For amoral scammers, the charity sector is an excellent target.

The COVID-19 pandemic, Black Lives Matter movement, flash floods, the Florida building collapse. These and other events all inspired philanthropists and charities to help in a myriad of different ways. Unfortunately, they were also all exploited by charity fraudsters.

Although charity fraud has been a standard path to profit for criminals at least since the early 20th century, regrettably for charities and their donors today, digital technology and greater availability of personal data online have made abusing philanthropic intent for ill-gotten gains easier than ever.

Data is being weaponized by fraudsters

Regardless of their mission, most modern charities are likely to be powered by personal data in one form or another. Information about donors, like their names, addresses, and interests, is often vital for keeping a charitable organization viable.

Unfortunately, this same data opens the doors to threats. Access to even a few data points belonging to a known donor, a charity employee, or a past contractor makes directing a targeted scam a scarily easy task for criminals. Showing the immense cost this kind of fraud can have on charities themselves, the Philadelphia food bank, Philabundance, lost almost $1 million after leaked data allowed criminals to impersonate a regular contractor.

Targeted scams are highly dangerous

Like most people, philanthropically inclined individuals are likely to have digital data footprints larger than 90% of them imagine. However, the exposure of specific information from donors' past giving habits (which can be gleaned even from donors’ social media interests) is of particular interest to fraudsters.

If a criminal knows or is able to accurately guess their intended victim’s donation history, the effectiveness of a scam naturally becomes far greater. Looking at how, in cybersecurity terms, targeted “spear-phishing” is responsible for the majority of successful cyber attacks shows just how powerful and convincing personalized charity fraud, which often uses voice or email phishing, can be.

Donor privacy is under threat

Some of the information that is maliciously leveraged by criminals comes directly from charities or charitable causes themselves. Online fundraising sites sometimes disclose the identity of individuals giving donations and donation lists are often made public for tax purposes, making it easy for a malicious actor to connect individuals with the causes they support. While some groups are advocating for greater donor privacy in this respect, certain states, like California, are vying for the opposite.

However, while easily sourced information can give criminals a partial picture of a person's identity, completing the picture is also worryingly easy. Unfortunately for charities and their donors, data brokerage, a morally dubious industry based on reselling an individual's personal information, exists to find, collate and sell this information for anyone not bothered doing all the hard work themselves.

Along with data available through social media, credit card companies, or third-party data collection firms, data brokers sell complete individual profiles to anyone willing to pay for them. Although data brokers’ services are primarily aimed at advertisers, the fact they do not discriminate between customers presents a clear risk for any organization facing fraud.

The No. 1 thing charities should do to mitigate charity fraud

For charities and their donors, personalized fraud has rapidly evolved to become a critical threat. When a fraudulent email, text, or even phone call is tailored to a specific individual, it is more likely to inspire trust, and the chances that a scam will succeed increases exponentially.

One easy way to take this ammunition away from scammers is to educate prospects about this issue. Charities should provide examples of past incidents of charity fraud and share tips on how donors can minimize their digital footprint, including setting social media accounts to private and deleting as much personal information from online sources as possible. While charities can supply donors with free guides on how to remove their data from sources like data brokers, it is a time-consuming and tedious process. As a result, it may make more sense to employ the help of professionals. Offered as a gift to regular donors, proactive data broker removal can stem personal information leaks.

4 things individuals can do to protect against charity fraud

With scammers increasingly pretending to be charitable organizations or individuals in need of help, donors need to be extra vigilant when it comes to donating to philanthropic causes. Here are some things to keep in mind.

1. Be careful who you donate to

To avoid falling prey to scammers, the FBI recommends only donating to charities you know and trust. In particular, law enforcement stresses the need to be cautious of organizations that purport to be helping victims of recent high-profile disasters.

If you’re going to donate to a charity you know little about, do your research. According to the Federal Trade Commission (FTC), you should Google the name of the charity with “review,” “rating,” “scam,” or “complaint” to see if anything suspicious comes up. 

You can also use BBB Wise Giving Alliance, CharityWatch, Charity Navigator, or GuideStar to see reports about how specific charities operate and use donations made to them.

2. Pay by credit card or check only

Scammers will often ask targets to pay by gift card, virtual currency, cash, or by wiring money (especially to a foreign bank), and they will often try to rush you. A better idea is to pay by credit card or check, says the FTC.

Ideally, you should also review your bank statements to make sure you donated the amount you thought you did and not more and that you haven’t accidentally signed up for recurring donations.

3. Be wary of phishing scams

Be skeptical of unexpected emails, texts, and calls that supposedly come from charities. Whatever you do, don’t respond to them with personal information and don’t click on any links or files within texts, emails, and even social media posts as these could contain malware.

Note that some scammers may use names similar to those of genuine and well-known nonprofit organizations and even create fake websites. The web addresses for the latter are likely to end with .net and .com, whereas the web addresses for real nonprofits typically end with .org.

A quick Google search should give you a good idea of whether the charity is legitimate or not. If you need to get in touch with a charity, use the contact information outlined on the charity’s official web page.

4. Delete your profile from data brokers

Often, fraudsters will use the information they find on data broker sites to craft more convincing scams. Some may even use your personal data to try to persuade you that you’ve already made a donation pledge.

To mitigate this risk, take the time to opt-out of data brokers and people search sites. There are plenty of free step-by-step guides available online, or you can employ the help of professionals.

A wake-up call

Despite growing pressure to rein in data brokers and increasing data privacy regulations at the state level, the data brokerage industry, which makes more than $200 billion of revenue every year, is showing no signs of slowing down.

Last year, for example, data brokers shelled out millions on lobbying, rivaling the spending of big tech companies like Google and Facebook, according to nonprofit The Markup. While it is unclear whether data brokers lobbied for or against specific bills that relate to the industry, experts think that their lobbying makes one thing clear: with their business model under threat, companies that buy and sell people’s data are going to do everything they can to protect their livelihood.

For cybercriminals, data brokers’ persistence is great news, not only because data brokers can provide them with valuable information about their targets but also because they are as easy to hack as any other company. In 2019, for example, the entire database of the data broker LimeLeads was made available on an underground hacking forum.

Regardless of how fraudsters get their information—whether through data brokers, social media sites, charities themselves, or other online sources—the rise in fraudulent fundraising serves as a wake-up call for charities and donors across the country.

Rob Shavell is co-founder and CEO of Abine/DeleteMe.