Checking the Boxes

WinRed, The Republican Party, Facebook, and Stripe

This is the first time I’ve had to add this disclaimer but - we’ve got a long one this week, so you might have to click out of your email to read the entire newsletter.


Shane Goldmacher at the NY Times dropped this exposé on the Trump campaign’s fundraising tactics before and after the 2020 election. It did most of its online fundraising through a platform called WinRed, a for-profit venture set up by a former Trump campaign official named Gerrit Lansing. Once it became clear Biden was going to secure the nomination the Trump campaign - which was also using campaign cash to pay legal bills and create slush funds for family members - needed to match their fundraising haul. Lansing and Trump campaign strategist Gary Coby came up with a plan:

The small and bright yellow box popped up on Mr. Trump’s digital donation portal around March 2020. The text was boldface, simple and straightforward: “Make this a monthly recurring donation.”

The box came prefilled with a check mark.

In one of my many past lives, I ran a payments company. This check box is called a prechecked upsell, meaning the customer is “agreeing” to be charged for another product or service, but it’s prefilled and if they don’t want it, they must opt out. This is called “presumed consent”, which has beneficial applications in other areas like organ donation and voter registration. However! That’s obviously not what was happening here - the Trump campaign was automatically opting people into monthly donations. And then, they took it a step further:

By June, the campaign and the R.N.C. were experimenting with a second prechecked box, to default donors into making an additional contribution — called the money bomb. An early test arrived in the run-up to Mr. Trump’s birthday, June 14. The results were tantalizing: That date, a seemingly random Sunday, became the biggest day for online donations in the campaign’s history.

Not surprising! Then what happened?

The two prechecked yellow boxes would be a fixture for the rest of the campaign. And so would a much larger volume of refunds.

Until then, the Biden and Trump operations had nearly identical refund rates on WinRed and ActBlue in 2020: 2.18 percent for Mr. Trump and 2.17 percent for Mr. Biden.

But from the day after Mr. Trump’s birthday through the rest of the year, Mr. Biden’s refund rate remained nearly flat, at 2.24 percent, while Mr. Trump’s soared to 12.29 percent.

In the payments world a 12 percent refund rate is unbelievably high. No standard merchant - a company processing credit cards - would survive a refund rate that high. It’s a giant waving red flag to a payment processor that a merchant is perpetrating fraud. Nothing happened to the Trump campaign, obviously, and so they did exactly what you’d expect them to do:

In early September — just after learning that it had been outraised by the Biden operation in August by more than $150 million — the Trump campaign became even more aggressive.

It changed the language in the first yellow box to withdraw recurring donations every week instead of every month. Suddenly, some contributors were unwittingly making as many as half a dozen donations in 30 days: the intended contribution, the “money bomb” and four more weekly withdrawals.

Weekly! Why not. This did make waves at the time, though I somehow missed it, probably due to terminal Election Brain and the 2nd wave of the pandemic, or whatever:

“They’re inventing new deceptive tactics to essentially steal money from people,” said Mike Nellis, a Democratic digital strategist with an expertise in fund-raising. “They’re going completely and totally scorched earth on their own supporters. I’ve never seen anything like this in my life.”

Mike’s right, I haven’t seen anything like this since the mid-2000s, and that was on porn sites. The double prechecked up/cross sell was a common tactic back then - before credit card processors imposed stricter regulations - to sign customers up for multiple sites or subscriptions at once. I’ve ruined my search history to find an explanation from adult reviews dot com, so you don’t have to:

One problem with this sort of scam is fraud is a trailing indicator - it can take weeks or months until victims notice the charges and start calling their banks to dispute them. Due to the incredibly aggressive nature of the Trump donations, it didn’t take very long:

Around the same time, officials who fielded fraud claims at bank and credit card companies noticed a surge in complaints against the Trump campaign and WinRed.

“It started to go absolutely wild,” said one fraud investigator with Wells Fargo. “It just became a pattern,” said another at Capital One.

So what did the Trump campaign do? You know what they did:

The Trump operation was not done modifying the yellow boxes. Soon, the fact that donations would be withdrawn weekly was taken out of boldface type, according to archived versions of the president’s website, and moved beneath other bold text.

As the campaign’s financial problems became increasingly acute, the yellow boxes became dizzyingly more complex.

By October there were sometimes nine lines of boldface text — with ALL-CAPS words sprinkled in — before the disclosure that there would be weekly withdrawals. As many as eight more lines of boldface text came before the second additional donation disclaimer.

It’s like watching a sci-fi movie and the creature has mutated into its final form - a terrifying beast of pure, unadulterated grift. It’d be comical if it wasn’t responsible for extracting over a hundred million dollars from people without their knowledge.

Setting aside the outright theft, in many cases the Trump campaign and RNC were forced to refund some of the donations because they exceeded the legal limit:

Records show that Mr. Biden’s campaign committee issued roughly $47,000 in refunds larger than $5,000 after Election Day; Mr. Trump’s campaign issued more than $7 million.

But that was a drop in the bucket compared to the total number of refunds:

In the final two and a half months of 2020, the Trump campaign, the Republican National Committee and their shared accounts issued more than 530,000 refunds worth $64.3 million to online donors.

In the end, Trump’s overall refund percentage rose to 10% of the $1.2 billion he raised, while the Biden campaign was 2%, a standard rate. That wasn’t the most eye-popping statistic, though:

Several bank representatives who fielded fraud claims directly from consumers estimated that WinRed cases, at their peak, represented as much as 1 to 3 percent of their workload. An executive for one of the nation’s larger credit-card issuers confirmed that WinRed at its height accounted for a similar percentage of its formal disputes.

That figure may seem small at first glance, but financial experts said it was a shockingly large percentage, considering that political donations represent a tiny fraction of the overall United States economy.

You’re reading that correctly - WinRed may have accounted for as much as 3% of all fraud claims in the United States at the peak of the campaign. If you think that’s anecdotal, here’s Jason Miller admitting it:

Jason Miller, a spokesman for Mr. Trump, downplayed the rash of fraud complaints and the $122.7 million in total refunds issued by the Trump operation. He said internal records showed that 0.87 percent of its WinRed transactions had been subject to formal credit card disputes. “The fact we had a dispute rate of less than 1 percent of total donations despite raising more grass-roots money than any campaign in history is remarkable,” he said.

That seems like a pretty specific number, and it’s conveniently .03% below the threshold for the Visa Fraud and Dispute monitoring programs according to WinRed’s payment processor, Stripe:

If you meet or exceed 75,000 USD in fraud volume and a fraud-to-sales volume ratio of .9% in a data month, you qualify for the program at the Standard level.

MasterCard has different thresholds the campaign may have snuck under, but I’ll refrain from going too far down the rabbit hole.

So, we’ve established that the Trump campaign and the RNC were allowed to run a wildly fraudulent donation drive. They kept it going for two more months after the election. Stripe claimed it cut ties with the Trump campaign in January after the Capitol riots, but they are still processing for WinRed, despite the company issuing 9 figures’ worth of refunds and maintaining fraud rates that would qualify it for monitoring programs.

So how did WinRed fare in all this?

Unlike ActBlue, which is a nonprofit, WinRed is a for-profit company. It makes its money by taking 30 cents of every donation, plus 3.8 percent of the amount given. WinRed was paid more than $118 million from federal committees the last election cycle; even after paying credit card fees and expenses like payroll and rent, the profits are believed to be significant.

WinRed even made money off donations that were refunded by keeping the fees it charged on each transaction, a practice it said was standard in the industry[…]

Not so bad for them. One thing the article does not mention is the fees associated with disputes. According to Stripe’s website, it charges merchants $15 per dispute. Jason Miller said they had 200,000 disputes. So that’s another $3 million in fees, on top of all the fees Stripe held on to related to the refunds:

There are no fees to refund a payment, but Stripe’s fees on the original payment will not be returned in case of a refund.

I realize Stripe is worth an astonishing amount of money, and the tech press is quite fond of its young founders, but it is surely unprecedented to issue over a hundred million dollars’ worth of refunds, pay millions in chargeback and refund fees, and have it all go unnoticed by banks and regulators. Not to mention, they continue to enable WinRed to keep the grift going.

The Republican Party

The National Republican Congressional Committee has decided, like many GOP candidates have, that it should get in on the act:

The political arm of House Republicans is deploying a prechecked box to enroll donors into repeating monthly donations — and using ominous language to warn them of the consequences if they opt out: “If you UNCHECK this box, we will have to tell Trump you’re a DEFECTOR.”

Tim Miller at The Bulwark received a text message offering Trump donors an invite to his new “social network” that does not yet exist in exchange for a donation. The ad features a different set of double pre-checked boxes:

The RNC slightly changed its language on its donation pages, putting a series of arrows towards it’s pre-checked donation option:

It’s unclear whether Trump has sanctioned the NRCC’s onslaught of ads using his name and likeness, since he filed a C&D against them last month. WinRed is still closely associated with Trump, and handles payments for his various PACs, so who knows what sorts of deals are being cut behind the scenes. Like many things in the Trump era, he and his cronies used highly questionable and probably-not-legal campaign tactics, and the national GOP immediately signed on.


Much of the reporting done about these campaigns has focused on emails and text messages sent to existing donors and supporters. But, as we know, Trump and the GOP spent hundreds of millions of dollars advertising on Google and Facebook last election cycle. If the Trump campaign had been using prechecked donation boxes on its landing pages since March, is Facebook okay with that?

The answer is - apparently yes, but they shouldn’t be. It is extremely clear in Facebook’s advertising policies that the use of pre-check subscription options is not allowed:

I can count a couple ways the WinRed donation pages violate Facebook’s advertising policies. Have they done anything about it since the NY Times report came out? Nope. If you visit the NRCC’s ad library on Facebook you will see multiple active ads soliciting donations, including one that leads to this page, which has a double pre-check donation box on it with opaque disclosures:

WinRed has added a pop-up disclosure prior to check out, though notably only on desktop computers, not on mobile phones:

As you can tell from the amount of the donation in my screenshot, I changed the dollar amount to far exceed the legal limit for a number of the 15 candidates listed on the NRCC’s page, and it attempted to charge a test card number I used for the full amount.

I’m not going to use a real credit card to test a $51,000 donation to some of the worst people in America, but it does appear that WinRed is currently allowing illegal donation amounts on its platform with prechecked boxes that flagrantly violate Facebook’s advertising policies. Google does not have specific rules around subscription services on its public ad policy pages, but I have to imagine they would not allow this sort of behavior from an advertiser selling consumer goods or services.


So where is Stripe in all of this? The payment processor for WinRed does have policies on their website for subscription services:

To prevent charge disputes and ensure compliance with the card networks’ requirements, make sure your website clearly describes your subscription services, and especially your free or promotional trial offers.

Perhaps WinRed and Stripe do not consider monthly recurring donations to political campaigns made in perpetuity to be subscriptions, but from a processing standpoint, that’s what they are. Therefore, the terms of the payments should be made clear to the consumer.

Taking a look at the NRCC page, the “terms” such that they are exist below “the fold” - the viewable area on a webpage before a consumer must scroll down - and are mixed in with a variety of other horrifying disclosures in small, light grey, non-bold font. Look at this mess:

Stripe has access to all of WinRed’s transaction details, and they would likely have signed off on the weekly recurring withdrawals the Trump campaign was making. A tool processors often use to prevent fraud is requiring merchants to submit new billing models for approval. Did Stripe give WinRed and the Trump campaign carte blanche to charge donors once a week, in any amount they wished, even as their refunds and chargeback rates were spiking?

After all the negative publicity and the business risk Stripe put itself in to enable the Trump fundraising machine, why does it continue to do so for the GOP? As the payment processor powering WinRed it could ban the platform from using these deceptive and possibly illegal billing methods. None of this would be allowed at a normal e-commerce business, or even on a porn site. It begs the question whether Stripe is more worried about making enemies of the politically connected than subjecting millions of Americans to hundreds of millions’ of dollars worth of credit card fraud.

Short Cons

NY Times - “Years later, the Internal Revenue Service got wind of the arrangement, which it condemned as an “abusive” tax shelter. The move by Bristol Myers, the I.R.S. concluded, would cheat the United States out of about $1.4 billion in taxes.

Guardian - “Dozens of people have been arrested, including an oil heiress and singer who was found with €300,000 (£260,000) in cash when her Rolls-Royce was pulled over in 2019, as Italian police disrupted a massive fuel fraud by mafia groups.

WSJ - “Sherman, a privately held enterprise, through its subsidiaries filed 15,420 more debt-collection lawsuits in those districts than during the year-earlier period. Those courts serve 13% of the U.S. population.

Tips, thoughts, unwanted donations to