In March & April this year I’ve had to deal with a new problem that I’ve never dealt with before - credit card fraud. Apparently it’s somewhat common with nonprofits that accept donations online. Someone who has a batch of stolen credit cards will use an unsuspecting nonprofit’s website to validate whether the batch of cards are still active or not by making small donations. If the payment goes through, they know the card hasn't been cancelled yet. This resulted in some chargebacks and subsequent fees for me. It sucks. So far it’s cost $50.00 in charge backs and $47.36 in fees, bringing the total lost to $97.36. Here’s what I did wrong, I hope it helps someone else not make the mistakes I did.

I noticed a string of donations coming in from unusual email addresses:

The first warning sign should have been all the failed webhooks that preceded a successful donation. Strike one.

I should have reached out to Stripe as soon as I noticed questionable email accounts. Their customer support is amazing and incredibly responsive. They immediately confirmed my fears and although it was too late to do anything, offered help on how to avoid the fraud in the future. Strike two.

Now I know Stripe has the option to decline any payments that fail CVC or zip code verification. Simply check these two boxes under Account settings -> General:

I also should have voided any charge from what looks like a fake email address and reached out proactively. This would have saved me $47.36 in fees. Strike three.

I’m really appreciative of Stripe and their support, any time I’ve had to reach out to them they’ve been incredibly helpful. I hope that this will help prevent someone learning the hard way like I did. Dealing with fraud isn’t fun, but at the end of the day it could have been a lot worse. Like $170,000 worse.