Fighting fraudulent test donations is an ongoing cat-and-mouse game. The good news is that Donorbox and Stripe have made great strides in cutting down the number of scam donations significantly. Stripe has a native fraud blocking solution based on machine learning called Stripe Radar. Radar is highly effective at auto-blocking most fraudulent donations. However, scam donations can still pass through. There are additional fraud detection measures that Donorbox implements to complement Radar.
Billing ZIP/Postal Code Validation
Donorbox has the ability to utilize ZIP or postal code validation. This option will be enabled by default once you connect Stripe. You can see this on your Payment Methods page.
Collecting the billing postal code is best practice in the US. In other countries, billing postal code verification may not be common practice. If any of your donors are from countries that don't use postal code verification, you can reach out to our support team so that this feature can be disabled. Note that this verification can greatly help to reduce fraudulent donations, especially for US-based organizations. If you'd like it removed from your form, we'd recommend that you enable reCAPTCHA in your campaigns.
reCAPTCHA on Donorbox Forms
Please know that reCAPTCHA version 3 is auto-enabled on Donorbox donation forms. No extra steps are needed to make this tool available. This reCAPTCHA is done without being visible to the donor. It is based on fingerprint data and the donor's interactions with the form. If the score is above a certain threshold then the user won't be presented with a visual challenge.
With version 3 of reCAPTCHA, you can let all users log in without any intervention at all if their score is above some threshold, and only show a version 2 checkbox reCAPTCHA challenge (fall back to v2) if it is below the threshold.
If you want reCAPTCHA disabled for your Donorbox account, please feel free to reach out to our support.
Please also note that Donorbox does not collect a billing address because it produces too many false positives. Some donors may forget which address they used for the card or could have a typo in the address on file with their bank. Plus, making the donor type in their full address can potentially lower your conversion rates. When it comes to the donation checkout, less is better.
Block Scammers who Frequently Test Cards
Even with the postal code check, some cards can still bypass the validation process. Scammers buy a massive number of stolen cards and may attempt to test them by charging various amounts on them to see if they work. To mitigate this, we have just come out with auto-blocking for scammers who try to donate frequently in a short period of time. Please see our blog post for more information: https://donorbox.org/nonprofit-blog/block-fraudulent-test-donations/.
Furthermore, we are working on improving our fraud blocking by permanently blacklisting frequent offenders in our network. We believe that these measures will significantly cut down on the number of scam donations.
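The frequency-based auto-blocking described above can be illustrated as a sliding-window counter per source with a blocklist. This is an added example, not Donorbox's own code: keying on IP address, the 10-minute window, the limit of three attempts, the permanent in-memory blocklist and the sample attempts are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600  # assumed window; the page does not state Donorbox's real value
MAX_ATTEMPTS = 3      # assumed limit per source inside the window

class VelocityBlocker:
    """Sliding-window attempt counter per source (here: IP address) with a blocklist."""

    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS):
        self.window = window
        self.max_attempts = max_attempts
        self.recent = defaultdict(deque)  # source -> timestamps still inside the window
        self.blocked = set()              # sources that exceeded the limit

    def allow(self, source, ts):
        """Return True if this attempt may proceed to the payment processor."""
        if source in self.blocked:
            return False
        q = self.recent[source]
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        if len(q) > self.max_attempts:
            self.blocked.add(source)
            return False
        return True

# Constructed sample attempts: (unix_seconds, source_ip, amount_usd).
# The IP addresses come from documentation ranges (RFC 5737).
SAMPLE_ATTEMPTS = [
    (1000, "203.0.113.7", 1.00),
    (1020, "203.0.113.7", 1.00),
    (1030, "198.51.100.4", 50.00),
    (1045, "203.0.113.7", 2.00),
    (1060, "203.0.113.7", 1.00),    # 4th attempt within 60 s: blocked
    (1500, "203.0.113.7", 5.00),    # source stays blocked
    (5000, "198.51.100.4", 25.00),  # same donor much later: allowed
]

def run(attempts):
    """Replay attempts in order; return per-attempt decisions and the blocklist."""
    blocker = VelocityBlocker()
    decisions = [(ip, ts, blocker.allow(ip, ts)) for ts, ip, _ in attempts]
    return decisions, blocker.blocked

if __name__ == "__main__":
    for ip, ts, ok in run(SAMPLE_ATTEMPTS)[0]:
        print(ts, ip, "allow" if ok else "BLOCK")
```

The first few attempts from a new source always pass, which is why the manual review described below is still needed.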
That being said, there is not a lot that can prevent a scammer from successfully donating with a valid card on their first few attempts. For that reason, organizations should monitor all donations that they receive. Donorbox's donation details page lists the country that the donation comes from. The location of the donor's IP address and any unusual formatting of the donor's name or email can be an indication that the donation is fraudulent. Please continue to refund donations that are clearly fraudulent.