If you are receiving fraudulent transactions, please contact your payment processor and bank immediately.
If any of the fraudulent transactions are successfully processed, refunds must be issued by your payment gateway provider outside of NeonCRM. NeonCRM does not process payments; it simply maintains a record of transactions that are processed by a third-party payment gateway provider.
Please contact our support team for their assistance with blocking specific IP addresses that may be associated with the fraudulent transactions.
There are two types of online credit card transaction fraud:
- Computer-based. A computer bot, software application or automated program attempts to process an online transaction repeatedly in a short period of time. The security measures below can help block and prevent these attempts.
- Human-based. A person at a computer enters stolen or fake credit card information to process a transaction. While the security measures below can and should still be enabled, this type of online credit card fraud is the toughest to prevent.
Both computer-based and human-based credit card fraud reach online transaction pages (e.g. an online donation form) through an organization's website. Nonprofit online donation forms are designed to be simple and easy to use for legitimate donors, but this also makes them a likely target for credit card fraud.
- You may be notified of fraudulent activity by your payment processor.
- You may see data in your NeonCRM system that is suspicious.
Fraudulent transactions in your NeonCRM are most commonly seen as multiple failed transactions (e.g. donations, event registrations, membership registrations) by the same name, email address or IP address in a short period of time.
To view a combined list of all your Pending & Declined transactions, navigate here:
Account Home/Dashboard > To Do List > Failed Transactions
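The pattern described above (many failed transactions from one name, email address or IP address in a short period) can be checked with a short script. This is an added example, not NeonCRM code: the row layout, the threshold of 3 and the 10-minute window are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-transaction rows: (time, name, email, ip).
# This layout is an assumption for the example, not NeonCRM's export schema.
SAMPLE_FAILED = [
    ("2024-03-01T10:00:05", "Alex Test", "t1@example.com", "203.0.113.7"),
    ("2024-03-01T10:00:40", "Sam Test", "t2@example.com", "203.0.113.7"),
    ("2024-03-01T10:01:10", "Kim Test", "t3@example.com", "203.0.113.7"),
    ("2024-03-01T10:02:00", "Lee Test", "t4@example.com", "203.0.113.7"),
    ("2024-03-01T11:00:00", "Jane Roe", "jr1@example.org", "198.51.100.10"),
    ("2024-03-01T11:03:00", "jane roe", "jr2@example.org", "198.51.100.11"),
    ("2024-03-01T11:08:00", "Jane Roe ", "jr3@example.org", "198.51.100.12"),
    ("2024-03-01T09:00:00", "Pat Donor", "pat@example.org", "192.0.2.44"),
    ("2024-03-01T15:30:00", "Pat Donor", "pat@example.org", "192.0.2.44"),
]

def flag_bursts(rows, threshold=3, window_minutes=10):
    """Return {(field, value): peak count} for each name, email or IP with
    at least `threshold` failures inside any `window_minutes` span."""
    window = timedelta(minutes=window_minutes)
    seen = defaultdict(list)
    for time, name, email, ip in rows:
        ts = datetime.fromisoformat(time)
        for field, value in (("name", name), ("email", email), ("ip", ip)):
            value = value.strip().lower()  # "Jane Roe " and "jane roe" match
            if value:
                seen[(field, value)].append(ts)
    flagged = {}
    for key, times in seen.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    for (field, value), peak in sorted(flag_bursts(SAMPLE_FAILED).items()):
        print(f"{field}={value}: {peak} failed attempts within 10 minutes")
```

On the sample rows, the IP address used with four different names and emails is flagged, as is the name reused across three IP addresses, while the donor with two failures hours apart is not.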
The options below are immediate actions you can take to stop fraudulent transactions from continuing and prevent them from happening in the future:
- Add a captcha to your online transaction forms (e.g. donation form). Navigate to System Settings > System Settings Home > Forms & Web Pages > Standard Forms > Configure Fields & Sections > choose the page you would like to configure. "Captcha" will be one of the available fields during Step 2 of this process.
A captcha is the "I am not a robot" checkbox.
- Enable Velocity Control. You can choose exactly how many submissions are allowed before an IP address is blocked, or before a captcha is automatically added to a form. Navigate to System Settings tab > System Settings Home > Spam Prevention > Velocity Control.
Note: If you already have Velocity Control enabled and are still experiencing fraudulent transactions, we recommend adjusting the maximum numbers to be lower.
- Make your donation form a two-page flow. This will help disrupt the spammer's process by splitting the donation process into two pages--the first page will collect contact information, and the second page will collect payment information. Navigate to Forms & Pages tab > Forms & Pages Home > Online Donation Forms > Click [Change] under the Navigation Flow column to view your options > Select the two page option.
- Country IP Address Blocking. If your organization's database consistently receives spam and/or fraud requests from certain countries you do not work with, you can choose to block those countries. Navigate to System Settings tab > System Settings Home > Spam Prevention > Country IP Address Blocking.
Note: If you do legitimate business with a country, you should not use this method to block the country's IP addresses. Also, IP addresses associated with the United States cannot be blocked via this method; the United States is always on the whitelist.
You can use the bulk operations feature to bulk delete the fraudulent accounts and transactions created (instructions here). As for what criteria to choose when selecting accounts to delete, we recommend using a common indicator among the fraudulent accounts, such as email address or name.
If your payment processor freezes your account and changes your gateway credentials, you'll need to re-enter these new credentials in your NeonCRM. Navigate to System Settings > System Settings Home > Payment Gateways and edit your existing gateway.