers of refunds can trigger fraud alerts for most gateways, and you’ll want to check in with them about the best way to deal with refunding to avoid those triggers.
What you are experiencing is most likely what we call “donor spam.” This can happen for a wide variety of reasons, and it is sadly very common across all donation platforms. Let me give you some context and a broader picture of all the ways we address this.
1: Our Akismet Integration – For GiveWP Only
Install or activate the free Akismet plugin. Then go to “Donations > Settings > Advanced” and ensure that our Akismet SPAM protection is enabled there and save changes. This will help deter known spammy email addresses from being able to donate.
2: Use Cloudflare or Sucuri
These are third-party services that help both speed up your website and provide protection against bot attacks like what you are experiencing. Some sites get added to bot lists and there’s nothing you can do to prevent them from just continually attacking your site, except using a strong and dedicated firewall/security service like these two. Cloudflare has a paid option, but it also has a free basic plan in case that is a better fit. We Are Immediate uses Sucuri and WordFence on all of our websites.
4: Set a higher minimum donation amount
Sometimes, simply increasing the minimum donation amount is a very effective way of preventing these types of attacks. Bots tend to test forms with $1 or up to $5 amounts. If your form only accepts donations of $10 or higher, you can stop these low-effort bots. We recommend this as well for all of our clients.
5: For WordPress websites, use a spam-stopping plugin
You can find spam-stopping plugins in the WordPress plugin directory: https://wordpress.org/plugins/
Additional steps to prevent fraudulent donations
Because donor spam can be very tricky to eliminate, I’m also going to share some next-level tips that have been helpful for some of our other users.
1: Payment gateways record donor locations and IP addresses.
You can view these IP addresses from your payment gateway account, and then block those that match your spam donations. You can also find these IP addresses in the donation record in GiveWP. You’ll need to navigate to Donations > Donations and then click to view the detailed view of the donation. You’ll see a meta box on the right-hand side that includes the IP address. You can use this to block those spam donors as well.
2: In the case of extremely persistent spam
Enable or increase the fraud detection settings at your credit card processor. Stripe, for example, offers Radar, which uses machine learning to block attacks. Each payment gateway has its own method, so I would recommend reaching out to your payment gateway for this information.
3: Add rate limiting.
Most donor-spam attacks are bulk card-verification attacks run by automated scripts: plugins like WordFence, reverse proxies like Cloudflare, and Web Application Firewalls (WAF) can detect this abusive behavior and block the attacking IP addresses.
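As an added example (not code from the original article or from GiveWP), the script below applies the two ideas above to an exported list of donations: it flags IP addresses that show a burst of $1 to $5 gifts in a short window (the card-testing pattern rate limiting is meant to stop), and it counts how many of those gifts a higher minimum amount would have rejected. The record field names and the sample rows are constructed assumptions, not real donor data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). The field names are an assumption;
# adapt them to your gateway export or the GiveWP donation list.
SAMPLE_DONATIONS = [
    {"id": 1, "ip": "203.0.113.7",  "amount": 1.00,  "time": "2024-05-01T10:00:00"},
    {"id": 2, "ip": "203.0.113.7",  "amount": 1.00,  "time": "2024-05-01T10:00:09"},
    {"id": 3, "ip": "203.0.113.7",  "amount": 2.00,  "time": "2024-05-01T10:00:20"},
    {"id": 4, "ip": "203.0.113.7",  "amount": 1.00,  "time": "2024-05-01T10:00:31"},
    {"id": 5, "ip": "198.51.100.4", "amount": 50.00, "time": "2024-05-01T10:05:00"},
    {"id": 6, "ip": "198.51.100.9", "amount": 5.00,  "time": "2024-05-01T11:00:00"},
]

SMALL_AMOUNT = 5.00            # bots test with $1 to $5 gifts
WINDOW = timedelta(minutes=10)  # how close together the small gifts must be
BURST_THRESHOLD = 3            # this many small gifts from one IP inside WINDOW


def find_card_testing_ips(donations, small_amount=SMALL_AMOUNT,
                          window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {ip: [donation ids]} for every IP with a burst of small gifts.

    For each IP, the small donations are sorted by time and a sliding window
    checks whether any `threshold` consecutive gifts fit inside `window`.
    A single $5 gift from a real donor is never flagged on its own.
    """
    by_ip = defaultdict(list)
    for d in donations:
        if d["amount"] <= small_amount:
            by_ip[d["ip"]].append((datetime.fromisoformat(d["time"]), d["id"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                flagged[ip] = [ident for _, ident in events]
                break
    return flagged


def blocked_by_minimum(donations, minimum):
    """Ids of donations a form minimum of `minimum` dollars would have refused."""
    return [d["id"] for d in donations if d["amount"] < minimum]


if __name__ == "__main__":
    print("suspect IPs:", find_card_testing_ips(SAMPLE_DONATIONS))
    print("stopped by a $10 minimum:", blocked_by_minimum(SAMPLE_DONATIONS, 10.00))
```

Feed the flagged IPs to your firewall or WAF block list, and compare the second list against your refund queue to judge whether raising the minimum is worth it for your donors.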
4: As a very last resort, consider requiring a login.
This is a last resort because not every donor likes to create an account to give, but in cases of especially resistant spam attacks, this might be necessary. Essentially, you would disable guest checkout or guest donations by requiring that all donors log in to donate.