Earlier in the week weve mentioned that people should be on the lookout for fake charities trying to exploit the Sandy Hook tragedy. About 150 or so domains have been registered that are suspect and about a dozen I can safely say are fraudulent. Some basic steps we already know about how to deal with this:
Only deal with charities that are already known to you (i.e. the Red Cross) or that you have a personal relationship (your church or church-related organization, local civic group, etc).
Don affirmatively go to website to donate directly.
Always be sure to check for real contact information, if you dont see anything, dont donate.
That said, lets say you find a website and you want to verify whether it is suspect or not. There are several things you can do. Advance warning, this is US-centric mostly because I dont know charity laws in other countries, if someone would like to clue me in how to do similar in other countries, feel free to contact me directly.
Check the domain registration using WHOIS. One online WHOIS tool is here. If it is a private registration, it is suspect and move along.
Check with the IRS whether the organization is, in fact, tax exempt. Their lookup tool is here. If the website doesnt have an organization name, its suspect. If they are talking to you, try to get their tax ID (or FEIN) number. Ask for a copy of their IRS Form 990 (which they are required to disclose). Many states also require charities to register themselves and you can search those filings online as well.
Check with Guidestarwhich is sort of a Consumer Reports / Better Business Bureau for charities.
A couple of quick case studies. First, lets use an example where you have information about the charity in question. I havent found anything this detailed for Sandy Hook, but here is one that came up a little while ago during an unrelated matter.
I got this email forwarded to me recently which you can read at tinyurl.com -slash- vets4change. The organization purports to help veterans, and one of their newsletters quite helpfully it lists the address, Tax ID number and California business number. Plugging in either Veterans for Change or the Tax ID number at the IRS Websiteshows nothing. Plugging in the CA corporation ID number (3340400)at the website of the State of California Attorney Generalresults in some interesting records. Apparently, they tried to get registration information from the person running the charity and they simply ignored the State and were fined.
In this case, you have someone who is purporting some things which are obviously not true, so wed label this one suspect and move on. Perhaps filing a complaint or two with the appropriate authorities.
Now lets try one of the various domains registered after Sandy Hook. One such domain is hopefornewtown-dot-com. There is no identifying information on the website except a gmail email address. WHOIS shows the domain has a private registration and the PayPal donate button lists the name as Hope for Newtown. The time it takes to get tax exemption from the IRS is many months so there is no way its registered, but just in case, the IRS doesnt show such a registration either. File this one under suspect and move on.
If you see any such organizations, you can report to your local state attorney general (which in general is the one who regulates charities, though this may vary), IC3.gov, and you can feel free to send suspicious emails and websites to us using the contact form.
bambenek \at\ gmail /dot/ com
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.