Constant Vigilance: Be on the Lookout for EFT Fraud
Bad actors on the internet are an unfortunate reality of the world we live in. Recently, one of our MSB partner stations was the victim of online donation fraud.
A common scenario looks like this:
- A fraudster submits one or more EFT donations through a web donation form, often of high dollar value. Multiple donations are submitted to give the appearance of accidentally entered duplicates.
- Soon after making the donation(s), the fraudster contacts the station by email or phone to request a refund of the single or duplicate transactions.
- The refund request is deliberately made before the settlement period is complete, in the hope that staff will issue an immediate refund.
- The transaction(s) then fail by the end of the settlement period, but staff have already issued the refund, leaving the station with a revenue loss.
CDP recommends taking immediate action: partner with your Finance/Accounting teams to implement control measures, or make sure staff are trained on and following the existing ones. This is particularly important for high dollar transactions.
Some recommended control measures and steps you can take to protect your organization from donation fraud are:
- Never issue an immediate refund against an EFT transaction. Always wait for the minimum 7-10 business day settlement period to confirm that the donation(s) were deposited and the money is in your bank account.
- Before refunding, do an Internet lookup of the donor's name and address, particularly if the donor is new to the station, to rule out obvious red flags (e.g., the address is a business rather than a residence, or is out of state).
- If the "donor" is requesting the refund by email, take special note of the content and writing, looking for the same red flags covered in organizational cyber security training on email phishing. Always follow up by phone rather than relying on email alone.
- After at least the minimum settlement period, view the original transaction in the Worldpay iQ portal to confirm there is no "Return" against it. A Return indicates the transaction failed and no donation was deposited to your bank (see the important note below).
- Have an approval process in place with Finance/Accounting, or other appropriate management teams, to confirm that organizational controls are followed before any EFT/eCheck refund is issued through the CRM or any other channel.
Important note: Worldpay issues a conditional deposit on all EFT transactions, which can make it appear that your account has been fully credited. Until the settlement period is complete, however, those conditional funds can be debited from your bank account at any time if the issuing bank (the fraudster's bank) declines the transaction for Insufficient Funds or another Return/Decline reason.
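One way to encode the controls above as a pre-refund check, added here as an illustration and not code from CDP or Worldpay; the 10-business-day hold, the $1,000 "high dollar" threshold and the record field names are assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta

SETTLEMENT_BUSINESS_DAYS = 10   # assumed: upper end of the 7-10 business-day window cited above
HIGH_VALUE_USD = 1000.00        # assumed threshold for "high dollar"; the advisory gives no figure


@dataclass
class EftDonation:
    txn_id: str
    donor: str
    amount: float
    submitted: date
    has_return: bool = False        # a "Return" shown against the transaction in the processor portal
    finance_approved: bool = False  # sign-off from Finance/Accounting before any refund


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` weekdays. Weekends are skipped; bank holidays are not modelled."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday..Friday
            days -= 1
    return current


def evaluate_refund(txn: EftDonation, today: date, donor_txn_count: int,
                    new_donor: bool, verified_by_phone: bool) -> tuple[bool, list[str], list[str]]:
    """Apply the advisory's controls to a refund request.

    Returns (may_refund, blockers, red_flags). Any blocker stops the refund outright;
    red flags do not block by themselves but must be reviewed with Finance before approval.
    """
    blockers, flags = [], []
    settles_on = add_business_days(txn.submitted, SETTLEMENT_BUSINESS_DAYS)
    if txn.has_return:
        blockers.append("transaction carries a Return: nothing was deposited, so there is nothing to refund")
    if today < settles_on:
        blockers.append(f"settlement period not complete until {settles_on.isoformat()}")
    if not txn.finance_approved:
        blockers.append("no Finance/Accounting approval recorded")
    if txn.amount >= HIGH_VALUE_USD:
        flags.append("high-value EFT")
    if donor_txn_count > 1:
        flags.append("multiple EFT donations from the same donor (possible staged 'duplicate')")
    if new_donor:
        flags.append("donor is new to the station: look up name and address before refunding")
    if not verified_by_phone:
        flags.append("request received by email only: confirm by phone")
    return (not blockers, blockers, flags)
```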