Skip to content

How Safe is Your Text-to-Give?

“Can we all get along?” Unless you’re old enough to now legally enter a bar, you have no idea who said these famous words. But the plea is just as true today as it was back in 1992.

The harsh reality is that causes — no matter how benevolent — can be victims of someone, somewhere, with an ax to grind. Yes — we can all agree that the Federated Legion of United Friends of Feline Youths (FLUFFY) is a cause that we can all support. But unfortunately there have been many organizations who for inexplicable reasons were victims of disparaging if not downright malicious attacks.

Text-to-Give is fast becoming the preferred means of giving to non-profit, faith-based, and political organizations. It’s instant, it’s easy, and it’s mobile. As Text-to-Give gains popularity, malicious entities will start exploiting the vulnerabilities inherent in text messaging as a means of attacking — not the donors — but the organizations that the donors support.

The vulnerability is “SMS Spoofing.” This term, simply put, refers to the ability to modify a text message so that it appears to come from a cellphone number other than the actual originating number. Yes there are legitimate uses for SMS spoofing. But there are more bad uses than good. Websites and mobile apps abound enable pranksters to send a text message to a victim and make the message appear as if it’s coming from someone else.

SMS Spoofers attack an organization in a manner similar to the way that malefactors commit online display ad fraud. In the case of the latter, bots repeatedly load web pages and/or click on banner ads in a short span of time. Because an advertiser is paying for each ad impression or each click, its budget can be blown in just a few seconds. Considering the amount of money many companies spend on online advertising, this fraud can cost them hundreds of thousands of dollars.

Text-to-Give is becoming quite popular among churches who are seeking more modern ways for their members to abundantly share. Parishioners sign up for their churches’ Text-to-Give programs in order to easily give each time they attend services. As churches gain more and more worshipers who are raised entirely in the Mobile Age, it is becoming the preferred means of tithing.

Churches unfortunately can be victims of hate crimes, and most commercially available Text-to-Give services are vulnerable to SMS spoofing fraud. Cyber-haters can easily obtain a parishioner’s cellphone number and set up a bot to repeatedly submit hundreds of Text-to-Give donations from that stolen number in a matter of seconds. Commercially available Text-to-Give services typically ask the donor to confirm his action by replying with a follow up text message. But as text messages can be spoofed, they can be sniffed — that is, intercepted. A bot created by a determined entity can easily simulate the SMS donation submission and confirmation text message sequence.

The damage is more to the church than to the parishioner whose number was spoofed. Not only do they have to go through the hassle of reversing all the charges, but their interchange fee that they pay for online transactions goes up because their risk profile has just been elevated. (Not their fault, you say? Did it work for you the last time you told your insurance guy, “it wasn’t my fault”? What happened to your rates?) Churches operate on shoestring budgets. Any increase in their interchange rate — or worse, losing their merchant account — is devastating.

Get Started Today.

Sign up and start fundraising today! With straightforward, all-inclusive annual pricing and no hidden fees, you can do more and raise more for your cause.

SIGN UP

Worst of all, the trust in the Text-to-Give program is lost. And once lost, it can never be regained.

Text-to-Give programs should have some built in process that balances both security and ease of use. They should not have security restrictions that make them practically unusable. Carrier-mediated Text-to-Give programs have built-in security and are easy to use. But they are highly restrictive to the receiving organization, and out of reach for all but the few with the deepest pockets. The best Text-to-Give programs need to be affordable, easy to use, and highly secure.

Most security experts recommend 2-factor authentication. You’ve experienced it yourself whenever you’ve needed to log into a secure web site. You provide your login credentials on the web site (Factor One) and a pass key that you received from a different means (Factor Two — either via email or via SMS). Text-to-Give should use the same 2-factor authentication concept. Submit your donation via SMS (Factor One) and confirm your donation via some other means (Factor Two).

We at @Pay believe we have the best Text-to-Give service in the market today. It’s easy to use and easy to set up. It’s safe AND secure because our 2-Factor Authentication is built into our technology. Best of all, we don’t require the use of annoying login IDs and passwords nor do we require that the user download an app. We use the apps that are built into every cellphone regardless of manufacturer or operating system.

A malicious entity who steals a parishioner’s cellphone number can attempt SMS spoofing and submit repetitive Text-to-Give donations. But because our process requires confirmation of each donation via a separate channel, all that occurs is a bunch of donation attempts that never make it through to the payment gateway. Your merchant account — and more importantly — your trust is preserved.

Contact us if you’d like more information or to sign up for Text-to-Give powered by @Pay.

Learn more about related articles in: