If you are receiving fraudulent transactions, please contact your payment processor and bank immediately.
If any of the fraudulent transactions are successfully processed, refunds must be issued by Neon Pay or your third-party payment gateway provider.
Please contact our support team for assistance with blocking specific IP addresses that may be associated with the fraudulent transactions.
What are fraudulent transactions? How does this happen? Why?
There are two types of online credit card transaction fraud:
- Computer-based. A computer bot, software application or automated program attempts to process an online transaction repeatedly in a short period of time. The security measures below can help block and prevent these attempts.
- Human-based. A person at a computer enters stolen or fake credit card information to process a transaction. While the security measures below can and should still be enabled, this type of online credit card fraud is the toughest to prevent.
Both computer-based and human-based credit card fraud reach online transaction pages (e.g. an online donation form) through an organization's website. Nonprofit online donation forms are designed to be simple and easy to use for legitimate donors, but this also makes them a likely target for credit card fraud.
Detecting Fraudulent Transactions
- You may be notified of fraudulent activity by your payment processor.
- You may see data in your Neon CRM system that is suspicious.
Fraudulent transactions in your Neon CRM are most commonly seen as multiple failed transactions (e.g. donations, event registrations, membership registrations) by the same name, email address or IP address in a short period of time.
Keep an eye on your number of declined or errored transactions with the Incomplete Transactions widget. Navigate to any dashboard and locate or add this widget.
Select View Transactions to look for repeated failed transactions from one source.
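The pattern described above (repeated failed transactions from the same name, email address or IP address in a short period) can also be checked offline against an exported transaction list. The Python script below is an added example, not Neon CRM code: the CSV column names, the 10-minute window and the threshold of 3 are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data). The column names are assumptions,
# not Neon CRM's export format; rename them to match your own report.
SAMPLE_CSV = """time,status,name,email,ip
2024-05-01T10:00:05,failed,Test User,t1@example.com,203.0.113.7
2024-05-01T10:00:40,failed,Test User,t2@example.com,203.0.113.7
2024-05-01T10:01:10,failed,Test User,t3@example.com,203.0.113.7
2024-05-01T10:02:00,failed,Test User,t4@example.com,198.51.100.9
2024-05-01T09:15:00,failed,Jane Donor,jane@example.org,192.0.2.44
2024-05-01T14:30:00,succeeded,Jane Donor,jane@example.org,192.0.2.44
2024-05-01T16:00:00,failed,Sam Lee,sam@example.net,192.0.2.80
2024-05-01T18:45:00,failed,Sam Lee,sam@example.net,192.0.2.80
"""

def load_rows(text):
    """Parse the exported CSV text into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def find_bursts(rows, window=timedelta(minutes=10), threshold=3,
                fields=("name", "email", "ip")):
    """Return {(field, value): peak failed count} for every name, email or IP
    with at least `threshold` failed transactions inside one `window`."""
    failed = defaultdict(list)
    for row in rows:
        if row["status"].strip().lower() != "failed":
            continue
        ts = datetime.fromisoformat(row["time"])
        for field in fields:
            value = (row.get(field) or "").strip().lower()
            if value:
                failed[(field, value)].append(ts)
    flagged = {}
    for source, times in failed.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[source] = peak
    return flagged

if __name__ == "__main__":
    for (field, value), count in sorted(find_bursts(load_rows(SAMPLE_CSV)).items()):
        print(f"{count} failed transactions in one window for {field}={value}")
```

In the sample, the rotating email addresses are not flagged on their own, but the shared name and IP address are, which is why the check groups by all three fields. Two failures hours apart from one donor stay below the threshold.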
Stopping and Preventing Fraudulent Transactions
The options below are immediate actions you can take to stop fraudulent transactions from continuing and prevent them from happening in the future:
1. Add a captcha to your online transaction forms (e.g. a donation form).
A captcha is the "I am not a robot" checkbox.
To add this feature to a donation form:
a. Select Forms & Pages in the navigation menu and then select Forms on the drop-down menu.
b. On the Form list page, select the donation form you wish to edit.
c. Select the Edit icon in the upper right corner (the pencil icon).
d. Select the Settings (gear) icon in the left side menu of the Form Builder and ensure the toggle for Always Show reCAPTCHA option is turned on.
2. Enable Velocity Control. You can choose exactly how many submissions are allowed before an IP address is blocked, or before a captcha is automatically added to a form. Navigate to the Global Settings cog > Global Settings > Spam Prevention > Velocity Control.
Note: If you already have Velocity Control enabled and are still experiencing fraudulent transactions, we recommend adjusting the maximum numbers to be lower.
3. Make your donation form a two-page flow. This will help disrupt the spammer's process by splitting the donation process into two pages: the first page will collect contact information, and the second page will collect payment information.
a. Select Forms & Pages in the navigation menu and then select Forms on the drop-down menu.
b. On the Forms list page, select the donation form you wish to edit.
c. Select the Edit icon in the upper right corner (the pencil icon).
d. Select the Form Editor icon in the left side menu of the Form Builder and ensure the Multi-Page (recommended) option is selected under the Select Page Flow heading section.
4. Country IP Address Blocking. If your organization's database consistently receives spam and/or fraud requests from certain countries you do not work with, you can choose to block those countries. Navigate to the Global Settings cog > Global Settings > Spam Prevention > Country IP Address Blocking.
Note: If you do legitimate business with a country, you should not use this method to block the country's IP addresses. Also, IP addresses associated with the United States cannot be blocked via this method; the United States is always on the whitelist.
Deleting Fraudulent Accounts & Transactions
You can use the bulk operations feature to bulk delete the fraudulent accounts and transactions created (instructions here). As for what criteria to choose when selecting accounts to delete, we recommend using a common indicator among the fraudulent accounts, such as email address or name.
Re-entering Payment Gateway Credentials
If your payment processor freezes your account and changes your gateway credentials, you'll need to re-enter these new credentials in your Neon CRM. Navigate to the Global Settings cog > Global Settings > Payments & Transactions > Payment Gateways and edit your existing gateway.