Imagine waking up to find your site bombarded by thousands of transactions.

“Yippee!” you think. “My hard work is paying off.” But you look closer and see that all the purchases are small, and for some reason they don’t make sense. You realise they’re fraudulent.

At first, you aren’t sure it’s a big deal, but your phone starts to ring with complaints from angry customers. When the calls have subsided, you start adding up all the chargebacks and authorisation fees and see that this month’s profits—and maybe even this year’s profits—are down the drain. For more and more businesses and organisations, this nightmare scenario has become all too real. The culprit? Card testing, often executed through botnets.

What is card testing?

Fraudsters use card testing to determine whether stolen credit card numbers are still valid. First, they purchase or steal card details on the dark web, or obtain them via phishing or spyware.

Then, with the numbers in hand, they attempt small purchases on an unsuspecting merchant’s site to see whether the card is approved.[1]

Since cards are often stolen weeks or months prior, this process reveals which cards have been cancelled by cardholders and banks—and which ones are still usable. Once the cancelled or declined card numbers are weeded out, fraudsters can move on to make larger purchases, or resell the validated information on the dark web.

What role do botnets play?

When you add botnets to the equation, card testing enters new realms of destruction.[2]

Manual testing is time consuming

Manual testing is time-consuming and labour-intensive, so fraudsters program networks of compromised computers (botnets) to run thousands of low-value transactions at a time.
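The pattern described above (many low-value authorisation attempts, many distinct cards, a high decline rate, all from one source in a short window) is what a merchant can look for in its own authorisation logs. The following detector is an added example written for this article, not code from the original post or from any payment provider; the log format, the field names and the thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): time, source IP, card token, amount, auth result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 4242 1.00 declined
2024-03-01T10:00:02Z 203.0.113.7 1881 1.00 declined
2024-03-01T10:00:03Z 203.0.113.7 5100 1.00 approved
2024-03-01T10:00:04Z 203.0.113.7 0005 1.00 declined
2024-03-01T10:00:05Z 203.0.113.7 3782 1.00 declined
2024-03-01T10:00:06Z 203.0.113.7 6011 1.00 declined
2024-03-01T10:02:15Z 198.51.100.9 4242 49.99 approved
2024-03-01T10:40:00Z 198.51.100.9 4242 12.50 approved
"""

def parse_log(text):
    """Turn one whitespace-separated line per authorisation attempt into a dict."""
    records = []
    for line in text.splitlines():
        ts, ip, card, amount, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "ip": ip, "card": card, "amount": float(amount), "result": result})
    return records

def detect_card_testing(records, window=timedelta(minutes=5), min_attempts=5,
                        max_amount=5.0, min_distinct_cards=4, min_decline_ratio=0.5):
    """Flag source IPs whose low-value attempts in any sliding window look like card
    testing: many attempts, many distinct cards, mostly declined. Thresholds are
    assumed starting points; tune them to your own traffic. Returns {ip: reason}."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["amount"] <= max_amount:          # only the low-value probes matter here
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, attempts in by_ip.items():
        recent = deque()                        # attempts inside the current window
        for r in attempts:
            recent.append(r)
            while recent[0]["ts"] < r["ts"] - window:
                recent.popleft()
            cards = {x["card"] for x in recent}
            declines = sum(x["result"] == "declined" for x in recent)
            if (len(recent) >= min_attempts and len(cards) >= min_distinct_cards
                    and declines / len(recent) >= min_decline_ratio):
                flagged[ip] = {"attempts": len(recent), "distinct_cards": len(cards),
                               "decline_ratio": round(declines / len(recent), 2)}
                break                           # one hit per source is enough to alert
    return flagged

if __name__ == "__main__":
    print(detect_card_testing(parse_log(SAMPLE_LOG)))
```

A flagged source is a signal to rate-limit or challenge further attempts from it and to review the approved cards in the same window, since those are the numbers the fraudster has just validated.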

Fraudsters obtain valid card numbers

Fraudsters come away from these attacks with valid card numbers, while merchants are left with a huge revenue hit from authorisation processing fees, not to mention serious brand damage and a major tax on their time and resources.

Who’s at risk?

Card testing attacks often target small and medium businesses as well as organisations that accept donations or even tuition. Because these types of merchants often lack the tools and technologies to protect themselves, they make easy prey.[3]

Businesses and organisations that don’t sell physical goods

Businesses and organisations that don’t sell physical goods tend to be particularly vulnerable because they assume fraud isn’t a worry—the fraudsters know this and deliberately target them as a result. Take nonprofits, for example. Since many nonprofit donation pages collect little information from donors and fail to set minimum limits for giving, they provide an ideal environment for card testing.[4]

How can businesses and nonprofits protect themselves?

There’s no one component that can stop card testing. However, there are key steps you can take to stay ahead of the curve and avoid attacks. Check out part two of our card testing series to learn more.