Carding Attacks: What they are and how to prevent them
Protect your site from carding attacks. Learn how to spot bot fraud on WooCommerce or Gravity Forms and the best ways to stop these attacks before they start.
If you run an e-commerce site, you probably worry about things like SEO or abandoned carts. However, there is a quieter, more technical threat that can ruin your day and your bank account: the carding attack. I have seen these hit sites of all sizes, and if you are not prepared, the aftermath can be a nightmare.
What is a Carding Attack?
A carding attack is a type of automated fraud where bots test stolen credit card information on your website. Criminals buy lists of thousands of stolen card numbers on the dark web, but they do not know which ones are still active or have a high balance. To find out, they use a script to run small transactions through your checkout or donation form.
The goal isn’t usually to “steal” your product. Instead, they are using your payment gateway as a testing ground. If a transaction for $1.00 goes through, they know the card is valid and can move on to making much larger purchases elsewhere.
How to Tell if You Are Being Attacked
The most obvious sign of an attack is a sudden, massive spike in traffic or “failed” orders. Here are the red flags I tell my clients to watch for:
- A flood of small orders: You see dozens or hundreds of orders for very small amounts within a few minutes.
- High failure rates: Your payment gateway reports a massive number of “Declined” or “Invalid CVV” errors.
- Gibberish customer data: The names and addresses on the orders look like random strings of letters or do not match the credit card’s country of origin.
- The “Guest” checkout surge: Most bots do not bother creating accounts, so you will see a wave of guest checkouts from different IP addresses.
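One way to turn the four red flags above into a check you can run over an exported list of orders, written here as an added example (it is not code from the article or from any shop plugin). The record layout (`ts`, `amount`, `status`, `reason`, `guest`, `ip`, `name`), the thresholds, and the sample orders are all constructed assumptions; tune the thresholds to your own shop's normal volume.

```python
"""Red-flag checks for carding activity over an order export.

Added example, not from the article. The record layout and the
thresholds are assumptions; the sample orders are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# --- Constructed sample data ------------------------------------------------
_BASE = datetime(2024, 5, 1, 10, 0, 0)

# Two ordinary orders earlier in the morning: normal amounts, logged-in buyers.
LEGIT_ORDERS = [
    {"id": 1001, "ts": "2024-05-01T09:10:00", "amount": 49.99, "status": "completed",
     "reason": "", "guest": False, "ip": "198.51.100.7", "name": "Jane Smith"},
    {"id": 1002, "ts": "2024-05-01T09:40:00", "amount": 120.00, "status": "completed",
     "reason": "", "guest": False, "ip": "198.51.100.8", "name": "Maria Lopez"},
]

# A burst of ten $1.00 guest orders fifteen seconds apart, almost all declined.
_BURST_NAMES = ["xq zlkjq", "kfjd93 qp", "qwrtp sdfg", "zzxv bnmk", "plk mnbv",
                "qqq wwx", "jhgf dsz", "mnb vcx", "ghjk lzx", "pqrs tvw"]
_BURST_IPS = ["203.0.113.%d" % n for n in (10, 11, 12, 13, 14, 15, 16, 17, 10, 11)]
BURST_ORDERS = [
    {"id": 2000 + i,
     "ts": (_BASE + timedelta(seconds=15 * i)).isoformat(),
     "amount": 1.00,
     "status": "completed" if i == 9 else "declined",   # one card finally "works"
     "reason": "" if i == 9 else ("invalid_cvv" if i % 2 == 0 else "card_declined"),
     "guest": True, "ip": _BURST_IPS[i], "name": _BURST_NAMES[i]}
    for i in range(10)
]
SAMPLE_ORDERS = LEGIT_ORDERS + BURST_ORDERS

# --- Red-flag checks --------------------------------------------------------
def _parse_ts(s):
    return datetime.fromisoformat(s)


def small_order_burst(orders, max_amount=5.0, window=timedelta(minutes=5)):
    """Largest number of orders at or below max_amount inside any sliding window."""
    times = sorted(_parse_ts(o["ts"]) for o in orders if o["amount"] <= max_amount)
    best, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def failure_rate(orders):
    """Share of orders the gateway declined."""
    if not orders:
        return 0.0
    return sum(1 for o in orders if o["status"] == "declined") / len(orders)


def decline_reasons(orders):
    """Histogram of gateway decline reasons (CVV errors dominate in card testing)."""
    return Counter(o["reason"] for o in orders if o["status"] == "declined")


_VOWELS = set("aeiouy")


def looks_gibberish(name):
    """Heuristic: digits in a name, or almost no vowels, suggests random input.
    It is a heuristic: a real name with few vowels can trip it."""
    letters = [c.lower() for c in name if c.isalpha()]
    if not letters or any(c.isdigit() for c in name):
        return True
    return sum(c in _VOWELS for c in letters) / len(letters) < 0.25


def guest_ip_spread(orders):
    """Number of distinct client addresses behind guest checkouts."""
    return len({o["ip"] for o in orders if o["guest"]})


def assess(orders, burst_threshold=8, failure_threshold=0.5,
           gibberish_threshold=5, ip_threshold=5):
    """Map each red flag from the article to a boolean for this batch of orders."""
    return {
        "small_order_flood": small_order_burst(orders) >= burst_threshold,
        "high_failure_rate": failure_rate(orders) >= failure_threshold,
        "gibberish_customer_data":
            sum(looks_gibberish(o["name"]) for o in orders) >= gibberish_threshold,
        "guest_checkout_surge": guest_ip_spread(orders) >= ip_threshold,
    }


if __name__ == "__main__":
    for flag, raised in assess(SAMPLE_ORDERS).items():
        print("%-25s %s" % (flag, "RAISED" if raised else "ok"))
    print("decline reasons:", dict(decline_reasons(SAMPLE_ORDERS)))
```

Run it against a CSV or API export of the last hour's orders on a schedule; any single flag is worth a look, and all four together is the pattern described above. The two ordinary orders in the sample raise nothing, which is the check that the thresholds are not so tight that a normal morning alerts.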
How to Stop an Attack on WooCommerce
If you realize an attack is happening right now, your first instinct might be to panic. Don’t panic, but do act fast. The easiest way to stop a bot in its tracks is to add a barrier that a script cannot easily bypass.
For WooCommerce sites, I recommend installing a reCAPTCHA on the checkout page immediately. This forces the “user” to prove they are human before the payment is even processed. Another effective method is to use a plugin that limits the number of failed checkout attempts from a single IP address. Just today I installed and activated this reCAPTCHA WooCommerce plugin on a site to stop a carding attack.
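A per-IP limit on failed checkout attempts of the kind described above, written as an added example; it is not the plugin named here or any WooCommerce code. It assumes an in-memory store (a stand-in for a shared cache such as a transient or object cache) and that the shop's checkout handler calls `attempt()` before it contacts the payment gateway; the event sequence is constructed.

```python
"""Sliding-window throttle on failed checkout attempts per client address.

Added example, not the plugin mentioned in the article. The in-memory dict
stands in for a shared cache; wiring it into the checkout flow is assumed
to happen elsewhere.
"""
from collections import defaultdict, deque


class FailedCheckoutLimiter:
    def __init__(self, max_failures=5, window_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def _prune(self, ip, now):
        """Drop failures that have aged out of the window; return the live queue."""
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record_failure(self, ip, now):
        self._prune(ip, now).append(now)

    def is_blocked(self, ip, now):
        return len(self._prune(ip, now)) >= self.max_failures

    def attempt(self, ip, now, payment_succeeded):
        """Return True if the attempt was allowed through, False if throttled.

        In a real handler the block check happens first, the gateway call
        second, and the failure is recorded from the gateway's response;
        here the outcome is passed in so the flow can be simulated.
        """
        if self.is_blocked(ip, now):
            return False
        if not payment_succeeded:
            self.record_failure(ip, now)
        return True


def simulate(events, max_failures=5, window_seconds=600):
    """Replay (timestamp, ip, succeeded) events and return the allow/deny decisions."""
    limiter = FailedCheckoutLimiter(max_failures, window_seconds)
    return [limiter.attempt(ip, t, ok) for (t, ip, ok) in events]


# Constructed: one address hammers the checkout with declined cards while a
# shopper elsewhere is unaffected; after the window slides the address is allowed again.
EVENTS = [
    (0, "203.0.113.10", False), (1, "203.0.113.10", False), (2, "203.0.113.10", False),
    (3, "203.0.113.10", False), (4, "203.0.113.10", False),
    (5, "203.0.113.10", False),    # sixth attempt inside the window: throttled
    (6, "198.51.100.7", True),     # legitimate shopper from another address
    (700, "203.0.113.10", False),  # earlier failures have aged out: allowed
]

if __name__ == "__main__":
    for (t, ip, ok), allowed in zip(EVENTS, simulate(EVENTS)):
        print("t=%3d %-14s %s" % (t, ip, "allowed" if allowed else "throttled"))
```

Two practical points: run the check before the gateway call, so a throttled attempt never reaches the processor and never incurs a per-transaction fee; and key on the real client address that your CDN or proxy forwards, not the proxy's own address, or every customer ends up sharing one bucket.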
You should also check your payment gateway settings. Services like Stripe and Authorize.net have built-in fraud protection tools. Make sure you have “Radar” or similar fraud filters turned on. These tools can automatically block transactions that look suspicious, such as those with mismatched zip codes or those originating from known malicious IPs.
Protecting Your Gravity Forms
Gravity Forms is a powerful tool for order forms, but its simplicity makes it a prime target for carders. If you have a credit card field on a form, you must protect it.
The most effective move here is to enable the Cloudflare Turnstile or Google reCAPTCHA v3 integration within the form settings. This runs in the background and identifies bot behavior without making your real customers click on pictures of traffic lights.
Prevention is Better Than a Cure
The best time to deal with a carding attack is before it starts. If you are running a shop or taking payments, you should always have some level of bot protection active. Whether it is a security plugin like Wordfence, a firewall like Cloudflare, or just strict fraud rules in your payment gateway, being proactive will save you from a mountain of refund fees and a lot of stress.
Amy Masson
Amy is the co-owner, developer, and website strategist for Sumy Designs. She's been making websites with WordPress since 2006 and is passionate about making sure websites are as functional as they are beautiful.