Boost recurring donations this giving season with the new upsell prompt!Learn How >>

Protecting against carding attacks and fraudulent testing of credit cards on Donations app pages


Unfortunately, not everyone submitting a donation form is doing so out of a spirit of philanthropy. Criminals may target a donation page as a means of testing the validity of stolen credit cards. This is called a "carding attack".  Often, this attack is accomplished through automation which attempts to submit donations quickly.

To reduce fraudulent and spam donations, Soapbox Engage includes a variety of different shields to protect your donation pages.  Below are the list of protections, from least to most impacting the user experience.

Implement a honeypot

A honeypot is a series of hidden fields which only spambots will see.  If they are populated, the form will not be successfully submitted.

To enable this functionality for on a Donations app page, do the following.

Use payment gateway fraud protection tools

Payment gateways ("credit card processors") often include anti-fraud features in their services. These features vary across providers, but include options such as instituting a minimum or maximum transaction amount, limiting transactions from a specific email address within a given time frame, or other steps to guard against nefarious activity.  Contacting a payment gateway directly is the best way to learn about options by each provider.

Implement reCAPTCHA

Among the more robust Soapbox Engage solutions is the reCAPTCHA feature.  This option requires the user to complete a reCAPTCHA question (typically checking a box) in order to submit a form. Please follow the steps in Enabling or disabling reCAPTCHA for your Donation forms support article.

Implement higher minimum donation amount

Fraudulent tests of credit cards often happen with very low amounts (less than $10).  One option to protect against fraud is to set a higher minimum donation amount required for donation pages.  The Setting a minimum transaction amount across all Soapbox Donation forms support article provides guidance on setting this feature.

Automatically block IP addresses

When the same IP address repeatedly provides different credit card numbers that are declined by the payment gateway, it's very typically related to fraudulent actions.  The Donations app allows for the setting of automatically adding IP addresses to the blocklist based on the multiple failed transactions.  The support article Adjusting parameters for automatically blocking IP addresses from submitting a Donation page provides guidance on configuring this feature.

Manually block IP addresses

When there is a clear pattern of the same set of IP addresses fraudulently using a Donations app page, blocking against IP addresses can be a potential shield to employ.  Please open a support ticket to submit a list of specific IP addresses to be blocked.

Manually block countries

When there is a clear pattern of fraud from  IP addresses within one or multiple countries outside the country of the Soapbox Engage account, blocking IP addresses by country can be a potential shield to employ.  Please open a support ticket to submit a list of specific countries' IP addresses to be blocked.

Activate Soapbox Engage Fraud Detection Pro service

When all other options have been exhausted, implementing the Soapbox Engage Fraud Detection Pro service (a paid add-on) is likely the best solution.  This add-on uses machine learning and artificial intelligence to analyze hundreds of data points per transaction to determine the likely validity of a transaction before submission to the payment gateway for processing.  Please open a support ticket to learn more about Soapbox Engage Fraud Detection Pro service.

Have more questions? Submit a request
Article is closed for comments.