As part of the Emailage, a LexisNexis Risk Solutions Company, virtual event series, Thomas Barnes, regional marketing manager for Emailage, EMEA presented on outsmarting charity fraud. The transcript below features the presentation and has been edited for clarity and brevity.
Well, good morning, everyone, and thank you for joining us today. My name is Thomas Barnes and I’m the regional marketing manager for Emailage for EMEA and I’m here today to talk to you about donation fraud.
So the big question that all of us want to get answered today is why are criminals spending millions of pounds donating to charities every year? Well, I can tell you the answer certainly isn’t because they have good intentions. They’re here to cause harm.
And unfortunately, they do this through donation fraud. Now, donation fraud comes under many terms and it can also be known as charity fraud and mandate fraud.
So in today’s agenda, we’re going to discuss the fraud and criminal landscape we live in. We’re also going to discuss why charities are targeted as a result.
We’re going to discuss how donation fraud actually works. And then some ways to prevent it.
The evolution of charity fraud
So firstly, if we look at how crime has evolved over the years, you can see that 40 years ago criminals were working as individuals.
So this would be your fraudster or a criminal going into a physical high-street shop and looking to try and steal something. Now these shops or charities would look to hire maybe a security guard to stop this happening. But as you can see, over the years, fraud and crime has evolved from individuals to collaborating as part of a team and then working as part of a global organised crime ring. Especially with the rise of the Internet in 2010, we saw a huge peak in online trends with regards to people buying online rather than going into physical stores.
And, you know, fraudsters / criminals have, unfortunately, exploited this area and they now are operating as part of this organized global crime ring. And they can be doing it all from a room just a few doors down from where you live.
So it’s a scary world that we’re living in today.
And now one of the biggest trends in fraud that has been happening over the last few years is around global card fraud. What I mean by this is where card details have actually been stolen online due to data breaches. Now this could be credit cards, bank account information, but also debit card information. And you can see from even just 10 years ago in 2010, the rise in this type of fraud has gone up by 5X from 7 million up to 32 million, which is a huge problem in today’s world, not only in the charity sector, but also in the private sector.
Why donation fraud has seen an increase
So what’s causing this huge rise in fraud? Well, as I mentioned earlier, it’s down to the rise of the Internet and more and more transactions are happening online now. And you can see from the graph on the right how much it’s increased.
But this rise in online transactions has led to a loophole which fraudsters and criminals are now exploiting. By stealing bank account details from individuals, they’re then going and selling these details on the dark web.
You can see below the four squares that we’ve got there. So the first one is bank account information that’s being sold online for anywhere up to a thousand pounds, so very valuable. But today, what we’re going to really focus on is donation fraud, using stolen credit card data, stolen debit card data and bank details. So you can see any active card details are sold on the dark web for anything up to 60 pounds.
So it’s very valuable for a criminal to be able to get access to your personal details.
An example, back in 2019, where British Airways in the private sector had a huge data breach, they had five hundred thousand bank and personal details of their customers stolen.
As a result of this stolen data, the fraudsters would then go online and perform a payment transaction to see which of those cards are still active and which ones are inactive. The reason for this is because as soon as the data breach happened, a lot of the customers would have then called up their banks and canceled their cards, making the cards inactive. Obviously, those cards are no longer valuable to the fraudster. So it’s really in the fraudsters’ / criminals’ interest to test which cards are either active or inactive. And we’ll explore that in a bit more detail on the next few slides. So why is a charity targeted with this type of card testing fraud, through donations on their websites? Well, a couple of reasons.
What makes charities a prime target?
The first one is having a lack of fraud controls in place. For some of the larger charities, this may not be the case because they have the funding to do this.
But certainly some of the smaller / mid-size charities don’t. They usually don’t have the financial backing to invest in these types of fraud prevention measures, especially big fraud platforms. They just don’t have the money and unfortunately, that’s the reality. And then I guess coupled with that is the resources as it’s very hard to get the in-house expertise to be able to manage and prevent this type of fraud.
Recruiting an individual that really knows how to prevent this type of fraud is also a challenge. And the other one that I’ve listed is police / law enforcement. So typically, police are overstretched and if charities are reporting small frauds of, say, a £2 donation, typically they’re not going to investigate that. Police / law enforcement will typically focus on what the public wants. And that’s around things like knife crime, burglaries and anti-social behaviour. So they’re not really so much focused on online fraud. That’s not to say that they have started to do more.
The point I’m trying to make here is it’s really the responsibility of all of us to prevent fraud. Both as individuals and organizations. And I’m not talking about just charities, but the private sector as well. Fraud really is a nasty thing because it funds things like human trafficking. And it really is a growing problem and something that we all need to be working together towards to combat. And then the last point is charities are very trusting of people, and that’s great. But what that does, is leave the door wide open for fraudsters to exploit and become a target by living by the mantra that all donations are welcome.
So if we look at the scale of fraud that’s happening in U.K. charities. And this is a report from the Charity Commission for England and Wales 2018. We’re currently seeing 2.3 billion pounds of frauds happening. And this is impacting the charity industry every year, which is a massive problem. Just to put this number into perspective, the industry on average discloses around about £80 billion a year in income. So almost 5 percent of the income is being lost to fraud every year. So clearly, it’s a massive and growing problem and one we all need to work together to do something about. Now, this figure covers many types of fraud including employee fraud, bank fraud, procurement fraud and grant fraud. A recent stat that I didn’t put on this slide reported by Action Fraud, which is the police hotline for reporting online fraud in the U.K., reported that there’s £8 million worth of online donation fraud happening every year. But this is only a fraction of what’s actually being reported. There is actually 2.2 billion pounds worth of online donation fraud happening every year that goes unreported.
So what I want to do now is just to get you guys thinking as finance people about the impact that fraud has on your charity as a whole.
Examples of what charity fraud looks like
So let’s take this as the first example of a charity without any fraud measures in place.
So what you can see now in this Total Cost Of Fraud illustration is this triangle shape here. So in the bottom right, you’ve got lost donations: £0. Now, the reason I put zero is because charities don’t want to be losing any donations due to friction on their website.
The key focus as a charity is to make sure those donations are coming in. Yes, it’s getting harder and harder to get those donations, but we certainly don’t want to impact any genuine donations by implementing any friction on the donation process when trying to reduce fraud. Let’s keep the donations coming in. But what that does, if we are going to say, right, let’s not do anything about fraud. Well, that’s going to push this triangle shape upwards. And we’re going to say, right, look, we’re happy just to accept this fraud because we certainly don’t want to stop any donations. So therefore, in this example, this charity could be losing anywhere up to 2 million pounds in fraud every year. And then in the far-left corner, we’ve got the operating costs.
Now, this is the cost of running your charity and onboarding employees / volunteers. And so what does this mean for the overall cost to running your charity? So the overall cost listed is £3 million within this example. Now, if we flip to example number 2 on the second slide which has got some fraud measures in place, you can see that the shape of the organization’s Total Cost Of Fraud triangle has shrunk and suggests, again, we’re still focusing on donations. We certainly don’t want to be losing any donations by creating any unnecessary friction to stop fraud. But what we have done in this example is we’ve invested in some fraud prevention measures. And by doing that, we’ve managed to reduce the height of the triangle by 50 percent with a saving of £1 million.
So what does that mean for the overall cost to the charity? We’ve just saved ourselves nine hundred thousand pounds by implementing some fraud measures, most importantly without impacting any donations. You can now see how the height of the triangle has shifted down and the operating costs have shifted out slightly with donations remaining the same. I wanted to get you guys as finance people starting to think about these types of numbers and the potential there is to save money for your charity.
Charitable giving trends in the United Kingdom
So if we look now at some of the donation trends happening in UK charities.
A recent report from the UK giving firm CFF. We all know that donations are on the decline overall and have been for the last three years and it’s getting much harder. That’s not to say that some of the donors aren’t giving more money, that is true. But overall, it’s getting more and more difficult to get those donations coming in, especially online. And it’s also true that charities are now having to compete for donations. There’s many charities out there. So we certainly want to be investing in marketing communications and getting ourselves out there.
Consumer expectations have grown, so what I mean by that is someone like me or you are also expecting a frictionless user experience when we go on your websites to donate money. And this has certainly increased.
What’s the end result of all this? Well, let’s try and reduce some of the steps online in the donation process. And this should in turn cause less friction, which should actually increase your donations. That’s all well and good. But what this does is leave charities vulnerable to criminals.
Now let’s look at how donation fraud actually works. You’ve a fraudster at the start. And going back to the British Airways example of the data breach where the criminals stole five hundred thousand customers’ bank details, credit cards, debit cards. So this online crime gang would have sent the card details to this fraudster who would be operating as part of this global network. They would then have five hundred thousand credit cards to test online and see which ones are active and which ones are inactive. So the criminal really has two choices. So first choice, they could either go to a private sector e-commerce merchant such as a company like Amazon to test if the card works by buying something. And if the payment transaction goes through, the criminal then knows they have an active card and they can get rid of all the inactive cards. Option B is to go and donate on a charity website to test if the card is active. The fraudster is more likely to go to the charity website because a lot of the companies operating in the private sector have fraud prevention measures in place, different software, different fraud platforms that they invested in.
And so this is why fraudsters and criminals are going after charities with this type of fraud.
So you’ll see that the criminal will be able to put a small transaction / donation on the charity website, say £2, usually a small amount and see if the donation was accepted or declined. Say half of those five hundred thousand cards were accepted. So that means they would be able to sell 250,000 active credit and debit cards on the dark web for anything up to 60 pounds per card. So the motivation for the criminal is they’re going to make a lot of money selling the active cards. But what does this all mean for a charity? Well, unfortunately, the charity will lose the initial donation made by the fraudster, whatever the amount is. And then even more unfairly, the bank or the payment processor, once the individual cardholder realizes it’s a fraudulent transaction, will request a chargeback. The payment processor / bank will then go back to the charity and charge them an average of £15 per transaction.
So you can see not only does the charity lose out on the initial donation, but they also get hit with a £15 charge. And you can imagine if this is happening at scale, the charities are losing a huge amount of money from this.
Fraudsters are ruthless. And so the other thing that they do is called the double dip when donating. An example of this would be where a criminal donates a large amount of money on a stolen card, say five thousand pounds to an online charity website. The criminal would then report that donation as the wrong amount. So they will say, I was only meant to donate five hundred pounds and I donated five thousand. So then the fraudster will request the four thousand five hundred pounds back from the charity either onto their card or by bank transfer to another account. And then the other thing that the criminal is doing is then calling up the bank and saying this payment wasn’t meant to happen. Please refund the money back to me. So, the fraudster is exploiting both the charity and the bank, and they’re now walking away with nine thousand pounds.
This is very unfair. But this is unfortunately the reality of what these criminals are doing to charities.
Best practices for outsmarting charity fraud
So what are some things that we can do to help charities prevent donation fraud?
Now we all know that charities large and small don’t have the funds or the resources to invest in these large software platforms that are typically created for the private sector. So firstly, by implementing a robust fraud risk management strategy – and there are a couple of things we can do here. Now, one of the things we can do is on your donation website, you can implement a step within the donation process to add the CVV number and that’s the three-digit number found on the back of the credit cards and debit cards.
Fraudsters typically won’t have access to this data because it’s an extra step in the process. So this again, makes it just that much harder to commit fraud.
Another thing you can do that’s fairly straightforward is to insert a CAPTCHA phrase on your website. For example, there’s usually nine squares and it will say something like, please tick all the boxes that have images with traffic lights in. That may be three out of the nine squares or something like that. This helps stop bots from donating on your website at scale. Now, another thing you can do is work closely with your regular donors. So you might have someone that donates on an annual basis and what they will do is check their bank statement and might see that they don’t recognize the payment that’s gone out to your charity, maybe it could be that the name doesn’t match the charity, so confusion arises. Or it could be that they’ve forgotten that they’ve subscribed to donate to your charity. This can also happen when you have shared accounts between partners and the other isn’t aware of signing up to donate and as a result requests a chargeback from the bank. Constant communication by investing in marketing and holding different events can really help to keep that engagement going with your donors. Finally, by investing in digital fraud prevention solutions like Emailage, we can really help you to prevent this type of online fraud.
So we believe we are the answer to fraud prevention using the humble email address. Now, you might think, how is the e-mail address so powerful in preventing fraud?
Now, by e-mail address, I mean your Hotmail account or your Gmail account. The e-mail address really is the only unique global digital identifier in fighting fraud.
The email address is a very sticky data point in providing information around fighting fraud. I personally have had my Hotmail.com account for the last 15 years and it’s linked to many different online accounts.
I’ve used it to sign up to my bank accounts. I’ve connected my e-mail address with Amazon, and done online shopping with Tesco.
So it’d be very difficult for me if I wanted to change my email address as I would have to go back and update all of my accounts. The average e-mail address is tied to over 130 accounts.
So it makes it very hard for fraudsters to replicate this kind of online activity with an email, as we’re able to track all of the activity from the past just based on the email address. So you can see it’s a very powerful tool for combating fraud.
Here’s an example of how our technology actually works and would be able to help you as a charity to identify and stop donation fraud from happening. If we take the example of a customer here, this would be a typical fraudster. So the fraudster would go on your website to donate some money, say £2, once they put in their contact details, their first name, last name, address and email address and then their card details to donate. Our solution would quickly do an API call to the network. We would then look in our global consortium network of fraud intelligence and we would correlate the e-mail address with other data points. We can then tell you if this transaction is likely to be fraudulent or not. You can see here in this example, the score that’s come back is very high risk.
So you would have confidence knowing that this transaction would be fraudulent.
The Emailage network is incredibly powerful. You benefit from fraud prevention on many fronts. Not only at an industry level with other charities, but also cross industry. So, for example, if you’ve got another charity that has already marked a particular email address as fraudulent in the past then you would be notified. Now, the other thing that you would benefit from is all of the data and the fraud signals within the private sector. And this is happening on a big scale because typically a criminal / fraudster will not just operate in the charity space. They will go online and book airline flights and holidays. They’ll buy things on Amazon. So we accumulate all of this data and network intelligence, which is powerful in fighting fraud. I always like to give the example of a criminal who doesn’t operate alone now. They operate as part of a global organized crime ring. So we’ve taken that same model and turned it on its head. The more members that join our network, we become stronger.
As a global network we are able to combat fraud more effectively, just like the criminal does by working with multiple people as part of a gang. So we’re reversing that model and fighting back against them.
This is just a quick example of how scoring works. So it ranges from risk band one to six. Risk band one means that transaction would be very low risk. Risk band six means the transaction would be very high risk. Now, as a charity, we certainly don’t want to impact any genuine donations. So we would tailor your rules / modeling with our data scientists to say that anything that falls in risk band six, we would certainly look to decline because that would be fraudulent, but that everything else we would look to put through as a genuine donation. Now, a lot of you’ve probably got some questions around GDPR, a lot of you might ask, do you need to get consent for this? And the answer is no. Typically a lot of people confuse consent for marketing purposes. GDPR clearly states for the purposes of preventing fraud, it is absolutely OK to process personal data.
And we have the certificates here to prove that.
So in terms of next steps, what I’d like to do is prove our value to your charity. And I want to run a test to show how much fraud we would have caught based on the fraud that you’ve marked as fraudulent in the past based on chargebacks with the bank. So if you would like to send me an email, my email address is Thomas.email@example.com. I will walk you through the next steps and process, and align you with our fraud manager. And we would like to prove to you how much fraud and how much money we can save you and stop these bad guys from getting through. So thank you very much and I hope you enjoyed the presentation today.