Not-For-Profits and Charities Are High-Risk Targets for Costly BIN-Bashing Fraud. Here’s What to Do About It


By Ralph Kooi, Australia Country Manager, ClearSale and Matt Humphries, Head of Sales and Marketing, Bambora

Payment card fraud is a well-known problem among ecommerce retailers, but, maybe surprisingly, charities and not-for-profit organisations are often the targets of this kind of fraud as well. This problem gets less media attention than ecommerce fraud, but it’s important to address. Card-not-present fraud can inflict financial losses on charities and NFPs that are proportionately larger than those affecting many retailers, and many non-profit groups are less prepared than retailers to combat this type of fraud.

Why do fraudsters target charities and NFPs?

Because not-for-profits want to encourage donations, they often have open pages on the web that don’t require a sign-in to donate. Some accept small minimum donations as low as $1, to help maintain a steady stream of revenue.

Unfortunately, the ability to make quick, anonymous, low-dollar-value donations appeals to professional fraud rings who want to commit a particular type of fraud known as card testing. They’re not looking to steal anything from the charities they target. They’re just exploiting the payment process as a stepping stone to bigger fraud.

Payment fraud against NFPs and charitable groups

One type of card testing fraud that’s often done on charity and NFP sites is “BIN bashing.” A BIN is the bank identification number on a payment card, usually the first 4 to 6 digits of the card number. All the cards from a specific issuer will start with the same BIN. Ordinarily, the random nature of the remaining digits prevents anyone from guessing a particular cardholder’s full card number.

BIN bashing aims to get around that safeguard. Criminals start with a verified BIN from a particular issuer and use bots to quickly try out different combinations in search of a random sequence that matches an existing payment card. To test their computer-generated numbers, they make a flurry of small donations to charity websites, all handled by their bots.

When a donation goes through, it confirms that the bot-generated card number used is valid. Each number that’s validated this way can be used by fraudsters to buy merchandise from online retailers for resale or to defraud digital product merchants like game networks.

Because the test amounts are so small, they don’t usually trigger alerts the way a large, unexpected purchase might. A cardholder reviewing a monthly statement or recent activity might not notice them. However, these small attacks can add up fast. Some not-for-profits we’ve spoken to report seeing bot-driven attacks with rates as high as 10,000 tests per minute.

How much damage does card-testing fraud cause?

In a typical two-year period, 10% to 15% of Australian not-for-profits have been the targets of fraud, with an average loss of $23,000, according to data from the Australian Charities and Not-for-profits Commission. Card testing isn’t the only fraud threat charities face, but it’s one that can quickly do a lot of damage.

Fraudulent donations of a few dollars here and there are so harmful to charities because of the follow-on costs. Once fraud occurs, the NFP must pay a chargeback fee imposed by the card issuer, at a cost of anywhere from $20 to $100 per transaction. The charity is also out the cost of the transaction fee they paid to process the fraudulent donation, as well as any money they were paying for fraud protection that failed.

Although the dollar value of card-not-present fraud against Australian merchants declined in 2019, global CNP fraud rose dramatically during 2020 as more shoppers moved online. As Visa notes in its report on fraud risk and the pandemic, the rapid move to ecommerce shifted the payment mix and customer behaviour in ways that made some fraud screening tools less useful. The economic fallout from the pandemic also created more financial motivation for organised criminals to ramp up fraud activities. If the risk is rising for merchants, it’s likely rising as well for the charities where fraudsters first test their data.

How can charities and NFPs prevent fraudulent online donations?

The ideal fraud protection for NFPs is inexpensive and blocks fraud attempts without rejecting good donations. A system that uses AI and machine learning can quickly spot patterns that indicate bot attacks and other potential fraud as well as good donors.

This kind of system can evaluate transaction attempts based on things like velocity – how many attempts have been made from the same device, card number or IP address in the past 24 hours – which can quickly flag BIN bashing attempts and reject all orders that fit that behavioural profile.

By limiting the number of checkout attempts a user can make within a certain amount of time and identifying potential fraud sources, charities can reduce their immediate risk of card testing fraud. These limits can also encourage fraudsters to move on to other, less well-protected targets, which reduces the charity’s fraud risk over time as well. When the AI system is backed by manual review of flagged transactions, that can ensure that good donors aren’t turned away on suspicion of fraud.
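The velocity screening described above can be sketched as a sliding-window counter. This is an added example, not code from ClearSale or Bambora; the thresholds, field names and the use of a gateway-issued card token in place of the raw card number are assumptions, and the "many distinct cards from one source" rule goes slightly beyond the per-key counts the article lists.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 60 * 60  # the 24-hour look-back described above
MAX_ATTEMPTS = 5               # assumed cap on attempts per device, IP or card
MAX_CARDS_PER_SOURCE = 3       # assumed cap on distinct cards per device or IP


class VelocityScreen:
    """Sliding-window counters keyed by device, IP address and card token."""

    def __init__(self):
        # (kind, value) -> deque of (timestamp, card_token), oldest first
        self.events = defaultdict(deque)

    def check(self, ts, device_id, ip, card_token):
        """Record one attempt (in time order); return the rules it trips."""
        reasons = []
        for kind, value in (("device", device_id), ("ip", ip), ("card", card_token)):
            q = self.events[(kind, value)]
            while q and q[0][0] <= ts - WINDOW_SECONDS:
                q.popleft()  # forget attempts that fell out of the window
            q.append((ts, card_token))
            if len(q) > MAX_ATTEMPTS:
                reasons.append(f"{kind}_velocity")
            # Card testing signature: one source cycling through many cards.
            if kind != "card" and len({c for _, c in q}) > MAX_CARDS_PER_SOURCE:
                reasons.append(f"{kind}_many_cards")
        return reasons


def sample_attempts():
    """Constructed data: a bot cycling card tokens and an ordinary donor."""
    bot = [(1000 + i, "dev-bot", "203.0.113.7", f"tok-{i:03d}") for i in range(6)]
    donor = [(1200, "dev-a", "198.51.100.20", "tok-donor"),
             (4800, "dev-a", "198.51.100.20", "tok-donor")]
    return sorted(bot + donor)


def run(attempts):
    """Screen attempts in order; a non-empty rule list means hold for review."""
    screen = VelocityScreen()
    return [(a[1], screen.check(*a)) for a in attempts]


if __name__ == "__main__":
    for device, reasons in run(sample_attempts()):
        print(device, "REVIEW" if reasons else "accept", reasons)
```

Routing flagged attempts to a review queue rather than declining them outright matches the manual-review step the article recommends for protecting good donors.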

Having an AI-based fraud screening program in place is a cost-effective alternative to the high fees, revenue losses and brand damage that result from BIN bashing attacks. And because this kind of protection program is always learning to spot new patterns, it can protect charities against whatever card testing tactic fraudsters try next.

Ralph Kooi is the Country Manager Australia at ClearSale, a full-service cloud based platform that automates Fraud Prevention, allowing businesses to increase sales while reducing risk. ClearSale is the only company that never automatically declines an order before a manual review process, which allows us to achieve industry-high approval rates while eliminating false declines and brings in additional revenue for our customers. Ralph Kooi has previously worked for several International SaaS businesses while based in Australia.

Matt Humphries is the Head of Sales and Marketing for Bambora in Australia, part of the Worldline Group – one of the largest payment services providers globally. Bambora has a long history supporting many of the top Charities and Not-For-Profits in Australia, enabling millions of online donations for many of Australia’s top charitable organisations.