Configure Fraud and Spam Protection

The more people know about your campaign, the greater the chance that a malicious actor may find it.

Raisely continues to make substantial improvements to our anti-fraud measures to prevent malicious activity. These improvements, along with Stripe's fraud-prevention Radar, are usually enough to keep your campaign from being used for card testing. 

Even with these protections in place, you might still open your campaign dashboard to see a fraudulent activity message. So let's explore ways you can enhance your campaign's security.

Skip Ahead To

Understanding Fraudulent Transactions

Steps to Enhance Protection

Spam Protection Settings

Identifying Fraudulent Transactions


Understanding Fraudulent Transactions

Donation sites are popular with fraudsters, who often use them to check the validity of stolen credit cards. They attempt to make a small donation to test whether the card is still valid, or whether the bank has blocked/removed the card.

The donation amount is usually quite small (less than $10) in order to avoid detection by both the card owner and the bank. Once they validate the card is still working, they go on to use the card to make larger purchases elsewhere.

Raisely will block suspicious donation attempts in order to protect your campaign from scammers and credit card testers.  If you see a warning appear on the dashboard, it's usually a sign that the system is working just fine.

Even so, we recommend you check your recent donations in case:

  • The transactions were legitimate donations, and you need those donations processed, OR
  • Not all of the fraudulent donations were caught by our filters

Steps to Enhance Protection

Raisely allows you to optimise fraud protection to suit your needs. These settings only affect Raisely's fraud protection systems. If a donation is blocked by Stripe or PayPal, you'll have to contact them for further information.

To access your fraud protection settings, from the campaign sidebar, select Settings > Fraud Protection. Here are the settings explained:

Fraud Protection (Disable)

If you're running a fundraising event, or just taking lots of small donations in the same location, this could trip our anti-fraud protection and cause donations to be blocked. You may want to temporarily disable fraud protection to prevent this.

If you're concerned you might forget to turn it back on, don't be; we don't allow fraud protection to be disabled indefinitely, and the system will automatically re-enable it after 24 hours.  

Minimum Donation Amount

This setting can be very useful if you are experiencing sustained, high volume, low-value donation attempts. It allows you to nominate a minimum donation amount for your campaign. Any attempts to donate below this value will be automatically blocked regardless of any surrounding information or data.

If your campaign frequently receives lower-value donations, keep in mind that this setting can inadvertently block legitimate donations. Before you enable it, carefully consider this and the average donation amount that your campaign is currently receiving.

Enhanced Card Testing Protection

Enhanced Card Testing Protection takes a more aggressive approach to identifying suspicious transactions. If you're finding that card testers are making donations that aren't getting blocked, enabling this should help.

You can keep enhanced protection on for as long as you like, or indefinitely, but be sure to take a look at the blocked donations once in a while to make sure it's not stopping legitimate donors.


Spam Protection Settings 

In addition to financial fraud monitoring, Raisely provides built-in spam protection to prevent malicious bots from spamming your campaign with fake signups or blog posts.

Note: While no web-based form can block 100% of sophisticated spam, these settings provide an added layer of mitigation to stop the majority of bot activity.

By enabling Captcha for your sign-up and blog forms, you can block automated "spam" submissions that can clutter your database and skew your campaign data. You can manage these settings directly from your Raisely Admin:

  1. From your campaign sidebar, go to Settings > Fraud Protection.
  2. Scroll down to the Spam Protection (Friendly Captcha) section.
  3. Toggle the switches to ON for the following options as needed:
    • Blog Post Captcha: Protects the blog comments and post submissions on your campaign blog posts.
    • Signup Form Captcha: Protects your campaign from fake fundraiser registrations.

The Signup Form Captcha is only compatible with the latest version of the Raisely Signup Form block. If your campaign is using a Legacy Signup Form, you will not be able to toggle this option on and you will see a prompt to upgrade to Signup Form V4 instead:

If you would like to upgrade to Signup Form V4, head to Pages → select your Signup Page → delete the existing Signup Form block and add a new one, which should look similar to this example:

P2P Fundraiser Profile Verification 

To help protect your campaign from spam accounts and bot activity, Raisely now offers P2P Fundraiser Profile Verification — a feature that requires new fundraisers to verify their email address before they can access their P2P dashboard. This feature is currently being rolled out in phases and is available as a Beta option within your Fraud Protection settings.

How it works:
When Profile Verification is enabled for your campaign, any new fundraiser who signs up via a P2P entry point will be placed into a verification-required state. Here's what they'll experience:
  • After signing up, they'll be shown a verification screen and sent an email containing a magic link
  • Clicking the link verifies their email and grants them access to their P2P dashboard
  • If they try to log in before verifying, they'll be redirected back to the verification screen
  • They can request a new verification link from that screen at any time

Until a fundraiser verifies their email:

  • Their profile page will not be publicly accessible
  • They will not appear on leaderboards or other public-facing campaign elements
  • Any blog posts from their profile will not be visible publicly
  • Their welcome email will be held until verification is complete

Note: Unverified profiles will still appear in your Admin dashboard under Profiles, so you can monitor sign-ups and identify any that haven't completed verification.

Enabling Profile Verification:
  • Navigate to your campaign's Fraud Protection settings
  • Locate the P2P Fundraiser Verification toggle
  • Toggle the switch to ON
  • This setting applies to all P2P sign-up entry points, including legacy forms and custom API-based sign-up flows.

Note: You need to have the Account Confirmation Message set to active; otherwise fundraisers will not receive the verification message.

Manual Verification Process

You'll also be able to manually verify profiles if the legitimate fundraiser is facing issues with verifying via the email link. To do so, go to: 
  1. Campaign > Profiles
  2. Next to the Profile Name, click on Verify

Note: We've also added a new filter that allows you to view all unverified profiles at a glance.

Form Name Field Validation

We have made improvements to how Raisely protects name fields on Signup, Lead, and Ticket forms. Additional front-end validations are now in place to help reduce spam submissions and keep your supporter data clean.

These changes do not affect donors or supporters entering legitimate names, and there are no changes to API behaviour for organisations using custom integrations.

If you or a supporter run into any unexpected issues with a form, please do not hesitate to reach out to our support team and we will be happy to help.

Keyword blocking (profiles & blog posts)

To help reduce spam content, Raisely may block a fundraiser profile or blog post from being saved if it contains words or phrases commonly used in spam or scam posts.

How it works:
  • The check runs when someone creates or updates a fundraiser profile or blog post (e.g. name, description, and body/content fields).
  • If blocked, the content won’t save until the wording is updated.
  • This check is not retroactive (it won’t scan content that’s already live), and it does not apply to donations, comments, or messages.

What fundraisers will see:
If a blocked term is detected, they’ll see an error such as:
“This content looks like spam. Please edit before you can submit, or contact support for help.”

If legitimate content is blocked:
Occasionally, genuine campaigns may use terms that overlap with spam patterns. If this happens, you can go to Campaign Settings → Fraud Protection → Spam filter exceptions and enter the specific words and phrases that you would like our system to treat as safe and allowed through:

Spam fraud protection: API authentication requirements

To strengthen spam protection, Raisely is updating the public API requirements for campaigns with CAPTCHA enabled. The release date for this security enhancement is July 22, 2026.

This article explains which endpoints are affected, what authentication is required, and how to structure API requests so participant registrations, team member additions, posts, and lead-form submissions continue to work as expected.

What is changing

For campaigns with CAPTCHA enabled, the following public API endpoints will require your campaign API key (raisely-sk-*):

  • POST /v3/campaigns/:campaign/register
  • POST /v3/profiles/:profile/members
  • POST /v3/users/upsert (lead-form submissions only)
  • POST /v3/posts

The campaign API key must be stored in a backend service. Do not expose it on the front end.

You can find your campaign API key in Campaign → Settings → API keys.

Registration requests must include data.user

When registering a participant with a campaign API key, the request must include the participant's details nested under data.user.

At minimum, data.user must include the participant's email.

If the participant's details are not nested under data.user, the request will fail with a clear error instead of silently attaching the new profile to your admin account.

Correct request shape for a new registration

<code>{
  "data": {
    "user": {
      "firstName": "Jordan",
      "lastName": "Example",
      "email": "jordan@example.com",
      "password": "AtLeast12Chars!"
    },
    "profile": { "name": "Jordan Example", "type": "INDIVIDUAL", "currency": "AUD" }
  }
}</code>

Registration requirements

  • Participant fields must be nested under data.user.
  • Values placed loosely at the top level, such as data.firstName, are ignored.
  • data.user.email is required.
  • The password must be at least 12 characters.

Team member and post requests should include data.userUuid

For team member requests using /members and post requests using /posts, pass the participant's user ID as data.userUuid.

This field is optional, but strongly recommended. If data.userUuid is not included, the record is attributed to the API key owner, which is your admin account, rather than the intended participant.

If you include data.userUuid, the user must belong to the same organisation as the campaign.

Lead-form submissions through /users/upsert

The /users/upsert endpoint is only affected when it is used to submit a lead form.

A request counts as a lead-form submission when it includes an interaction with:

<code>"categoryPath": "lead-form-submitted"</code>

For these lead-form submissions, CAPTCHA-enabled campaigns will require your campaign API key (raisely-sk-*).

Other uses of /users/upsert are not affected. For example, you do not need an API key or CAPTCHA when using /users/upsert to:

  • Create or update a user
  • Add a tag

This remains true even on a CAPTCHA-enabled campaign.

Example lead-form request requiring a campaign API key

<code>POST /v3/users/upsert?campaign=<campaign-uuid>
Authorization: Bearer raisely-sk-xxxxxxxxxxxxxxxx

{
  "data": {
    "email": "jordan@example.com",
    "firstName": "Jordan",
    "lastName": "Example",
    "interaction": {
      "categoryPath": "lead-form-submitted",
      "detail": { "private": { "formName": "Stay in touch" } }
    }
  }
}</code>

Required actions

Before July 22, 2026:

  1. Store your campaign API key (raisely-sk-*) in a backend service. Never expose it on the front end.
  2. Update registration calls to nest participant details under data.user, including email.
  3. For member and post calls, include data.userUuid so records attach to the right participant.
  4. For lead-form submissions via /users/upsert, include your campaign API key on CAPTCHA-enabled campaigns.

If these requirements are difficult to apply to your setup, contact support before the release date so we can help you work through them.
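
The request rules in this section, as an added backend-side example (not Raisely's own code): it decides which requests need the campaign key and rejects the registration shapes described above before anything is sent. The function names and the RAISELY_CAMPAIGN_KEY environment variable are assumptions, and it assumes CAPTCHA is enabled on the campaign.

```javascript
// Added example, not Raisely code. Assumed names: RAISELY_CAMPAIGN_KEY,
// needsCampaignKey, checkShape, buildRequest. Assumes CAPTCHA is enabled.
const LEAD_FORM = "lead-form-submitted";
const KEYED = [
  /^\/v3\/campaigns\/[^\/]+\/register$/,
  /^\/v3\/profiles\/[^\/]+\/members$/,
  /^\/v3\/posts$/,
];

// True when a POST to `path` needs the campaign key (raisely-sk-*).
function needsCampaignKey(path, body) {
  const bare = path.split("?")[0];
  if (KEYED.some((re) => re.test(bare))) return true;
  // /users/upsert is affected only when it submits a lead form.
  return bare === "/v3/users/upsert" &&
    body?.data?.interaction?.categoryPath === LEAD_FORM;
}

// Throw on shapes that fail; return warnings for mis-attributed records.
function checkShape(path, body) {
  const bare = path.split("?")[0];
  const data = body?.data ?? {};
  if (bare.endsWith("/register")) {
    if (!data.user?.email) throw new Error("data.user.email is required");
    const pw = data.user.password;
    if (pw !== undefined && String(pw).length < 12)
      throw new Error("password must be at least 12 characters");
  }
  if ((bare.endsWith("/members") || bare === "/v3/posts") && !data.userUuid)
    return ["data.userUuid missing: record is attributed to the API key owner"];
  return [];
}

// Build the request server-side; the key is read from the backend environment.
function buildRequest(path, body, env = process.env) {
  const warnings = checkShape(path, body);
  const headers = { "Content-Type": "application/json" };
  if (needsCampaignKey(path, body)) {
    const key = env.RAISELY_CAMPAIGN_KEY || "";
    if (!key.startsWith("raisely-sk-")) throw new Error("campaign API key not set");
    headers.Authorization = `Bearer ${key}`;
  }
  return { method: "POST", path, headers, body: JSON.stringify(body), warnings };
}
```

Send the returned request from your backend with whatever HTTP client it already uses; the browser should talk to your backend, so the key never reaches the front end.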


Identifying Fraudulent Transactions

You can filter your transaction listings to see only those flagged as fraudulent. From your campaign sidebar, select Donations > then click Filter (top bar) > Fraudulent. You can identify who blocked a suspicious donation by clicking it and checking the note at the top of the donation details.

For example, this donation was blocked by Raisely:

And here is a donation that was blocked by the Payment Gateway (in this case - Stripe):

