What Is Carding?
E-commerce is booming. But the convenience of online shopping isn’t just good news for shoppers — it’s also a boon for a special type of fraud called carding.
Carding is when criminals steal your credit card and use it to buy prepaid gift cards. It’s a somewhat simple scam with serious consequences.
As we spend more time and money online, the threat of carding only increases.
So how does carding actually work? How do criminals get your credit card details? And how can you protect yourself from this type of identity theft?
How Does Carding Work?
Carding is a type of credit card scam in which a criminal steals or fraudulently uses credit card details to buy prepaid gift cards.
After they get your details, criminals test the validity of your card by attempting small purchases across the web. If those work, the scammer uses your details to buy gift cards from places like Amazon or Walmart.
The whole process can take just minutes, which means a scammer can take off with stolen funds before you even realize what’s happened.
Unlike other forms of credit card fraud, gift and prepaid cards can’t be traced. So once the scammer has completed the purchase, they’re free to use the gift cards to buy items or sell for cash.
Out of 2.1 million FTC fraud reports in 2020, credit cards were the most common payment method used. But while in-store purchases require signatures or PINs, scammers can use credit card details for online shopping.
How Do Criminals Steal Your Credit Card Numbers?
Criminals who engage in carding — commonly known as "carders" — use various methods to obtain stolen credit card numbers. But the easiest scam is to simply buy your card details on the Dark Web.
Due to the vast number of data breaches in the past few years, sensitive and financial information is easily available to hackers online. Even if your credit card details aren’t available online, carders have developed clever methods for getting them.
The Top 5 Most Common Carding Attacks
- Phishing by impersonating a bank representative
- Buying your details on carding forums
- Tricking you into installing malware
- Using credit card skimming or shimming devices
- Hacking a website’s payment system
1. Phishing by impersonating a relative or bank representative
If you’ve ever gotten a strange text or email claiming to be from your bank, you’ve most likely been the victim of a phishing attack.
Phishing attacks are when “carders” try to scam you online by sending messages under false pretenses to try and get your information. Carders will use almost any medium for phishing, including:
Whatever the channel, the game plan is the same.
The carder impersonates a person you trust, like a relative or an official body such as your bank or lawyer. Under this guise, they pressure you into either sharing personal information or clicking on a link.
For example, carders might pretend to be an e-commerce store contacting you with a fake cart abandonment email.
Scammers insist they need payment to complete your purchase. Once the thieves obtain your personal details, they can use them for carding and other purposes.
2. Buying your details on carding forums
Carding forums are illegal sites where criminals buy and sell stolen financial details. Forums include information such as credit card numbers and passwords for PayPal or Stripe accounts.
These forums also provide criminals with advice on credit card cracking and testing. Criminals access these forums via the Dark Web, a part of the internet that is not accessible via normal search engines and web browsers.
These underground marketplaces promoting carding activity are a growing risk to consumers. In August 2021, D3 Lab analysts discovered one carding forum with over 1 million credit card numbers for sale.
3. Tricking you into installing malware that steals your info
A malware attack is when hackers trick you into clicking a link that installs malicious software on your phone, tablet, or computer. Malware runs in the background and monitors your activity without you even knowing.
This carding activity lets thieves search for specific information on your devices, such as credit and debit card numbers. Even more sinister are keystroke-logging programs (keyloggers), which record everything you type on your device.
Elderly family members and children are especially prone to falling prey here. Carders may gain enough personal information to commit serious family identity theft.
4. Credit card skimming and shimming
Credit card skimming is a financial crime in which thieves attach a small, difficult-to-spot device to real credit card readers. Whenever you swipe or insert your card, the device steals your credit card numbers.
Some carding machines even send the data to the criminal's device using Bluetooth or Wi-Fi in real-time.
In November 2021, police arrested a Las Vegas couple after linking them to credit card skimmers on gas station pumps in Southern Utah.
5. Hacking a website's payment system
Some thieves use cyber attacks to hack into an online store's shopping cart and gain possession of the list of credit numbers used in recent checkouts.
It's surprisingly easy for cybercriminals to exploit loopholes in e-commerce checkouts, especially if the merchants haven't updated their software.
An infamous example of this type of data breach was performed by an illegal carding syndicate called XE Group. Remarkably, they remained under the radar as they stole thousands of credit card numbers a day for eight years straight.
Think Your Credit Card Was Stolen? Check the Warning Signs
Carding scams are becoming more commonplace. It’s important that you stay diligent in protecting yourself against credit card and identity fraud.
The best place to start is by recognizing the red flags that you’ve been a victim of carding.
There are some tell-tale signs that a criminal is attempting to or has already obtained your financial information, such as:
- Incoming messages or calls from unknown sources. Be wary if someone you don’t recognize requests your private information. Don’t click links, download files, or respond to their message. If it’s a phone call, hang up and contact your bank through official channels.
- Unprofessional website errors. Financial institutions have well-polished websites. Be on guard if you notice any design flaws, misspellings, clunky navigation, or links that lead to nowhere.
- Odd device behavior. Sudden changes in your computer or phone's behavior are major red flags. Be suspicious if your device is noticeably slower, hotter, or louder. Additionally, strange new icons or animations can indicate the presence of malware.
- Mystery transactions. Review your credit card report at least monthly. If you see any unusual or unauthorized transactions, your credit card details may be in the hands of a carder.
- Balance alerts. Your credit card company may issue alerts once your balance reaches a certain threshold. If you have not made any large purchases recently but your balance changes significantly, it could be carding.
- New credit cards or loans. Review your credit report from the three major credit bureaus (Experian, TransUnion, and Equifax). If new loans or credit cards have been opened in your name, someone has likely stolen your credit card information.
It's essential to keep an eye out for the warning signs above. However, there are some more proactive strategies to help reduce the chances of carding theft.
5 Easy Steps To Protect Yourself Against Carding
Prevention is the best form of protection when it comes to carding and identity theft. To keep your account details safe, follow these steps:
1. Save your bank’s official contact information
Save your banker's email address and whitelist it with your email provider. This allows you to quickly verify their identity when receiving official communications.
Also, double check the details of anyone contacting you. Carders will often mask their “From” email or IP address to look legitimate. Hover over or click on their name to see the actual email address.
2. Regularly check your credit report and bank statements
Scammers are almost always after your financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts you don’t recognize. An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.
3. Use antivirus and phishing protection software
Fraudsters who want to gain access to your device for carding might trick you into downloading malicious programs. Some of these malware attacks are sophisticated and require a high-quality antivirus program to remove them.
Aura’s device and Wi-Fi protection blocks malicious and phishing sites. So even if you accidentally click on one, you’ll be safe.
4. Keep your software and device OS updated
While antivirus software is essential, updating your software can prevent malware in the first place. Make sure to complete software updates as soon as possible.
5. Consider signing up for identity theft protection
Aura’s top-rated identity theft protection monitors all of your most sensitive personal information, online accounts, and finances for signs of fraud. If a scammer tries to access your accounts or finances, Aura can help you take action before it’s too late. Try Aura’s 14-day free trial for immediate protection while you’re most vulnerable.
How To Report a Carding Fraud
If you believe you are a carding victim, you should immediately report it to appropriate authorities:
- Federal Government: Go to the FTC's website, IdentityTheft.gov, and create a report. Federal law enforcement agencies can use your report during their investigation of your case.
- Local Law Enforcement: Report your stolen wallet or credit card to local police. They may be able to locate the thief and recover other stolen belongings.
- Financial Institution: File a report with your credit card company so they can issue a chargeback. As long as you make this report quickly, you will only be liable for a maximum of $50, thanks to the Fair Credit Billing Act (FCBA).
If a fraudster has access to your credit card number, they might have other sensitive information as well. Look for other signs of identity theft, such as unfamiliar medical bills (i.e., medical identity fraud), missing tax returns, or suspicious log-in attempts.
If you think you’ve been the victim of identity theft, you should change your passwords and consider an identity theft protection service.
Are E-Commerce Sites Still Safe To Use?
Does the risk of carding mean you shouldn’t shop online anymore?
The epidemic of carding fraud has led e-commerce websites to tighten cybersecurity practices. Here are a few of the security measures that e-commerce sites now use:
Authorization
Authorization is when a merchant delays their collection of funds while they verify your card.
For example, a gas station typically authorizes a small denomination first before charging the total amount a few days later.
If the merchants detect signs of fraud, they won’t request the total funds from your financial institution — issuing you a refund instead.
CAPTCHA
A CAPTCHA is a type of security test that uses a challenge-response framework. In simpler terms, it's a test to see whether you're a human or an AI bot built by scammers.
For example, a common CAPTCHA test shows a collection of different images that look relatively similar. The user must click on only the images showing motorcycles.
It's an easy test for a human. But it is much harder for a scammer's bots.
Address Verification System (AVS)
AVS is a fraud protection method for transactions where your card is not physically present, such as in online or phone purchases.
The AVS verifies that the billing address you provided matches the one in the card issuer's system. If the addresses do not match, the system will decline the transaction.
Unfortunately, some fraudsters have found a way around AVS by using a change-of-address scam.
Card Verification Value (CVV)
The CVV is a three- or four-digit number, typically found on the signature strip on the back of your credit card. When shopping online, cardholders must provide this code to verify they have physical possession of the card.
This security measure helps prevent carders from simply purchasing your credit card number from the Dark Web and using it online.
Multi-Factor Authentication (MFA)
MFA is an additional security step required when logging into accounts. Beyond your username and password, a merchant might send a text message with a unique code that you have to enter before you can use your credit card.
Velocity checks
Velocity refers to the number of transactions made on a card within a particular time period. Merchants often employ velocity checks to prevent credit card fraud. If the merchant detects abnormal purchasing patterns, they can decline the transaction.
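A merchant-side velocity check can be sketched as a sliding window over recent authorization attempts. The following is an added example, not code from this article or from any payment provider; the thresholds, field names, card tokens, and IP addresses are assumptions constructed for illustration. It counts attempts per card and distinct cards per client IP, which is the pattern produced when stolen cards are tested with small purchases.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; real merchants tune their own.
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_CARD = 3   # authorization attempts per card per window
MAX_CARDS_PER_SOURCE = 3    # distinct cards per client IP per window

def velocity_check(transactions):
    """Return (id, decision, reason) for each time-ordered attempt.
    Each attempt is a dict: id, time, card (a token, not the raw number), ip."""
    by_card = defaultdict(deque)  # card token -> recent attempt times
    by_ip = defaultdict(deque)    # client IP -> recent (time, card) pairs
    results = []
    for t in transactions:
        now, card_q, ip_q = t["time"], by_card[t["card"]], by_ip[t["ip"]]
        # Slide the window: drop attempts older than WINDOW.
        while card_q and now - card_q[0] > WINDOW:
            card_q.popleft()
        while ip_q and now - ip_q[0][0] > WINDOW:
            ip_q.popleft()
        # Declined attempts still count, so retries cannot reset the counter.
        card_q.append(now)
        ip_q.append((now, t["card"]))
        if len(card_q) > MAX_ATTEMPTS_PER_CARD:
            results.append((t["id"], "decline", "too many attempts on one card"))
        elif len({c for _, c in ip_q}) > MAX_CARDS_PER_SOURCE:
            results.append((t["id"], "decline", "too many cards from one source"))
        else:
            results.append((t["id"], "approve", ""))
    return results

# Constructed sample data: (id, seconds after start, card token, client IP).
START = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    (1, 0, "tok_A", "198.51.100.7"), (2, 60, "tok_B", "203.0.113.9"),
    (3, 90, "tok_C", "203.0.113.9"), (4, 120, "tok_D", "203.0.113.9"),
    (5, 150, "tok_E", "203.0.113.9"), (6, 200, "tok_A", "198.51.100.7"),
    (7, 230, "tok_A", "198.51.100.7"), (8, 260, "tok_A", "198.51.100.7"),
    (9, 2000, "tok_A", "198.51.100.7"),
]

def run_sample():
    txns = [{"id": i, "time": START + timedelta(seconds=s), "card": c, "ip": ip}
            for i, s, c, ip in SAMPLE]
    return velocity_check(txns)

if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

In the sample, the fifth attempt is declined because one source has tried four different cards, and the eighth is declined because one card has been tried four times in ten minutes; the ninth is approved once the window has passed.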
Payer authentication systems
Payer authentication systems, such as Verified by Visa, involve the online retailer contacting the cardholder to verify the transaction.
Your card provider can also compare your transaction with your purchase history. For example, they can check to see if you're using the same device or shopping at a usual store. Merchants can use these security features to automate the approval or rejection of purchases.
The Bottom Line: Keep Your Credit Cards Safe From Scammers
There are more threats to your finances and identity than ever before.
But despite the growing threat, it’s hard for law enforcement to track down carders, let alone retrieve stolen funds.
Aura’s all-in-one digital security solution protects your sensitive information — such as credit card numbers and account details — so you can shop safely.
We’ll alert you of any suspicious activity, block phishing sites, and let you know if any of your accounts have been compromised. And if the worst happens, Aura covers up to $1 million in eligible losses due to identity theft.