I provide the website software and IT support for a non-profit which has also seen a spate of disputed donations under $5, mostly $1 & $2, beginning in Sept 2017. I've investigated donations from 61 different donors and found a number of curious things:

All of these donations came through a donation page on our website. The page requires you to enter the donation amount and click a PayPal Donate button. If you wish to make a regular donation, you must select the donation frequency from a drop-down. Some of the disputed donations had been set up as $1/week regular donations. Upon clicking the Donate button the form is submitted to PayPal, where the donor must either log in or opt to pay with a credit card without a PayPal account. Therefore each payment results from a conscious act. PayPal requires those signing up for regular donations to have a PayPal account, so those $1/week donors must have an account.

Our webserver logs reveal that for these disputed donations our donation page is the ONLY page in the browser session. The form we submit to PayPal includes a "return" URL to a Thank You page. That page is never viewed upon completion of the transaction for any of these disputed donations.

As part of this investigation I have been capturing the "referrer" URL provided by browsers. To date none of the sessions which generated disputed donations has had a referrer URL. This means that the browser was launched directly to our donation page, either from a link in an e-mail or some other way. They did not arrive at the donation page from another website or from another page on our website.

I have followed up by e-mail with all 61 donors (so far) to ask how their donation(s) came to be made, how they realized they were "unauthorized" and what changes we might make to the website to avoid the problem in the future. So far not ONE of the 61 has responded. I find this quite suspicious. Per the organization's privacy policy, donors are added to the mailing list. Each of the donors has received one or more e-mail messages. None of the e-mails has bounced due to a bad address. Each e-mail we send out includes an Unsubscribe link and the headers to enable the "Unsubscribe" button in some mail readers. To date all 61 remain subscribed to our mailing list.

I've been capturing the remote IP address of the browser submitting the donation form and looking up the ownership. To date 51 of 93 donations have come from addresses owned by vultr.com, which appears to offer a VPN service. Others have come through common broadband providers like Charter, Cox, Comcast, Time Warner etc. Not sure what to conclude here. The geo-location for the non-VPN IP addresses spans the country from Wisconsin to Texas. I matched one IP address to a city in Texas and found the donor with a distinctive name had addresses in both Texas and Louisiana. WhitePages.com produced a phone number, so I called, and whoever answered the phone said they did not know anyone by that name even though it was provided by WhitePages.com.

I've contacted PayPal support about this to no avail. The first couple of attempts received a boilerplate response which was obviously triggered by keywords in my message without actually reading the message. Finally I got a response that said, in short, (a) yes, you are getting disputed donations, (b) we have no choice but to refund them when asked, (c) no, we can't tell you anything about these donations and (d) all you can do is keep reaching out to the donors by e-mail. So we can't even determine whether the one-time donations came from PayPal account holders or people using a credit card without a PayPal account.

I am at a loss to explain what is going on and I've exhausted every avenue I can think of to gather more information about this situation. If anyone has any suggestions, insights or can share a similar experience I'd be very interested.
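As an added example (not code from the post or from the organization's site), here is a small Python check that runs the log-based pattern described above over constructed combined-format webserver lines: it flags a visitor that submitted the donation form with no referrer, viewed no other page, and never loaded the PayPal return (Thank You) page. The paths /donate and /thank-you and the use of client IP as a stand-in for a session key are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
# First client: lands directly on the donation page, posts the form, nothing else.
# Second client: arrives from a search engine, browses, donates, returns to thank-you.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2017:14:01:03 +0000] "GET /donate HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2017:14:01:20 +0000] "POST /donate HTTP/1.1" 302 0 "https://example.org/donate" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2017:15:10:00 +0000] "GET /about HTTP/1.1" 200 8000 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2017:15:10:40 +0000] "GET /donate HTTP/1.1" 200 5120 "https://example.org/about" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2017:15:11:05 +0000] "POST /donate HTTP/1.1" 302 0 "https://example.org/donate" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2017:15:12:30 +0000] "GET /thank-you HTTP/1.1" 200 3000 "https://www.paypal.com/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

DONATE_PATH = "/donate"      # assumed path of the donation form
THANKYOU_PATH = "/thank-you"  # assumed PayPal "return" URL path


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def suspicious_sessions(records):
    """Group hits by client IP (stand-in for a session id) and flag those matching the
    pattern in the post: form submitted, donation page the only page viewed, no
    referrer on the first hit, and the thank-you page never loaded."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, hits in by_ip.items():
        paths = {h["path"] for h in hits}
        submitted = any(h["method"] == "POST" and h["path"] == DONATE_PATH for h in hits)
        only_donate = paths == {DONATE_PATH}
        no_referrer = hits[0]["referer"] in ("-", "")
        no_thankyou = THANKYOU_PATH not in paths
        if submitted and only_donate and no_referrer and no_thankyou:
            flagged[ip] = {"hits": len(hits), "first_seen": hits[0]["ts"]}
    return flagged
```

Run over real logs, the flagged IPs can be cross-checked against the disputed transactions' timestamps and the ownership lookups described above.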