Last week, our fundraisers received a bunch of messages asking them to make contact for “an opportunity to raise funds quickly.”
What happened is that on our campaign page, there’s a “Contact Fundraiser” button for our givers to reach out to fundraisers. This channel is usually used to ask for clarification and updates on the campaign. However, in this case, the feature was used by scammers to get to our fundraisers.
This is not the first time someone has tried to persuade our fundraisers to seek “easy” means off the Give.Asia platform to reach their fundraising target. What caught our eye this time was the number of fundraisers the scammer went after, and the fact that the email used to reach them appears to come from a hired Fiverr account (Fiverr is a platform where you can hire freelancers for as little as $5 per job). We decided to add new measures that make repeated attempts to contact a fundraiser harder. The new measures might deter some genuinely inquiring givers from reaching out to fundraisers, but given this new level of motivation and investment in insidiously contacting our fundraisers, an increased level of security is needed. This simultaneous escalation of attack and defense is the cat & mouse chase (us vs. scammers) that we have been in since the inception of Give.Asia.
How do we decide whom we send the money to?
In the early days when we fundraised for individuals (instead of fundraising for charitable organizations), we used to send donations directly to the beneficiary. However, we found out that doing so would add an extra step to the money flow. The beneficiaries would need to temporarily hold a large amount of money and eventually send money to another party, such as to pay the medical bills issued by the hospital. The additional step leaves a window of vulnerability for scammers to approach. Furthermore, the beneficiaries would have the additional burden of collecting evidence and proving that the donations have been used for the campaign’s intended purpose.
Therefore, personal campaigns are now managed and supported by a member of our partnership team. We validate the beneficiary's identity and the reason for their fundraising, such as a medical condition. For medical cases, we verify the condition and treatment plan directly with the hospital caring for the beneficiary. After the campaign has finished, Give.Asia sends the donations directly according to the official bill issued by the hospital and updates our givers.
How do we keep your card information safe?
Many years ago, there was one time when I gave my debit card number to a school representative on the phone. I remember the person called me one afternoon, and I felt particularly “trusting” and somehow decided to share my card details with them. I'm definitely not the only person who has let my trust get the better of my judgment. We operate in the business of trust, and sometimes trust can make people let their guard down. Give.Asia’s primary job, as the platform for giving, is to protect the givers who have placed their trust in us.
One of the most common questions from our donors is how we keep their credit card details safe. Well, your credit card details are safe with Give.Asia because we don't store them.
Indeed, being permitted to store credit/debit card information is incredibly hard. Only a few payment processors that satisfy extremely rigorous requirements are allowed to receive and store card information. When you enter your card details on Give.Asia to make a donation, the information is not processed by our system. Instead, it is encrypted and sent directly from your browser to our payment processors (Checkout.com and Stripe). At no point during the payment process is your card information exposed to us. Our payment processors are certified to have top-tier security measures to safeguard credit and debit card information, and they are subject to constant audits and monitoring, as they handle transactions for millions of merchants worldwide.
Regarding recurring charges, when a donor authorizes a recurring donation, a unique identifier is established between Give.Asia and the payment processor. Each time a recurring donation is processed, we use this unique identifier to communicate the transaction's intent to the payment processor, which then works with your bank to complete the charge. Throughout this entire process, Give.Asia does not have access to any card information. The identifier is unique to that specific subscription plan between Give.Asia and the payment processor. Even if a hacker somehow gained access to the identifier, they could not use it to make unauthorized charges for other purposes. We should also note that we always send a reminder email several days before an upcoming recurring donation, especially for our movements. We also send a confirmation email when the donation is processed, so our donors are aware of the transactions.
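The recurring-charge flow described above, modelled as an added Python example (this is not Give.Asia's code and not the Checkout.com or Stripe API; the `Processor` class, the merchant and plan names and the test card number are constructed stand-ins). It shows why the merchant never holds card data and why a leaked subscription identifier is useless to anyone other than that merchant, for that plan.

```python
import hashlib
import secrets
from dataclasses import dataclass


class Processor:
    """Constructed stand-in for a card-vaulting payment processor (hypothetical)."""

    def __init__(self):
        # token -> (merchant_id, plan_id, card_ref). Card data never leaves the vault.
        self._vault = {}
        self.charges = []  # successful charges, for inspection

    def tokenize(self, merchant_id, plan_id, card_number):
        # Called from the donor's browser, so the merchant never sees the card number.
        # The token is bound to exactly one merchant and one subscription plan.
        card_ref = hashlib.sha256(card_number.encode()).hexdigest()[:8]  # vault reference
        token = secrets.token_urlsafe(16)
        self._vault[token] = (merchant_id, plan_id, card_ref)
        return token

    def charge(self, merchant_id, plan_id, token, amount):
        entry = self._vault.get(token)
        if entry is None:
            return False  # unknown or revoked token
        bound_merchant, bound_plan, card_ref = entry
        if (bound_merchant, bound_plan) != (merchant_id, plan_id):
            return False  # token presented by the wrong merchant or for the wrong plan
        self.charges.append((merchant_id, plan_id, card_ref, amount))
        return True


@dataclass
class Subscription:
    plan_id: str
    token: str  # the only payment credential the merchant stores
    amount_cents: int


def donor_browser_submits_card(processor, merchant_id, plan_id, card_number):
    """Browser -> processor directly; returns the opaque token the merchant will keep."""
    return processor.tokenize(merchant_id, plan_id, card_number)


def create_subscription(plan_id, token, amount_cents):
    return Subscription(plan_id, token, amount_cents)


def run_monthly_charge(processor, merchant_id, sub):
    """Merchant-side job: present token + intent, never card data."""
    return processor.charge(merchant_id, sub.plan_id, sub.token, sub.amount_cents)
```

A stolen `Subscription.token` presented by another merchant, or against a different plan, is rejected by the processor, which is the property the paragraph above relies on.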
Can we ever be fully secure?
At Give.Asia, we have had more than one moment of panic when spammers and scammers found a way to use the system to disturb our users or to test cards. Every time that happened, we used the lessons to upgrade our system to deal with the “mouse” and make the system a bit more secure.
Nonetheless, the nature of this cat & mouse chase is that it would never end. There’s always a tradeoff between security and convenience. For example, the “Contact Fundraiser” function was created as a communication channel between givers and fundraisers, but it also opened up a crack for bad actors. Of course, the other extreme we can take is to close ourselves off, but that defeats the purpose of keeping ourselves accountable and transparent.
One of my favorite answers when finding solutions to a technical issue is “it depends”. The solution for these cat & mouse situations is the same. Walling ourselves up is not always the perfect solution; sometimes having mice is good, as we can learn where the cheese is and better protect it.