The Invisible Problem in Digital Philanthropy
Online giving has grown into a significant force in American philanthropy. According to recurring surveys of nonprofit fundraising trends, digital channels now account for a growing share of total charitable dollars, and that share accelerated noticeably following the pandemic-era shift toward contactless everything. But alongside that growth came an uncomfortable truth: the internet made it dramatically easier for fraudulent actors to impersonate legitimate charities, create fake fundraising campaigns, and siphon donor dollars before anyone noticed.
The harm isn't abstract. After every major natural disaster — hurricanes, wildfires, earthquakes — a predictable wave of fake charity domains appears within hours. Some are crude scams dressed up with stock photography; others are sophisticated operations that clone the visual identity of well-established nonprofits, complete with mission statements, board bios, and logos designed to pass casual inspection. Donors who give in good faith often don't discover the fraud until they attempt to claim a tax deduction and find the organization doesn't exist in the IRS database.
The platforms that facilitate online giving — whether dedicated nonprofit fundraising tools, general crowdfunding sites, or payment processors with charitable giving features — sit in the middle of this problem. They are, in practical terms, the last meaningful checkpoint between a donor and a bad actor. Which means they need robust verification systems. And increasingly, those systems depend on APIs.
Why "Just Check the IRS" Isn't Enough
The standard advice has always been to verify nonprofit status through the IRS. The IRS maintains the Tax Exempt Organization Search (TEOS) database, a publicly searchable record of organizations that have been granted 501(c)(3) status. In theory, any platform could simply cross-reference an organization against this database before allowing it to accept donations.
In practice, it's more complicated.
The IRS database is updated periodically, not in real time. Organizations can lose their tax-exempt status — for failing to file Form 990, for example — and that revocation can take months to appear consistently across all accessible federal records. Meanwhile, an organization operating in the gap between revocation and database update might still appear legitimate to a platform checking TEOS.
There are also edge cases that a simple IRS lookup doesn't address:
- Newly registered nonprofits that have received a determination letter but whose records haven't yet propagated fully through public data systems
- Organizations operating under a different name than their legal entity, creating mismatch issues when platforms search by trade name
- Fiscally sponsored projects, which are not independent nonprofits but operate under a sponsor organization's tax-exempt umbrella — a legitimate arrangement that nonetheless requires nuanced verification
- State-level registration requirements, which vary significantly and which the IRS database doesn't track
A platform relying solely on a single federal lookup is leaving meaningful verification gaps open.
"Verification isn't a one-time checkbox. It's an ongoing relationship between a platform and the organizations it hosts — one that requires layered data, not a single source of truth."
How Verification APIs Fill the Gaps
This is where nonprofit verification APIs have become increasingly important infrastructure for giving platforms. Rather than requiring a platform to build and maintain its own web-scraping logic against multiple government and third-party databases, a verification API aggregates data from multiple authoritative sources and delivers a structured, actionable response.
A well-built nonprofit verification API typically draws from several data sources simultaneously:
- IRS TEOS for baseline 501(c)(3) status and EIN validation
- IRS Business Master File (BMF) for detailed classification data, including foundation type and public charity status
- Candid (formerly GuideStar) for organizational profiles, financial summaries, and Form 990 filings
- State charity registration databases in states that maintain them
- Sanctions screening lists, including OFAC designations, which matter for platforms operating internationally
The result is a composite picture of an organization's legitimacy that no single database can provide on its own. A platform can query an API at the point of registration, receive a structured response indicating the organization's verified status, relevant financial filings, any known compliance flags, and whether the EIN matches the legal name provided — all in a matter of seconds.
Some verification services have expanded their offerings in recent years. Pactman's Nonprofit Check Plus API, for instance, is one of several tools in this space that attempts to consolidate multi-source verification into a single API call, aimed at platforms that want compliance coverage without building and maintaining their own data pipelines. It sits alongside older, more established data providers like Candid, which has long been the de facto standard for organizational profile data and financial transparency in the U.S. nonprofit sector.
The key value proposition of any verification API is not novelty — it's operational efficiency. For a fundraising platform managing tens of thousands of organizations, automated verification makes the difference between a security process that scales and one that breaks under volume.
The Workflow Behind Nonprofit Onboarding
To understand why verification APIs matter operationally, it helps to walk through what a responsible nonprofit onboarding process actually looks like on a giving platform.
When a new organization applies to receive donations through a platform, a responsible workflow typically involves several stages:
Stage 1 — Initial Data Collection
The organization provides its legal name, EIN (Employer Identification Number), address, mission description, and in many cases financial documents or proof of IRS determination.
Stage 2 — Automated Verification
The platform's system runs the provided EIN and legal name against verification APIs. This check confirms whether the organization appears in IRS records, whether its tax-exempt status is current, whether there are any known revocations or compliance issues, and whether the name matches the legal entity on file.
Stage 3 — Risk Scoring
Some platforms apply additional risk logic — flagging organizations that are newly registered (less than one year), that have no Form 990 on record (possible for very small nonprofits exempt from filing, but worth noting), or that operate in categories historically associated with fraud risk, such as disaster relief.
Stage 4 — Human Review
Automated checks have limits. A human reviewer typically handles edge cases, organizations flagged as medium-risk, and any situations where the API response contains conflicting or incomplete data.
Stage 5 — Ongoing Monitoring
This is where many platforms fall short. Verification at onboarding is necessary but not sufficient. Organizations can lose their tax-exempt status after they've been approved, and platforms that don't monitor for status changes leave themselves — and their donors — exposed. Some verification APIs offer webhook-based alerts or scheduled re-verification to address this.
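The checks in Stages 2 through 4, as an added example that is not part of the original article or any provider's API: each source response is modeled as a plain dict, and the field names (`status`, `as_of`, `dba`, `has_990`), the 90-day freshness limit and the sample records are assumptions. Re-running the same function on a schedule against fresh responses covers the status-change case in Stage 5.

```python
import re
from datetime import date

HIGH_RISK = {"disaster relief"}  # category the article names in Stage 3
MAX_AGE_DAYS = 90                # assumed freshness limit for source data

def norm_ein(raw):
    """Return the bare 9-digit EIN, or None if the input is not EIN-shaped."""
    digits = re.sub(r"[\s\-]", "", raw or "")
    return digits if re.fullmatch(r"\d{9}", digits) else None

def norm_name(name):
    """Casefold and drop punctuation and legal suffixes so names compare fairly."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split()
    return " ".join(w for w in words if w not in {"inc", "incorporated", "the"})

def triage(app, records, today):
    """Return (decision, reasons). Any flag means human review (Stage 4)."""
    ein = norm_ein(app["ein"])
    hits = [r for r in records if ein and norm_ein(r["ein"]) == ein]
    if not hits:
        return "reject", ["EIN malformed or not found in any source"]
    statuses = {r["status"] for r in hits}
    if statuses == {"revoked"}:
        return "reject", ["tax-exempt status revoked"]
    names = {norm_name(n) for r in hits for n in [r["legal_name"], *r.get("dba", [])]}
    checks = [
        ("revoked" in statuses, "sources disagree on status"),  # one source may lag
        (norm_name(app["name"]) not in names, "name matches no legal or trade name"),
        (any((today - r["as_of"]).days > MAX_AGE_DAYS for r in hits), "stale source data"),
        ((today - min(r["ruling_date"] for r in hits)).days < 365, "registered under one year"),
        (not any(r.get("has_990") for r in hits), "no Form 990 on record"),
        (app.get("category", "").casefold() in HIGH_RISK, "high-risk category"),
    ]
    reasons = [why for flagged, why in checks if flagged]
    return ("review" if reasons else "approve"), reasons

# Constructed sample records; the EIN, names and dates are made up.
TODAY = date(2024, 6, 1)
RECORDS = [
    {"ein": "12-3456789", "legal_name": "Example Relief Fund, Inc.",
     "dba": ["Example Relief"], "status": "active", "ruling_date": date(2015, 3, 1),
     "has_990": True, "as_of": date(2024, 5, 20)},
    {"ein": "123456789", "legal_name": "Example Relief Fund Inc",
     "status": "revoked", "ruling_date": date(2015, 3, 1), "as_of": date(2024, 5, 28)},
]

SAMPLE = triage({"ein": "12-3456789", "name": "Example Relief"}, RECORDS, TODAY)
```

With the constructed records, the trade name matches but the two sources disagree on status, so the application is held for review rather than approved on the strength of the one source that still reports it as active.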
"Onboarding verification is the entry gate. Ongoing monitoring is what keeps the door honest."
The Data Fragmentation Problem
One of the underappreciated challenges in nonprofit verification is how fragmented the underlying data landscape is in the United States. Unlike some countries with centralized charity registries, the U.S. distributes regulatory oversight across federal and state levels, with no single authoritative real-time database covering all nonprofits in all jurisdictions.
The IRS handles federal tax-exempt status. Individual states handle charitable solicitation registration — and requirements vary dramatically. Some states require any charity soliciting residents to register annually; others have minimal requirements or enforcement. A nonprofit legally incorporated in Delaware might need to file separately with the attorneys general of California, New York, and several other states if it solicits donors in those jurisdictions.
For verification purposes, this means a platform seeking complete compliance coverage needs to pull from multiple state-level databases that are often inconsistently maintained, updated at different intervals, and formatted differently from one another. Most platforms don't have the engineering resources to build and sustain this kind of multi-source pipeline internally, which is part of why third-party verification services exist.
The honest limitation here is that no current verification API covers every state database comprehensively. Aggregation has improved significantly over the past decade, and data partnerships with providers like Candid have raised the baseline of what's accessible. But gaps remain, particularly for smaller states and newer registration systems that haven't been standardized or made accessible via API.
Platforms should understand that verification APIs are powerful tools that substantially reduce fraud risk — but they are not complete substitutes for periodic manual due diligence on high-value or high-visibility organizations.
Automation and Its Limits
The appeal of API-driven verification is obvious: it's fast, consistent, and doesn't require a compliance team to manually look up every organization in multiple databases. For high-volume platforms, automation is the only practical path.
But automation introduces its own categories of risk.
A verification API can confirm that an EIN belongs to a registered nonprofit. It cannot confirm that the people currently running that nonprofit are operating it legitimately. There is a documented pattern of fraud involving the exploitation of dormant or lightly active nonprofits: organizations that have kept their IRS status through minimal compliance activity, and that a bad actor then gains control of and activates for fraudulent fundraising. Against a pure EIN-lookup approach, these organizations pass verification cleanly.
This is why responsible platforms combine automated verification with qualitative checks: reviewing organizational websites, examining social media presence, assessing whether the stated mission aligns with the organization's historical Form 990 filings, and in some cases, making direct contact with the organization.
There's also the question of what happens when verification data is wrong or outdated. IRS data can lag. Third-party aggregators can contain errors. An organization that legitimately lost its tax-exempt status might still appear as active in a verification response if the revocation hasn't propagated through data pipelines yet. Platforms need exception-handling workflows and periodic re-verification to catch these cases.
The technology is genuinely useful — but it works best when it's understood as one layer of a broader fraud prevention system, not a complete solution in itself.
Transparency as a Donor Protection Strategy
Beyond backend verification processes, there's a growing argument that donor-facing transparency is itself a fraud prevention tool. Platforms that display verification badges, link to Form 990 filings, or surface Candid ratings give donors the ability to make independent assessments, so the platform's own verification is no longer the only safeguard.
The Candid Seal of Transparency, for example, is awarded to nonprofits that voluntarily share financial information, board lists, mission statements, and strategic goals through Candid's platform. A donation page that displays this seal communicates something meaningful to an informed donor: the organization has chosen to be open about how it operates, not just compliant with minimum requirements.
This kind of layered transparency — where platform verification and organizational self-disclosure work together — is arguably more robust than verification alone. A fraudulent actor willing to fake an EIN lookup might not be willing to fabricate an entire history of Form 990 filings, audited financial statements, and board member records.
"The best fraud prevention isn't invisible to donors — it's visible enough to be reassuring and granular enough to be meaningful."
What the Verification Landscape Looks Like Today
For practitioners building or evaluating giving platforms, here's a practical overview of the verification tools and data sources currently in play:
| Source | What It Covers | Strengths | Limitations |
| --- | --- | --- | --- |
| IRS Tax Exempt Organization Search (TEOS) | 501(c)(3) status, EIN validation | Authoritative, free, public | Update lag; no state-level data |
| IRS Business Master File (BMF) | Detailed classification, foundation type | Comprehensive federal data | Periodic updates, not real-time |
| Candid / GuideStar | Organizational profiles, Form 990s, ratings | Deep financial transparency data | Requires licensing for full access |
| State AG Charity Databases | State registration status | Jurisdiction-level compliance | Highly fragmented, inconsistent |
| OFAC SDN List | Sanctions screening | Essential for international orgs | U.S.-specific sanctions focus |
| Nonprofit Verification APIs | Aggregated multi-source data | Operational efficiency, single call | Coverage gaps vary by provider |
No single row in that table is sufficient on its own. The platforms doing this well are combining sources thoughtfully, with human review layered on top for edge cases.
The Road Ahead
Nonprofit verification technology is improving, but it's not keeping pace with the growth of the sector or the sophistication of fraud. A few developments are worth watching.
Real-time IRS data access remains a long-standing gap. Advocates in the nonprofit technology space have periodically called for more modern, API-native access to IRS tax-exempt data — the kind of real-time infrastructure that would make verification dramatically more reliable. Progress has been slow, partly because IRS modernization broadly has been a prolonged, underfunded effort.
Machine learning for behavioral anomaly detection is beginning to complement traditional data verification. Some platforms are experimenting with models that flag unusual patterns — a new organization suddenly receiving unusually large donations shortly after a disaster event, for instance — as a supplementary risk signal.
Cross-platform data sharing among giving platforms could create a form of distributed fraud intelligence, where a bad actor flagged by one platform is flagged across many simultaneously. The practical and competitive barriers to this are significant, but the concept is gaining some attention in fintech-adjacent nonprofit technology circles.
Conclusion
The shift to digital giving has been broadly positive for philanthropy — lower transaction costs, broader reach, and the ability to mobilize donations within hours of a crisis. But it has also created a verification responsibility that didn't exist in the era of mailed checks to known organizations.
Fraud prevention in online giving isn't glamorous infrastructure. Donors don't see it; most nonprofit professionals don't think about it daily. But when it fails, the consequences are real: donors lose money, legitimate charities lose trust, and the broader ecosystem of online giving suffers reputational harm that takes years to repair.
Verification APIs have become an important part of how platforms manage this responsibility at scale. They're not perfect, and they're not a replacement for thoughtful human oversight. But combined with clear onboarding standards, ongoing monitoring, and donor-facing transparency features, they represent a meaningful step toward a more trustworthy digital giving ecosystem.
The organizations and platforms that take this infrastructure seriously — that treat verification as an ongoing operational commitment rather than a one-time compliance checkbox — are the ones building the foundation that digital philanthropy needs to grow responsibly.