Are Carding Bots Using Your eCommerce Site To Commit Fraud?


Most of us are used to spam bots or even click bots on our websites. But what about carding bots?

Carding is an increasingly problematic issue for online retailers, with around $30 billion lost to credit card fraud in 2020. In fact, card-not-present fraud is now the most common type of credit card fraud, being around 81% more likely.

And with more businesses reliant on their online platforms, criminals can often find a way to exploit shoddy security to validate their gains.

But what exactly is carding, and how does it work?

What is carding?

Carding is a practice where stolen credit card or gift card details are used on retail websites or payment portals. The intention is for fraudsters to work out which stolen cards actually work, usually by processing multiple card transactions in a short amount of time.

This can result in fraudulent purchases, skewed analytics, false leads, and inventory problems. It can also result in chargebacks, which can have an impact on a company’s reputation with a card issuer.

The practice is also known as credit card stuffing, a card verification attack, or a carding bot attack.

Carding bots are automated scripts that carry out the task of inputting the card details to validate them for their owners. These stolen or fraudulently obtained cards can then be sold online for as little as $45.

If you manage a website with any form of checkout functionality, you are unfortunately at risk of a carding bot attack.

How are these stolen cards obtained?

The cards used in a carding attack can be either physical cards or details taken from stolen data. Hackers who access poorly stored data can often collect thousands or even millions of credit card details in one attack.

Of course, not all of these cards are valid, so this is where carding is useful. By using bots for carding, fraudsters can quickly understand which stolen cards are worth selling or using.

There are many forums online, usually on the Tor network, where criminals can sell and exchange stolen card details.

How does a carding attack work?

Like any form of fraud attack using malicious bots, carding can be done quickly and in bulk.

To start with, the transaction will seem like normal human behaviour, which it often is. An account may be registered if required, and a few items may be added to a shopping basket. By mimicking genuine user behaviour, the bot can perform the duty that it is programmed to do.

At the point of checkout, the bot will take over.

This is where multiple credit cards or debit cards are processed to build a list of functioning cards.

The bot usually carries out a low-value transaction, typically just a few dollars. Once this low-value transaction is confirmed, the card can then be used for more high-value or high-risk purchases.

Carding is a way for fraudulent actors to verify stolen credit cards online

How to spot a carding attack

Like most bot activity, there are often several signals that suggest something is amiss.

By keeping an eye out for these signs, you can tell if your site might have been a victim of a carding attack:

  • A high volume of failed payment authorizations
  • Smaller average basket size
  • A spike in the number of abandoned shopping carts
  • The same user IP causing a large number of failed payment authorizations
  • A high number of visits to the same checkout page relative to overall site visits
  • Cards with different addresses being used or cards rejected due to address mismatch
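Several of the signals in this list can be checked directly against payment authorization logs. The following Python is an added example, not part of the original article: it groups authorization attempts by client IP and flags any IP that shows at least two of the signals. The record fields (`ip`, `card_fp`, `amount`, `approved`, `avs`), the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample authorization records. Field names are assumptions, not a
# real processor schema; card_fp is a tokenized card fingerprint, never a PAN.
SAMPLE_AUTHS = (
    [{"ip": "203.0.113.7", "card_fp": f"fp_{i:02d}", "amount": 1.99,
      "approved": i % 4 == 0, "avs": "Y" if i % 4 == 0 else "N"}
     for i in range(8)]
    + [{"ip": "198.51.100.20", "card_fp": "fp_90", "amount": 64.50,
        "approved": ok, "avs": "Y"} for ok in (False, True)]
    + [{"ip": "192.0.2.44", "card_fp": "fp_77", "amount": 3.50,
        "approved": True, "avs": "Y"} for _ in range(6)]
)

def flag_carding_ips(auths, min_attempts=5, fail_ratio=0.6,
                     min_cards=4, avs_ratio=0.5, small_amount=5.00):
    """Return {ip: [signals]} for IPs showing at least two carding signals."""
    per_ip = defaultdict(list)
    for auth in auths:
        per_ip[auth["ip"]].append(auth)

    flagged = {}
    for ip, rows in per_ip.items():
        if len(rows) < min_attempts:      # too few attempts to judge
            continue
        total = len(rows)
        failed = sum(not r["approved"] for r in rows)
        distinct_cards = len({r["card_fp"] for r in rows})
        avs_mismatch = sum(r["avs"] == "N" for r in rows)
        avg_amount = sum(r["amount"] for r in rows) / total

        signals = []
        if failed / total >= fail_ratio:
            signals.append("high_failure_ratio")
        if distinct_cards >= min_cards:
            signals.append("many_distinct_cards")
        if avs_mismatch / total >= avs_ratio:
            signals.append("avs_mismatch")
        if avg_amount <= small_amount:
            signals.append("low_value_baskets")
        if len(signals) >= 2:             # one signal alone is weak evidence
            flagged[ip] = signals
    return flagged

if __name__ == "__main__":
    for ip, signals in flag_carding_ips(SAMPLE_AUTHS).items():
        print(ip, ", ".join(signals))
```

The repeat customer at 192.0.2.44 makes six small purchases on one card and trips only the low-value signal, so it is not flagged; requiring two signals keeps that kind of legitimate traffic out of the results.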

Although the carding bot might exhibit what seems like genuine user behaviour, to a point, it’s at the checkout where the truth comes out.

These bots might also be cyborgs. This means a human user operates them until the checkout step, when the fraudster just runs the bot code.

Of course, this is where it’s too late for many bot prevention platforms. The damage is done, and you’re left with fraudulent orders, countless chargebacks, or an analytics dashboard that is a mess.

So what can you do?

How can you prevent carding bot attacks?

Preventing carding bot attacks

There are a number of ways a site owner can prevent this kind of bot attack.


Captcha

One of the original ways of preventing bots from clicking on your website, Captcha, is still effective. However, it can be off-putting for genuine customers who are used to one-click checkout.


Address verification

The Address Verification System (AVS) helps to match the card user’s address with the account or delivery address. Because carding bots will often be trying to verify multiple cards from different people, it’s very likely that the addresses won’t match.

Behaviour analysis

Using an external fraud solution that analyses genuine user behaviour is a good way to block carding bots. This form of fraud prevention uses machine learning to spot signs of bot behaviour and block activity in real-time.

Browser validation

Many bots operate from within their own window. This means that they may need to pretend they are using a specific browser, such as Chrome, to be able to access your site. Browser validation software can check to see if the user is really using the browser they say they are and eliminate these types of fraud bots.

API security

Sites with integrated payment often have API certificates to validate payment information. This is vulnerable to brute force attacks from carding bots, so e-commerce sites use Transport Layer Security (TLS) and other authorization mechanisms to check transactions.

Velocity checks

This simple fraud-checking solution helps block someone from trying to use multiple cards in a short time frame. A genuine user (i.e., a human) is unlikely to make more than a handful of transactions on any platform. You can specify the threshold for this type of transaction with your payment processor, which is one of the easiest ways to prevent carding fraud on your site.
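Where the payment processor's own velocity settings are not available, the same rule can be enforced in the checkout code. The following Python is an added example, not part of the original article or any processor's API: a sliding-window check that refuses a client once it has presented more than a set number of distinct cards within the window. The class name, the limits (3 cards per 10 minutes) and the sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class CardVelocityCheck:
    """Refuse a client that presents too many distinct cards in a time window."""

    def __init__(self, max_cards=3, window_seconds=600):
        self.max_cards = max_cards
        self.window = window_seconds
        self._seen = defaultdict(deque)   # client key -> deque of (time, card_fp)

    def allow(self, client, card_fp, now):
        events = self._seen[client]
        # Drop attempts that have aged out of the window.
        while events and now - events[0][0] >= self.window:
            events.popleft()
        cards = {fp for _, fp in events}
        if card_fp not in cards and len(cards) >= self.max_cards:
            return False                  # a further new card exceeds the limit
        events.append((now, card_fp))
        return True

# Constructed attempts: (seconds since start, client key, card fingerprint).
SAMPLE_ATTEMPTS = [
    (0,   "203.0.113.7",   "fp_01"),
    (20,  "203.0.113.7",   "fp_02"),
    (40,  "203.0.113.7",   "fp_03"),
    (60,  "203.0.113.7",   "fp_04"),   # fourth distinct card in the window
    (70,  "203.0.113.7",   "fp_01"),   # retry of a card already seen
    (80,  "198.51.100.20", "fp_90"),   # unrelated client
    (700, "203.0.113.7",   "fp_05"),   # earlier attempts have aged out
]

def replay(attempts, **limits):
    """Run attempts through a fresh check and return the allow/deny decisions."""
    check = CardVelocityCheck(**limits)
    return [check.allow(client, fp, t) for t, client, fp in attempts]

if __name__ == "__main__":
    for attempt, ok in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "allowed" if ok else "blocked")
```

On a real site the state would sit in a shared store rather than process memory, and the client key would usually combine IP address with account and session identifiers.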

Preventing bot clicks

However you’re managing your business online, bots can be disruptive and damaging. From clicking on your ads or spamming to fraudulently inflating your analytics, blocking bots (carding bots included, of course) has become increasingly important to businesses.
