It's essential for small and midsize business owners with e-commerce storefronts to understand the potential threats and damage of bot activity.
As technology advances, internet bot activity — both good and bad — is growing. Unfortunately, advanced bots have made it easier for fraudsters to commit crimes. According to the 2023 Imperva Bad Bot Report, 22.7 percent of all internet traffic on e-commerce and retail websites in the prior year was attributable to bad bots. Because bot traffic affects many verticals, small and midsize businesses (SMBs) need to understand the potential threats posed by bots. Here’s a look at bot-driven credit card testing fraud, how these attacks work, and how you can protect your business and customers from this e-commerce threat.
Credit card testing fraud, also known as carding and card cracking, is when cybercriminals make a small online purchase to test whether a stolen credit card number is valid.
Credit card testing often goes unnoticed by fraud-detection solutions and is usually discovered only when it’s too late. Without proper measures in place, credit card testing fraud can be costly and damaging to both SMBs and cardholders.
Fraudsters can potentially abuse any user-related function on your company’s website, such as the ability to enable payments. Once the scammer purchases a list of stolen credit card numbers, they test them to see which ones are valid by making small transactions on unsuspecting e-commerce sites.
Fraudsters can use bots to do this work efficiently. A bot can automatically submit orders on multiple websites to check credit card validity much faster than a fraudster inputting card numbers one by one could.
The fraudster’s end goal is to find valid credit cards they can use to make large online purchases or sell the list of validated credit cards to other cybercriminals.
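The pattern described above (many different card numbers, each tried on a small purchase, submitted faster than a person could type them) shows up in checkout logs. The following is an added example, not part of the original article: a sliding-window check over a constructed log, where the record layout, the client identifier and the thresholds (five distinct cards, ten minutes, orders of 5.00 or less) are all assumptions to tune for your own store.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample checkout log: (time, client id, card fingerprint, amount, approved).
# Card fingerprints stand for payment-processor tokens, never raw card numbers.
def _build_sample():
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    rows = [(t0 + timedelta(seconds=20 * i), "client-A", f"card-{i:02d}", 1.00, i % 4 == 0)
            for i in range(12)]                       # 12 different cards in 4 minutes
    rows += [(t0 + timedelta(hours=h), "client-B", "card-90", 42.50, True)
             for h in (1, 30)]                        # returning shopper, one card
    rows += [(t0 + timedelta(minutes=m), "client-C", f"card-8{m}", 2.00, True)
             for m in (0, 200, 400)]                  # a few cards, hours apart
    return sorted(rows)

SAMPLE_LOG = _build_sample()

def find_card_testing(log, window=timedelta(minutes=10), min_cards=5, max_amount=5.00):
    """Return {client: stats} for clients that try >= min_cards distinct cards
    on small orders (<= max_amount) inside one sliding time window."""
    recent = defaultdict(deque)      # client -> deque of (time, card, approved)
    flagged = {}
    for when, client, card, amount, approved in sorted(log):
        if amount > max_amount:
            continue                 # card testing relies on small purchases
        q = recent[client]
        q.append((when, card, approved))
        while when - q[0][0] > window:
            q.popleft()              # drop attempts older than the window
        cards = {c for _, c, _ in q}
        if len(cards) >= min_cards:
            declined = sum(1 for _, _, ok in q if not ok)
            best = flagged.get(client, {"distinct_cards": 0})
            if len(cards) >= best["distinct_cards"]:   # keep the busiest window seen
                flagged[client] = {"distinct_cards": len(cards),
                                   "attempts": len(q),
                                   "declined": declined}
    return flagged

if __name__ == "__main__":
    for client, stats in find_card_testing(SAMPLE_LOG).items():
        print(client, stats)
```

Only `client-A` is flagged in the sample; the returning shopper and the client using a few cards hours apart are not.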
In 2019, a carding bot called the Canary Bot was discovered by PerimeterX, a provider of solutions designed to curb online fraud. The Canary Bot was designed to target e-commerce platforms. Mimicking a real shopper, the bot added products to an online shopping cart, set shipping information and completed the sale on multiple businesses within the platform.
The bot was discovered because its pattern differed from that of human shoppers. For example, activity increased before the holiday shopping season, which isn’t typical, since people usually wait for sales. The bot’s transactions also didn’t follow the usual human shopping time patterns; instead, the transactions happened randomly throughout the day.
Bot-driven credit card testing hurts your SMB with charge-backs, shipped goods that are never recovered, lost revenue from fraudulent sales and damage to your brand reputation. Additionally, operational costs rise, while customer service calls take up precious time. If your business unintentionally allowed fraudsters to enter the networks, it’s likely other cybercriminals will follow.
In the age of security breaches and hacks, data centers and credit card agencies unintentionally give hackers abundant access to credit card numbers. Typically, hackers sell a bulk list of stolen card numbers on the dark web, where a buyer — the fraudster — is lurking.
A fraudster can purchase lists of credit card numbers; the list’s resale value depreciates over time. Many cardholders and banks take preemptive measures to shut down credit cards if there is a breach, but a small, unauthorized purchase may go unnoticed.
Luckily, you can spot red flags when carding attacks occur. Here are some things to look for:
If you’re a small business owner, follow these tips:
Jennifer Dublino contributed to this article.