Have you received one or more unauthorized credit card charges from Canvas Art Charities?
Like many organizations that accept donations and payments online, we recently fell victim to a new form of fraud called “Card Testing.” Over several weeks, a fraudster processed thousands of small transactions through our website using a list of stolen credit cards. They were doing this to test whether the stolen card details were still “valid,” i.e., to see whether the card had been canceled or blocked by the cardholder’s bank. Because of the small amounts involved, these transactions went mostly unnoticed until the first reports of disputed charges started coming into our payment processor. By that point, there were thousands of transactions, many of which had already processed through to the cardholders. We have learned that this incident is likely tied to several high profile credit card breaches that have happened late last year. Over 5 million cards were breached from a supermarket chain in August, and in November, over 4 million credit cards were obtained from breaches involving a chain of restaurants. Criminals most likely sold these numbers on websites on the “Dark Web,” some of which were then tested using our system.
We immediately took steps to contain the incident. This was not a hack or breach of security of any of our systems, nor did the criminals get your card information from us; it was a case of someone using our system for illegal purposes. We have since removed that system entirely from our website and disabled any transactions through our payment processor. We have also voided or refunded all transactions that had been accepted by the cardholder’s bank; however, some transactions had passed the point where an automatic refund could be posted. For those transactions, we are still waiting on the issuing banks to accept dispute requests to complete the refunds.
If you have received any unauthorized credit card charges from Canvas Art Charities in the past six months, please immediately contact your bank and report to them that your card information has been compromised. You can also dispute any charges you have received that look suspicious. We are approving any disputes automatically so your bank can issue any credits due back to you.
If your card was used in this fraud and you have any questions relating to it, or if you have not received a refund where an illegal payment was made, please contact us at firstname.lastname@example.org so we can investigate it further. Please note that it may take up to 30 days or more depending on your bank for the refunds to appear.