SANS ISC InfoSec Handlers Diary Blog


A Consumer's Guide to Spotting "Fake" Charities

Published: 2012-12-20
Last Updated: 2012-12-20 20:32:43 UTC
by John Bambenek (Version: 3)
2 comment(s)

Earlier in the week we mentioned that people should be on the lookout for "fake" charities trying to exploit the Sandy Hook tragedy.  About 150 or so domains have been registered that are "suspect" and about a dozen I can safely say are fraudulent.  Some basic steps we already know about for dealing with this:

  • Only deal with charities that are already known to you (e.g. the Red Cross) or with which you have a personal relationship (your church or church-related organization, local civic group, etc.).
  • Don't donate to charities simply by clicking on a link in an e-mail; go to the charity's website yourself and donate directly.
  • Always check for real contact information; if you don't see any, don't donate.

That said, let's say you find a website and you want to "verify" whether it is suspect or not.  There are several things you can do.  Advance warning: this is US-centric, mostly because I don't know "charity" laws in other countries; if someone would like to clue me in on how to do similar checks elsewhere, feel free to contact me directly.

  • Check the domain registration using WHOIS.  One online WHOIS tool is here.  If it is a "private registration", treat it as suspect and move along.
  • Check with the IRS whether the organization is, in fact, tax exempt.  Their lookup tool is here.  If the website doesn't give an organization name, it's suspect.  If they are talking to you, try to get their tax ID (or FEIN) number.  Ask for a copy of their IRS Form 990 (which they are required to disclose).  Many states also require charities to register, and you can search those filings online as well.
  • Check with Guidestar, which is sort of a Consumer Reports / Better Business Bureau for charities.

A couple of quick case studies.  First, let's use an example where you have information about the "charity" in question.  I haven't found anything this detailed for Sandy Hook, but here is one that came up a little while ago during an unrelated matter.

I got this email forwarded to me recently, which you can read at tinyurl.com -slash- vets4change. The organization purports to help veterans, and one of their newsletters quite helpfully lists the address, tax ID number and California business number.  Plugging in either Veterans for Change or the tax ID number at the IRS website shows nothing. Plugging in the CA corporation ID number (3340400) at the website of the State of California Attorney General results in some interesting records.  Apparently, the State tried to get registration information from the person running the charity, and they simply ignored the State and were fined.

In this case, you have someone who is claiming things which are obviously not true, so we'd label this one suspect and move on, perhaps also filing a complaint or two with the appropriate authorities.

Now let's try one of the various domains registered after Sandy Hook.  One such domain is hopefornewtown-dot-com. There is no identifying information on the website except a gmail email address. WHOIS shows the domain has a private registration, and the PayPal donate button lists the name as Hope for Newtown.  Getting tax exemption from the IRS takes many months, so there is no way it's registered, but just in case, the IRS doesn't show such a registration either.  File this one under suspect and move on.
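The WHOIS and identifying-information checks from the list above, applied to a case like hopefornewtown-dot-com, as an added triage script that is not part of this diary. The WHOIS record is constructed, and the privacy-service keywords, the 30-day window after the event date and the field names are my assumptions:

```python
import re
from datetime import date, datetime

# Constructed sample WHOIS record (not a real lookup) in the style of a
# privately registered domain created right after the 14 Dec 2012 event.
SAMPLE_WHOIS = """\
Domain Name: RELIEF-EXAMPLE.COM
Creation Date: 2012-12-16T04:12:00Z
Registrant Name: Privacy Protect Service
Registrant Organization: Privacy Protect Service
Registrant Email: relief-example.com@privacy.example
Registrar: Example Registrar, Inc.
"""

EVENT_DATE = date(2012, 12, 14)  # date of the tragedy the diary refers to
# Assumed keywords that indicate a proxy / private registration.
PRIVACY_MARKERS = ("proxy", "privacy", "whoisguard", "private", "redacted")

def parse_whois(text):
    """Map lower-cased WHOIS field names to values (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def red_flags(whois_text, has_org_name, has_tax_id,
              event=EVENT_DATE, window_days=30):
    """Apply the diary's checks and return the list of triggered flags."""
    w = parse_whois(whois_text)
    flags = []
    registrant = " ".join(v for k, v in w.items()
                          if k.startswith("registrant")).lower()
    if any(m in registrant for m in PRIVACY_MARKERS):
        flags.append("private/proxy registration")
    m = re.match(r"(\d{4}-\d{2}-\d{2})", w.get("creation date", ""))
    if m:  # flag domains created shortly after the event
        age = (datetime.strptime(m.group(1), "%Y-%m-%d").date() - event).days
        if 0 <= age <= window_days:
            flags.append(f"domain registered {age} day(s) after the event")
    if not has_org_name:
        flags.append("no organization name on site")
    if not has_tax_id:
        flags.append("no tax ID / FEIN to look up with the IRS")
    return flags

if __name__ == "__main__":
    for f in red_flags(SAMPLE_WHOIS, has_org_name=False, has_tax_id=False):
        print("FLAG:", f)
```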

If you see any such organizations, you can report them to your state attorney general (who in general is the one who regulates charities, though this may vary) and to IC3.gov, and you can feel free to send suspicious emails and websites to us using the contact form.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting
