Harvey. Irma. Jose. Maria. Even those who were not directly hit by one of these recent, dramatic and devastating hurricanes are feeling the emotional impact after watching these mega-storms wreak havoc across the southern part of the U.S. and surrounding islands.
Well-meaning individuals empathize with the victims and want to help, and one of the easiest ways to do that is to click a “Donate” button on a charity website somewhere. Even easier – clicking straight through from a friend or family member’s Facebook page, or an email received from what appears to be a charity organization.
But those links aren’t always as good as the clicker’s intentions. Click too fast, and those in the hurricane’s path may not be the only victims. The aftermath of any natural disaster is a ripe opportunity for criminals who wish to swindle generous people out of their donation dollars.
How can consumers be sure the hard-earned money they share with a good cause is actually working to support that cause? Just as importantly, how can they protect their financial and personal identifying information while completing transactions with organizations and websites they don’t normally visit?
Experts weigh in. Perhaps unsurprisingly, many of them gave overlapping advice.
1. Watch out for fake websites and social media pages.
It happens every time. Justin Lavelle, communications director of BeenVerified.com and a frequent writer on how to avoid scams, noted that even back in 2005 (practically the dark ages when it comes to the internet), while the U.S. was bracing for Hurricane Katrina, scammers lost no time setting up fake charity websites before the storm even hit.
More than a decade later, thanks to the proliferation of social media, information (and misinformation) spreads faster than ever. If a friend or family member is sharing what appears to be a link to a charitable website, it’s still possible, no matter how trustworthy the friend, that the link could be harmful. Scammers know that people are more likely to click a link they believe a friend has vetted first.
Experts agree: those who wish to donate should do their own research and type the charity’s web address into the URL field themselves. Michael Lai, CEO and founder of the consumer protection website Sitejabber, said even Googling the charity can turn up the sites scammers want people to see alongside the real ones – that’s exactly where the bad guys want their fake sites to appear!
At first glance, would you have guessed that ‘https://thesalvationarmy.com/donate’ is not really the Salvation Army’s website? Despite the misleading “secure” designator “https,” Darrin Edelman, Token of Trust CEO, says this is a fake. This site and others are often designed to look exactly the same as the official site and/or to exploit common typos of the correct web address, Edelman said.
Fake URLs are often very close to the real ones and may be easy to mistake, Lavelle said. One dead giveaway? The web address ends in “.com.” Most legitimate charity sites end in “.org.” Also look for other small typo-like variations that could be leading your browser astray.
When it comes to Facebook and other social media platforms, look for the “Verified” checkmark. And for all of the above, check a site like Charity Navigator to confirm whether a charity is reputable, and/or cross-reference the Better Business Bureau (BBB) Charity Report to ensure it meets the bureau’s accountability standards.
Finally, never put personal identifying information on any website. If a site is demanding a Social Security number to process a donation payment, experts agreed: it’s definitely a scam!
2. Stick to charities you know.
It is tempting to fork over money when a charity asks for donations. The only problem? That’s not how charities operate. If someone claiming to represent an unfamiliar organization is soliciting donations, whether by phone or email, there’s a good chance they are not with a legitimate non-profit.
If the representative becomes belligerent or is overzealous about the sale, even more reason to run! Dan Lohrmann, chief security officer at Security Mentor, says real charities don’t insist upon immediate relief help. They will be just as happy to receive the donation later once the donor has done his research.
“Think before you click,” says Steve Durbin, managing director of the London-based Information Security Forum. “Does the email look real? Is this a site that you’ve seen or heard of before? It is far better to use a well-known brand or one you or colleagues/family/friends have used in the past. We all want to be sure that our donations actually go to the people and charities who need them. Just be sure you pay close attention to who you are donating to so that you don’t end up becoming another victim.”
Here’s one that wasn’t around in Katrina’s time: Crowdfunding. Campaigns on platforms like GoFundMe can be sketchy. Jerry Needel, president and general manager of consumer solutions for Blackbaud, said a sad story is often just that: a sad story. Unless the recipient is a direct contact or an immediately verifiable friend of a friend, he and others agreed it is safest to stick to the major charity relief efforts.
If the crowdfunding campaign claims to benefit a non-profit rather than an individual, Needel says to find out if a tax-deductible receipt will be provided. In fact, that’s a good policy all around. If the organization cannot provide a tax-deductible receipt, it’s safer to pass and take your donation elsewhere.
3. Social engineering is powerful – don’t be fooled!
Even in the best of times, it is generally good digital hygiene to delete emails from strangers asking for money. Don’t click links from strangers. Don’t open attachments. Just don’t. Fake links can lead to websites where fraudsters harvest passwords, credit card details, and online banking account info, while attachments can contain malware or computer viruses that harm the recipient in the long run.
Spear phishing is an even more targeted way for fraudsters to gain trust from victims. This is social engineering at its best (or worst). The message may appear to come from a friend, colleague, family member or bank and may include personal information like your name, place of employment, or phone number. Once again, giving money that has been requested by email is just a bad idea.
In the same vein, it’s never a good idea to give out personal information to a caller requesting a donation. Personal information should remain just that: personal.
As always, an emailer or caller asking for money to be wired via services like Western Union or MoneyGram should not be trusted. These are favorite conduits for scammers and are not used by legitimate charitable organizations.
“Cyber criminals are relying less and less on their technical skills and more on their victim’s lack of awareness,” said Alexander Jankovsky, Computronics VP of operations. The moral of the story? Don’t be caught unaware!