What Is Carding? (Examples and How To Protect Yourself)

Share this:

Ryan Toohil

CTO at Aura

In this article:

    Identity theft and fraud protection for your finances, personal info, and devices.

    See pricing
    Share this:

    What Is Carding?

    E-commerce is booming. But the convenience of online shopping isn’t just good news for shoppers — it’s also a boon for a special type of fraud called carding.  

    Carding is when criminals steal your credit card and use it to buy prepaid gift cards. It’s a somewhat simple scam with serious consequences. 

    According to the Federal Trade Commission (FTC), consumers lost $627 million to fraud in the last few years. And online shopping was the third most reported type of fraud

    As we spend more time and money online, the threat of carding only increases.

    So how does carding actually work? How do criminals get your credit card details? And how can you protect yourself from this type of identity theft? 

    How Does Carding Work? Is It Dangerous?

    Carding is a type of credit card fraud in which a criminal steals or fraudulently uses credit card details to buy prepaid gift cards. 

    After they get your details, criminals test the validity of your card by attempting small purchases across the web. If those work, the scammer uses your details to buy gift cards from places like Amazon or Walmart. 

    The whole process can take just minutes, which means a scammer can take off with stolen funds before you even realize what’s happened.

    Unlike other forms of credit card fraud, gift and prepaid cards can’t be traced. So once the scammer has completed the purchase, they’re free to use the gift cards to buy items or sell for cash.

    Out of 2.1 million FTC fraud reports in 2020, credit cards were the most common payment method used. But while in-store purchases require signatures or PINs, scammers can use credit card details for online shopping

    How Do Criminals Steal Your Credit Card Numbers?

    Criminals who engage in carding — commonly known as "carders" — use various methods to obtain stolen credit card numbers. But the easiest scam is to simply buy your card details on the Dark Web.

    Due to the vast number of data breaches in the past few years, sensitive and financial information is easily available to hackers online. 

    For example, details for a credit card with a balance of up to $1,000 cost just $150 on the Dark Web. You can check to see what personal details of yours are available to hackers using Aura’s Identity Guard Dark Web Scanner.

    Aura identity guard dark web scanner

    Even if your credit card details aren’t available online, carders have developed clever methods for getting them.

    The Top 5 Most Common Carding Attacks

    1. Phishing by impersonating a bank representative
    2. Buying your details on carding forums
    3. Tricking your into installing malware
    4. Using credit card skimming or shimming devices
    5. Hacking a website’s payment system

    1. Phishing by impersonating a relative or bank representative 

    If you’ve ever gotten a strange text or email claiming to be from your bank, you’ve most likely been the victim of a phishing attack. 

    Smishing scam pretending to be from Bank of America

    Phishing attacks are when “carders” try to scam you online by sending messages under false pretenses to try and get your information. Carders will use almost any medium for phishing, including:

    Whatever the channel, the game plan is the same. 

    The carder impersonates a person you trust, like a relative or an official body such as your bank or lawyer. Under this guise, they pressure you into either sharing personal information or clicking on a link.

    For example, carders might pretend to be an e-commerce store contacting you with a fake cart abandonment email. 

    Scammers insist they need payment to complete your purchase. Once the thieves obtain your personal details, they can use them for carding and other purposes.

    Related: The 10 Worst Walmart Scams & Fraudulent Schemes of 2022

    2. Buying your details on carding forums

    Carding forums are illegal sites where criminals buy and sell stolen financial details. Forums include information such as credit card numbers and passwords for PayPal or Stripe accounts.

    These forums also provide criminals with advice on credit card cracking and testing. Criminals access these forums via the Dark Web, a part of the internet that is not accessible via normal search engines and web browsers.

    These underground marketplaces promoting carding activity are a growing risk to consumers. In August 2021, D3 Lab analysts discovered one carding forum with over 1 million credit card numbers for sale.

    3. Tricking you into installing malware that steals your info 

    A malware attack is when hackers trick you into clicking a link that installs malicious software on your phone, tablet, or computer. Malware runs in the background and monitors your activity without you even knowing. 

    This carding activity lets thieves search for specific information on your devices, such as credit and debit card numbers. Even more sinister are keyword stroke programs which record everything you type on your device. 

    Elderly family members and children are especially prone to falling prey here. Carders may gain enough personal information to commit serious family identity theft

    4. Credit card skimming and shimming

    Credit card skimming is a financial crime in which thieves attach a small, difficult-to-spot device to real credit card readers. Whenever you swipe or insert your card, the device steals your credit card numbers.  

    Some carding machines even send the data to the criminal's device using Bluetooth or Wi-Fi in real-time.

    In November 2021, police arrested a Las Vegas couple after linking them to credit card skimmers on gas station pumps in Southern Utah.

    5. Hacking a website's payment system

    Some thieves use cyber attacks to hack into an online store's shopping cart and gain possession of the list of credit numbers used in recent checkouts. 

    It's surprisingly easy for cybercriminals to exploit loops in e-commerce checkouts. Especially if the merchants haven't updated their software.

    An infamous example of this type of data breach was performed by an illegal carding syndicate called XE Group. Remarkably, they remained under the radar as they stole thousands of credit card numbers a day for eight years straight.

    Think Your Credit Card Was Stolen? Check the Warning Signs

    Carding scams are becoming more commonplace. It’s important that you stay diligent in protecting yourself against credit card and identity fraud. 

    The best place to start is by recognizing the red flags that you’ve been a victim of carding. 

    There are some tell-tale signs that a criminal is attempting to or has already obtained your financial information, such as:

    • Incoming messages or calls from unknown sources. Be wary if someone you don’t recognize requests your private information. Don’t click links, download files, or respond to their message. If it’s a phone call, hang up and contact your bank through official channels.
    • Unprofessional website errors. Financial institutions have well-polished websites. Be on guard if you notice any design flaws, misspellings, clunky navigation, or links that lead to nowhere.
    • Odd device behavior. Sudden changes in your computer or phone's behavior are major red flags. Be suspicious if your device is noticeably slower, hotter, or louder. Additionally, strange new icons or animations can indicate the presence of malware.
    • Mystery transactions. Review your credit card report at least monthly. If you see any unusual or unauthorized transactions, your credit card details may be in the hands of a carder.
    Aura credit and fraud monitoring
    [Image Source: Aura Credit Monitoring]
    • Balance alerts. Your credit card company may issue alerts once your balance reaches a certain threshold. If you have not made any large purchases recently but your balance changes significantly, it could be carding.
    • New credit cards or loans. Review your credit report from the three large credit unions (Experian, TransUnion, and Equifax). If new loans or credit cards have been opened in your name, someone has likely stolen your credit card information. 

    It's essential to keep an eye out for the warning signs above. However, there are some more proactive strategies to help reduce the chances of carding theft.

    3 Easy Steps To Protect Yourself Against Carding

    Prevention is the best form of protection when it comes to carding and identity theft. To keep your account details safe, follow these steps:

    1. Save your bank’s official contact information 

    Save your banker's email address and whitelist it with your email provider. This allows you to quickly verify their identity when receiving official communications.

    Also, double check the details of anyone contacting you. Carders will often mask their “From” email or IP address to look legitimate. Hover over or click on their name to see the actual email address.

    2. Use antivirus and phishing protection software 

    Fraudsters who want to gain access to your device for carding might trick you into downloading malicious programs. Some of these malware attacks are sophisticated and require a high-quality antivirus program to remove them.

    Aura VPN and Wi-Fi protection
    [Image source: Aura Antivirus with VPN]

    Aura’s device and Wi-Fi protection blocks malicious and phishing sites. So even if you accidentally click on one, you’ll be safe.

    3. Keep your software and device OS updated 

    While antivirus software is essential, updating your software can prevent malware in the first place. Make sure to complete software updates as soon as possible. 

    How To Report a Carding Fraud

    If you believe you are a carding victim, you should immediately report it to appropriate authorities:

    • Federal Government: Go to the FTC's website, IdentityTheft.gov, and create a report. Federal law enforcement agencies can use your report during their investigation of your case.
    • Local Law Enforcement: Report your stolen wallet or credit card to local police. They may be able to locate the thief and recover other stolen belongings.
    • Financial Institution: File a report with your credit card company so they can issue a chargeback. As long as you make this report quickly, you will only be liable for a maximum of $50, thanks to the Fair Credit Billing Act (FCBA).

    If a fraudster has access to your credit card number, they might have other sensitive information as well. Look for other signs of identity theft, such as unfamiliar medical bills (i.e., medical identity fraud), missing tax returns, or suspicious log-in attempts. 

    If you think you’ve been the victim of identity theft, you should change your passwords and consider an identity theft protection service. 

    Are E-Commerce Sites Still Safe To Use?

    Does the risk of carding mean you shouldn’t shop online anymore? 

    The epidemic of carding fraud has led e-commerce websites to tighten cybersecurity practices. Here are a few of the security measures that e-commerce sites now use:

    Authorization

    Authorization is when a merchant delays their collection of funds while they verify your card. 

    For example, a gas station typically authorizes a small denomination first before charging the total amount a few days later. 

    If the merchants detect signs of fraud, they won’t request the total funds from your financial institution — issuing you a refund instead. 

    CAPTCHA

    A CAPTCHA is a type of security test that uses a challenge-response framework. In simpler terms, it's a test to see whether you're a human or an AI bot built by scammers.

    For example, a common CAPTCHA test shows a collection of different images that look relatively similar. The user must click on only the images showing motorcycles.

    It's an easy test for a human. But it is much harder for a scammer's bots.

    Address Verification System (AVS)

    AVS is a fraud protection method for transactions where your card is not physically present, such as in online or phone purchases.

    The AVS verifies that the billing address you provided matches the one in the card issuer's system. If the addresses do not match, the system will decline the transaction.

    Unfortunately, some fraudsters have found a way around AVS by using a change-of-address scam.

    Card Verification Value (CVV)

    The CVV is a three or four-digit number, typically found on the signature strip on the back of your credit card. When shopping online, cardholders must provide this code to verify they have physical possession of the card.

    This security measure helps prevent carders from simply purchasing your credit card number from the Dark Web and using it online.

    Multi-Factor Authentication (MFA)

    MFA is an additional security step required when logging into accounts. Beyond your username and password, a merchant might send a text message with a unique code that you have to enter before you can use your credit card. 

    Velocity checks

    Velocity refers to the number of transactions made on a card within a particular time period. Merchants often employ velocity checks to prevent credit card fraud. If the merchant detects abnormal purchasing patterns, they can decline the transaction. 

    Payer authentication systems

    Payer authentication systems, such as Verified by Visa, involve the online retailer contacting the cardholder to verify the transaction.

    Your card provider can also compare your transaction with your purchase history. For example, they can check to see if you're using the same device or shopping at a usual store. Merchants can use these security features to automate the approval or rejection of purchases.

    The Bottom Line: Keep Your Credit Cards Safe From Scammers

    There are more threats to your finances and identity than ever before. 

    But despite the growing threat, it’s hard for law enforcement to track down carders, let alone retrieve stolen funds. 

    Aura’s all-in-one digital security solution protects your sensitive information — such as credit card numbers and account details — so you can shop safely. 

    We’ll alert you of any suspicious activity, block phishing sites, and let you know if any of your accounts have been compromised. And if the worst happens, Aura covers up to $1 million in eligible losses due to identity theft. 

    Ready for ironclad identity theft protection? Try Aura 14-Days Free!

    Related Articles

    fraud prevention tips
    Fraud

    45 Fraud Prevention Tips: How To Avoid Scammers in 2022

    How many of these fraud prevention tips are you aware of? Start 2022 off right by learning how to safeguard your data, devices, and family today.

    Read More
    April 22, 2022
    Aura
    Identity Theft

    Can Someone Steal Your Identity With Your ID? Yes. Here's How.

    Can someone steal your identity if they have your ID? Unfortunately, yes. Learn how to prevent identity theft if your ID gets lost or stolen.

    Read More
    April 8, 2022

    Try Aura—14 Days Free

    Start your free trial today**

    This is some text inside of a div block.

    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

    1. Financial identity theft and fraud
    2. Medical identity theft
    3. Child identity theft
    4. Elder fraud and estate identity theft
    5. “Friendly” or familial identity theft
    6. Employment identity theft
    7. Criminal identity theft
    8. Tax identity theft
    9. Unemployment and government benefits identity theft
    10. Synthetic identity theft
    11. Identity cloning
    12. Account takeovers (social media, email, etc.)
    13. Social Security number identity theft
    14. Biometric ID theft
    15. Crypto account takeovers