What is a Carding Bot?

A carding bot is an automated script that nefarious organizations use to test the validity of stolen card data.  Also known as carding fraud, card stuffing, credit card stuffing, and card verification, cyber-criminals run thousands of small purchases by using stolen credit card numbers, then later resell the “successful” cards to organized crime rings. This type of attack can lead to poor merchant history, chargeback penalties, and other problems for online merchants, including charities.

I've Been Hit! Now What?

If you've noticed a spike in fraudulent contributions or donations, there are two things you should do immediately:

  1. Try to stop the carding attack.

  2. Refund or void all authorizations that have come through because of the card bot.

Stopping and Preventing a Carding Attack

There are two ways you can use Givecloud to mitigate against card blocking attacks. First, you can use 🔒 Checkout Security Measures (read below) to make payments and donations a bit tougher for bots, as well as humans.  Or, you can use our 📈 Authorization Rate Monitoring (read below) to automatically increase your Checkout Security Measures when it detects a possible attack.

🔒 Checkout Security Measures

There are four security measures you can manage:

  • Require CAPTCHA

  • Require Billing Country to Match IP Country

  • Minimum Checkout Value

  • Stop Accepting Payments


A CAPTCHA is a method used to distinguish humans from machines.  Givecloud uses Google's reCAPTCHA method.  It works by requiring the user to check a box. Then, depending on a variety of factors determined by Google, a second step may be required to force the user to prove they are human.

This method is an effective deterrent - thwarting most carding bot attacks. However, one drawback is that it can be a bit cumbersome for your supporters to have to complete every time they want to pay or give.  For this reason, you can manage how the CAPTCHA technology behaves.  For example, you could require that every supporter must complete the CAPTCHA.  Alternatively, you could only require the CAPTCHA if the user has one failed payment attempt or more.

Require Billing Country to Match IP Country

This can be an effective tool in thwarting a card bot.  Typically, card bots run from outside North America but are testing cards with billing addresses in North America. By forcing the billing country to match the IP country, you stop someone from charging a North American card from a computer using an IP in a non-North American country (for example).  However, use this carefully as there are plenty of legitimate reasons why someone may give to your organization or shop on your site from outside their home country.

Minimum Payment Amount

Carding bots typically charge a nominal amount to each card that is being tested as not to raise any flags ($1 or $2, typically).  You can prevent this by requiring all payments to be larger than a given Minimum Payment Amount. The default (and recommended) setting for the Minimum Payment Amount on every Givecloud account is $5.

Note: Your payment gateway may have its own Minimum Payment Amount setting. Be sure the setting in Givecloud and the setting in your payment gateway do not conflict.

Stop Accepting Payments

This setting completely shuts down payment processing for your entire Givecloud account.  This does not affect automated recurring payments or the Point of Sale.  If all else fails, this is an extreme brute force fallback.

How to manage Checkout Security Measures

  1. Go to Settings > Security.

  2. Scroll to the Checkout Security Measures.

  3. Follow the on-screen prompts, then hit Save settings.

📈 Authorization Rate Monitoring

You can be smarter about how you mitigate against carding bots using our Authorization Rate Monitoring.  This feature allows you to automatically crank up your security settings when there is a spike in failed authorizations.

The benefits of using our automation are that you can leave your payment forms relatively open and easy to use for most of your fundraising.

The challenge is that the automation will only kick in after a couple of failed authorizations are made - which means the carding bot will have had a couple of minutes (on average) to test cards before your security measures kick in.

Balancing the benefit and challenges is up to you.

When the Authorization Rate Monitoring is tripped, Givecloud will automatically notify your team.  You can also have Givecloud automatically change your security settings to:

  • Always Require CAPTCHA, or

  • Stop All Payments

Setting up Authorization Rate Monitoring

  1. Go to Settings > Security.

  2. Scroll to the Authorization Rate Monitoring panel.

  3. Follow the on-screen instructions and click Save Settings.

Refunding Fraudulent Contributions & Payments

If your carding attack numbers in the hundreds of contributions or donations, contact our live chat, and our team will help you clean up the bulk of failed authorizations.

To manually clean up the fraudulent contributions:

  1. Identify the fraudulent contributions.  They are typically pretty clear and contain obviously bogus emails, addresses and so on.  Givecloud's AVS & CVC Verification should help as well.

  2. Refund each contribution.

  3. Identify spam accounts.  Again, these are typically pretty clear and contain obvious bogus emails, addresses and so on.

  4. Delete each account.

Did this answer your question?