As many individuals open their wallets and donate to a variety of charitable causes during the holidays, con artists and fraudsters are lurking online, using websites equipped with payments technologies, text messaging schemes and other methods to scam well-meaning do-gooders out of funds intended for worthy causes. It’s an ever-growing problem being addressed by e-commerce industry participants, law enforcement and other groups.
In addition to websites that collect donations for fake charities, schemes range from websites that mimic the sites of reputable organizations to spam emails and text messages designed to trick the recipient into giving up personal information or payments account data.
“When charity’s involved, there’s a trust element that is engaged and people just put their guard down and don’t suspect that there’s untoward activity here when that might be the case,” said Bennett Weiner, the chief operating officer of the Better Business Bureau Wise Giving Alliance, which vets charitable organizations and monitors for potential fraud schemes.
In many instances, websites trick victims into making bogus donations to their PayPal accounts. Other times, the fraudsters trick donors into giving up a credit card number and later use the information to make fraudulent purchases.
“They use both identity theft as well as credit card theft, among other things, to get money,” Weiner said.
The Wise Giving Alliance encourages donors to not only research whether a charity is legitimate, but also avoid Web links they receive in emails or on social media sites and instead navigate to the charity’s websites on their own.
“If you’re not familiar with them, it only takes a few minutes to look them up and check on them before you give to them,” he said. “If you don’t want to do any checking or don’t have time, then the fallback is always give to established groups with a track record you’re familiar with so there’s less risk of not getting assistance to those in need.”
In addition to its traditional e-commerce payments tools, PayPal offers a “Donate” button for websites to accept donations. While it’s a quick and easy way for charities to collect contributions online—PayPal’s website claims a button can be posted on a website in under 15 minutes—a fraudster could also use the tool to accept funds.
PayPal is constantly monitoring for fraud—the company owes its early success to a scammer called "Igor," whose ongoing fraud attempts forced PayPal to develop some of the earliest technology for monitoring online transactions. PayPal would not make a risk management executive available to comment for this story.
Another fraud scheme uses the websites of legitimate charities to test whether a stolen credit card is still usable. Known as “carding,” the con can be done with either stolen card numbers or with software to generate sequences of numbers for the fraudster to test.
In both carding schemes and when individuals are duped into giving money to a fraudster, the nature of the transaction makes it’s difficult to quickly identify because donors aren’t expecting anything in return for the money they’re giving.
“If you go to a false site to buy something and it never gets delivered, you’re going to know within five and 10 days that something’s wrong because you never got it and you find out now that you can’t even get in touch with the company," Weiner said. “But with a donation, you’re not expecting anything and you’re not going to know something’s wrong until you’re getting the credit card bills or other things are happening.”
“I think that may be one of the attractions that some of these con artists are recognizing and why they’re taking advantage of some of these forums to do this,” he added.
In the wake of Hurricane Katrina, a fraudster in Florida posing on the Internet as a veteran Air Force pilot attempted one such scam. According to the Federal Bureau of Investigation and Justice Department, Gary Kraser created a fraudulent website and using a PayPal account, received nearly $40,000 from 48 victims in just two days.
Kraser claimed the money would be used to pay the fuel expenses for flights he was making to transport medical supplies and evacuate those with medical conditions from New Orleans, but according to the FBI, “as our investigation revealed, the man wasn't a pilot and had made up everything to fill his own pockets.”
The FBI opened an investigation into the scheme after being alerted to it by PayPal. Kraser was the first person arrested on federal charges for Katrina-related Internet fraud and later sentenced to 21 months in jail, but he was far from the last. The wave of fraud cases after Katrina prompted the Justice Department to establish a National Center for Disaster Fraud and dozens of cases have been filed against fraudsters.
“After every major disaster, no matter where it is, whether it’s Sandy right here in the U.S. or overseas with the tsunami a few years ago in Japan, organizations and websites spring up right after these events,” Weiner said. “Some of them are unfortunately intended to be involved in phishing or some other activities not related to relief and they’re falsely representing themselves as collecting money to assist victims.”
In the days after Hurricane Sandy hit the Northeast, Internet security firm Symantec said it noticed a precipitous spike in spam using the storm to target would-be fraud victims. Messages intercepted by its Symantec Probe Networks email filters included offers of gift cards in exchange for donations and other schemes.
“We anticipate fake news, photos, donation requests, 419 scams, phishing campaigns, and malicious video link attacks will be seen over the coming few days,” the company wrote on its blog shortly after the storm.
Fraudsters looking to use online payments technologies to take advantage of natural disasters are at work even before the next catastrophe hits. According to Weiner, as soon as the World Meteorological Organization releases the schedule of names for hurricanes, fraudsters are quick to snap up website URLs that include the storm names.
“They go out and reserve the names so that they’ll ready to pop up a special site as soon a name’s used, because they never know which storm is going to be the big one,” he said. “These con artists plan way in advance and they’re good at what they do.”
Protecting Text Donating
A new frontier in charitable giving is donation services that allow mobile phone users to send a custom keyword to an organization’s five-digit short code to donate money that’s added to users’ wireless bill or deducted from a prepaid balance. But with this new opportunity for charities, fraudsters are also attempting new schemes, too.
In some mobile schemes, users receive a text message informing them they’ve won a gift card from a major retailer. The messages usually contain a link to a website that resembles the retailer but is really a phishing scheme.
Organizations like the Mobile Giving Foundation and the mGive Foundation seek to vet charities that want to collect text donations. This year, the Wise Giving Alliance developed a partnership with the Mobile Giving Foundation to enhance charity vetting procedures with the goal of better protecting text donors.
“Text giving is an activity that is still growing. It has not fully matured and there is an opportunity here to do things that were not able to be done with direct mail and telemarketing, like doing more thorough vetting of charities that participate in text giving before they engage the public,” Weiner said. “Verifying organizations from the get-go is certainly more effectively than warning the public afterwards, or even during.”