Fighting fraudulent test donations is an ongoing cat-and-mouse game. The good news is that Donorbox and Stripe have made great strides in significantly cutting down the number of scam donations. Stripe has a native fraud blocking solution based on machine learning called Stripe Radar. Radar is highly effective at auto-blocking most fraudulent donations. However, scam donations can still pass through. There are additional fraud detection measures that Donorbox implements to complement Radar.
Billing ZIP/Postal Code Validation
Donorbox has the ability to utilize ZIP or postal code validation. To enable this, please go to your account settings (https://donorbox.org/org/edit) and check the Verify billing zip / postal code box.
Collecting the billing postal code is best practice in the US. In other countries, collecting a billing postal code may not be common practice. If many of your donors are from countries that don't use postal code verification, it is better to keep this disabled.
Donorbox does not collect a billing address because it produces too many false positives. Some donors may forget which address they used for the card or could have a typo in the address on file with their bank. Plus, making the donor type in their full address can potentially lower your conversion. When it comes to the donation checkout, less is better.
Block Scammers who Frequently Test Cards
Even with the postal code check, some cards can still bypass the validation process. Scammers buy a massive number of stolen cards and may attempt to test them by charging various amounts on them to see if they work. To mitigate this, we have just come out with auto-blocking for scammers who try to donate frequently in a short period of time. Please see our blog post for more information: https://donorbox.org/nonprofit-blog/block-fraudulent-test-donations/.
Furthermore, we are working on improving our fraud blocking by permanently blacklisting frequent offenders in our network. We believe that these measures will significantly cut down on the number of scam donations.
That being said, there is not a lot that can prevent a scammer from successfully donating with a valid card on their first few attempts. For that reason, organizations should monitor all donations that they receive. Donorbox's donation details page lists the country that the donation comes from. The location of the donor's IP address and any weird formatting of the donor name or email can be an indication that the donation is fraudulent. Please continue to refund donations that are clearly fraudulent.
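For organizations that review donations in bulk, the two signals described above (many donations from one source in a short period, and oddly formatted donor names or emails) can be checked with a short script. This is an added example, not Donorbox's own code or blocking logic; the record layout, the 10-minute window, the threshold of 3 and the name/email heuristics are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_IN_WINDOW = 3               # assumed: a 4th donation inside WINDOW is a burst

# Constructed records (id, time, ip, name, email, amount); hypothetical layout.
DONATIONS = [
    (1, "2024-05-01T12:00:00", "203.0.113.7", "Xkcdv Qwrtp", "a84731@example.com", 1.00),
    (2, "2024-05-01T12:01:10", "203.0.113.7", "Xkcdv Qwrtp", "a84732@example.com", 2.00),
    (3, "2024-05-01T12:02:05", "203.0.113.7", "Xkcdv Qwrtp", "a84733@example.com", 5.00),
    (4, "2024-05-01T12:03:30", "203.0.113.7", "Xkcdv Qwrtp", "a84734@example.com", 1.50),
    (5, "2024-05-01T12:04:00", "198.51.100.20", "Maria Lopez", "maria@example.org", 50.00),
    (6, "2024-05-01T18:00:00", "198.51.100.20", "Maria Lopez", "maria@example.org", 25.00),
]

def burst_ips(donations):
    """Return IPs with more than MAX_IN_WINDOW donations inside any WINDOW."""
    recent, flagged = defaultdict(deque), set()
    for _id, ts, ip, *_ in sorted(donations, key=lambda d: d[1]):
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(t)
        while t - q[0] > WINDOW:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > MAX_IN_WINDOW:
            flagged.add(ip)
    return flagged

def odd_identity(name, email):
    """Assumed heuristics for oddly formatted donor names or emails."""
    reasons = []
    if re.search(r"[^aeiouy\W\d_]{5,}", name.lower()):  # 5+ consonants in a row
        reasons.append("unpronounceable name")
    if re.search(r"\d{4,}", email.split("@")[0]):       # digit run in local part
        reasons.append("long digit run in email")
    return reasons

def review(donations):
    """Map donation id -> reasons it deserves a manual look."""
    bursts = burst_ips(donations)
    report = {}
    for _id, _ts, ip, name, email, _amount in donations:
        reasons = (["burst from " + ip] if ip in bursts else []) + odd_identity(name, email)
        if reasons:
            report[_id] = reasons
    return report
```

Calling `review(DONATIONS)` returns the four rapid small donations from one IP address and leaves the two donations made hours apart by the same donor unflagged; a flag is a prompt for manual review, not proof of fraud.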