A money-laundering fraud ring is targeting donation sites, taking advantage of the outpouring of charity sparked by the global pandemic.

The fraud leverages guest checkout options on donation sites to steal money and launder stolen payment cards.

The scheme is very straightforward: Fraudsters first set up recipient accounts on various donation sites. They then create and post fake causes for which to receive donations.

The hackers then use stolen credit cards and fake usernames/emails to “donate” money to their own made-up causes.  They do this with the use of automated scripts. The donations are typically made in small denominations, usually $5 or less. By using the option to check out as a guest, the hackers skip the step to create an account that would make the account easier to track.

This fraudulent activity has 2 purposes:  hackers test stolen payment information to make sure it’s valid AND allows them to launder the money from stolen accounts.  

Unfortunately, the time is right for such an approach because charitable giving is skyrocketing.

Cybercriminals in general have evolved their payment-fraud tactics during 2020.  Based on data from more than 34,000 apps and websites, researchers found over a 50% increase in average attempted fraud value, across multiple verticals. This kind of rise in activity is a clear sign that hackers are using automation such as bots, scripts and malware.  This automation takes advantage of easier-to-use checkout experiences and password reuse.

Hackers have become very knowledgeable in the mechanics of digital commerce.  They can accurately identify security vulnerabilities.  In 2020, the amount of money spent by online shoppers surged because of the pandemic and hackers saw an opportunity to wreak more havoc. 

Be sure to protect your own data by making sure the ecommerce sites you visit are securely protected with NIST standards.  And if you run any sort of ecommerce site yourself, make sure that your network is protected by up-to-date NIST security protocol.