As digital donations continue to rise, so too does the interest of those with malicious intent. As naturally more trusted organisations, charities are increasingly attractive online targets for fraudsters. These ‘bad actors’ seek to exploit their online fundraising efforts for illegal gains. From card testing scams to phishing schemes, fraud in the donation space is evolving, and fast.
Why Charities Are Prime Targets for Fraud
Unlike retail businesses, charities don’t typically attract the same level of security scrutiny from the public. This can make them seem like “softer” targets. But more importantly, donation platforms handle card payments and personal data, which makes them ripe for abuse by fraudsters seeking to test stolen card credentials or exploit weaker compliance protocols.
For instance, “card testing” is one common method: criminals use automated bots to attempt small transactions on donation platforms to verify stolen card details. When successful, these cards may later be used for larger fraud elsewhere and the charity is left bearing the reputational and administrative fallout.

Unfortunately, the open, welcoming nature of donation pages, designed for simplicity and ease of use, can also provide an opening for these types of attacks.
Evolving Threats, Smarter Defences
Cybercriminals are increasingly using more advanced tools, including AI-powered bots and scripting, to carry out these attacks at scale. At goDonate, we’ve seen this trend growing across the sector, and we work closely with our partners and charity-clients to stay ahead of it.
Security and trust are fundamental to our platform. We take great care to ensure our systems are aligned with industry-leading standards — including full support for PCI-DSS v4.0.1.

This most recent version of the Payment Card Industry’s Data Security Standard includes enhanced requirements for stronger authentication, secure scripting practices, and real-time monitoring — all of which are critical in the defence against modern fraud attempts.
How AI Can Help Protect Charities
Artificial Intelligence doesn’t just pose risks; we appreciate how it also plays a vital role in defence. AI helps identify and intercept card testing attacks in real time. AI can detect unusual donation patterns, abnormal transaction speeds, or mismatched geographic data. The more data an AI engine analyses, the smarter it becomes at spotting anomalies before damage is done.
When paired with ongoing human oversight, AI-driven fraud prevention offers an effective layer of protection, especially in a donation environment that needs to balance user-friendliness with robust security.
What Charities Can Do To Protect Themselves
While platform providers like goDonate handle much of the technical infrastructure and compliance, there are still key steps charities themselves can take to strengthen their fraud defences — many of which don’t require heavy investment.

Low-Cost / No-Cost Tips
- Use Captchas on Your Donation Forms
Adding reCAPTCHA or other bot detection tools to donation forms can help block automated card testing attacks. This is a simple but effective line of defence.
- Limit Low-Value Donation Attempts
Consider setting a minimum donation amount (e.g. £2 or £3). Fraudsters frequently use very small amounts when attempting card testing attacks, which may otherwise go unnoticed. A minimum donation amount can help block or slow down bulk automated testing scripts, especially those programmed to try ultra-low amounts.
- Monitor Donation Activity Regularly
Look for spikes in failed transactions, unusual patterns in donation timing, or repeated donations from the same IP address. These can all be signs of attempted fraud.
- Train Staff and Volunteers
Awareness matters. Ensuring your team can spot phishing emails, social engineering tactics, or suspicious activity on your CRM can prevent simple mistakes from escalating into bigger issues.
- Keep Your Website Updated
If you host any part of your donation journey yourself, ensure your website’s plugins, CMS, and security certificates are up to date. Outdated software is a common attack vector.
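The monitoring signals from the list above (bursts of attempts from one IP address, a high share of failed transactions, and very small amounts) can be checked over an export of donation attempts. This is an added example, not goDonate's code; the record layout, the sample rows and every threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, source IP, amount in GBP, outcome).
ATTEMPTS = [
    ("2025-01-10T09:00:00", "198.51.100.7", 25.00, "approved"),
    ("2025-01-10T09:14:02", "203.0.113.9", 1.00, "declined"),
    ("2025-01-10T09:14:05", "203.0.113.9", 1.00, "declined"),
    ("2025-01-10T09:14:09", "203.0.113.9", 1.00, "approved"),
    ("2025-01-10T09:14:12", "203.0.113.9", 0.50, "declined"),
    ("2025-01-10T09:14:15", "203.0.113.9", 1.00, "declined"),
    ("2025-01-10T09:30:00", "198.51.100.7", 25.00, "approved"),
    ("2025-01-10T11:00:00", "192.0.2.44", 10.00, "declined"),
    ("2025-01-10T11:02:30", "192.0.2.44", 10.00, "approved"),
]

def flag_card_testing(attempts, window=timedelta(minutes=5), min_attempts=5,
                      fail_threshold=0.6, low_amount=2.00):
    """Return {ip: reasons} for IPs whose activity inside a sliding window
    looks like card testing: a burst of attempts that is mostly declined
    and/or mostly below the minimum donation amount."""
    recent = defaultdict(deque)  # ip -> attempts still inside the window
    flagged = {}
    for ts, ip, amount, outcome in sorted(attempts):
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, amount, outcome))
        while now - q[0][0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) < min_attempts:      # no burst from this IP (yet)
            continue
        fail_ratio = sum(o == "declined" for _, _, o in q) / len(q)
        low_ratio = sum(a < low_amount for _, a, _ in q) / len(q)
        reasons = [f"{len(q)} attempts in {window}"]
        if fail_ratio >= fail_threshold:
            reasons.append(f"{fail_ratio:.0%} declined")
        if low_ratio >= 0.8:
            reasons.append(f"{low_ratio:.0%} under £{low_amount:.2f}")
        if len(reasons) >= 2:          # burst plus at least one other signal
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, why in flag_card_testing(ATTEMPTS).items():
        print(ip, "->", "; ".join(why))
```

A repeat donor or a donor who retries once after a decline stays below the burst threshold, so only the rapid low-value sequence is reported.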
Invest in protection
- Web Application Firewalls (WAFs)
If your website handles high traffic or accepts donations directly, a WAF can help filter out suspicious traffic before it ever reaches your donation page.
- Partner With a Platform That Prioritises Security
Work with providers, like goDonate, that are PCI-DSS compliant, actively monitor fraud patterns, and invest in AI-driven detection tools. This often pays dividends in preventing issues before they arise!
Ultimately, it’s about being proactive. Fraud prevention is not just a technical problem — it’s an operational mindset. The more layers you can add between your donors and potential bad actors, the more secure your fundraising will be.
A Shared Responsibility
Charities, platform providers, and donors all have a role to play in fighting fraud. Ensuring that your donation partner is proactive about compliance, particularly with PCI-DSS v4.0.1, is one important step. At goDonate, we’re committed to helping charities stay informed, secure, and resilient in a fast-changing threat landscape.
