If you are receiving fraudulent transactions, please contact your payment processor and bank immediately.
Please contact our support team for their assistance with blocking specific IP addresses that may be associated with the fraudulent transactions.
There are two types of online credit card transaction fraud:
- Computer-based. A computer bot, software application or automated program attempts to process an online transaction repeatedly in a short period of time. The security measures below can help block and prevent these attempts.
- Human-based. A person at a computer enters stolen or fake credit card information to process a transaction. While the security measures below can and should still be enabled, this type of online credit card fraud is the toughest to prevent.
Computer-based and human-based credit card fraud can access online transaction pages (i.e. online donation form) through an organization's website. Nonprofit online donation forms are designed to be simple and functionally easy to use for legitimate donors, but this also makes them a likely target for credit card fraud.
- You may be notified of fraudulent activity by your payment processor.
- You may see data in your Neon CRM system that is suspicious.
Fraudulent transactions in your Neon CRM are most commonly seen as multiple failed transactions (i.e. donations, event registrations, membership registrations, etc.) by the same name, email address or IP address in a short period of time.
Keep an eye on your number of declined or errored transactions with the Incomplete Transactions widget. Navigate to any dashboard, locating or adding this widget.
Select View Transactions to look for repeated failed transactions from one source.
The options below are immediate action you can take to stop fraudulent transactions from continuing and prevent them from happening in the future:
- Add a captcha to your online transaction forms (i.e. donation form). Navigate to Global Settings cog Global Settings Standard Forms Configure Fields & Sections choose the page you would like to configure. "Captcha" will be one of the available fields during Step 2 of this process.
A captcha is the "I am not a robot" checkbox:
- Enable Velocity Control. You can choose exactly how many submissions are allowed before an IP address is blocked, or before a captcha is automatically added to a form. Navigate to the Global Settings tab Global Settings Spam Prevention Velocity Control.
*Note: If you already have Velocity Control enabled and are still experiencing fraudulent transactions, we recommend adjusting the maximum numbers to be lower.
- Make your donation form a two-page flow. This will help disrupt the spammer's process by splitting the donation process into two pages--the first page will collect contact information, and the second page will collect payment information. Navigate to Forms & Pages > Links & Pages > Donation Forms. Select [Change] under the Navigation Flow column to view your options Select the two page option.
- Country IP Address Blocking. If your organization's database consistently receives spam and/or fraud requests from certain countries you do not work with, you can choose to block those countries. Navigate to the Global Settings tab Global Settings Spam Prevention Country IP Address Blocking.
Note: If you do legitimate business with a country, you should not use this method to block the country's IP addresses. Also, IP addresses associated with the United States cannot be blocked via this method; the United States is always on the whitelist.
You can use the bulk operations feature to bulk delete the fraudulent accounts and transactions created (instructions here). As for what criteria to choose when selecting accounts to delete, we recommend using a common indicator among the fraudulent accounts, such as email address or name.
If your payment processor freezes your account and changes your gateway credentials, you'll need to re-enter these new credentials in your Neon CRM. Navigate to the Global Settings cog Global Settings Payment Gateways and edit your existing gateway.