This article is brought to you by Aura.
Watch the video to see how we protect you online.
This article is brought to you by Aura. Watch the video to see how we protect you online.
Start Free Trial
4.7 stars on Trustpilot
Close Button
What is Aura? (1:10)

Carding: The Fraud Technique Destroying Your Credit

Online shopping with your credit card is convenient. But can put you at risk of a type of fraud called carding. Learn how to protect yourself today.

Illustration of someone holding gift cards like a poker hand with a credit card peeking out of their sleeve

Aura’s app keeps you safe from scams, fraud, and identity theft. Try Aura for free.

4.7 stars as of March 2024

In this article:

    In this article:

      See more

      Aura’s digital security app keeps your family safe from scams, fraud, and identity theft.

      See pricing
      Share this:

      What Is Carding?

      E-commerce is booming. But the convenience of online shopping isn’t just good news for shoppers — it’s also a boon for a special type of fraud called carding.  

      Carding is when criminals steal your credit card and use it to buy prepaid gift cards. It’s a somewhat simple scam with serious consequences. 

      According to the Federal Trade Commission (FTC), consumers lost $627 million to fraud in the last few years [*]. And online shopping was the third most reported type of fraud [*]. 

      As we spend more time and money online, the threat of carding only increases.

      So how does carding actually work? How do criminals get your credit card details? And how can you protect yourself from this type of identity theft?


      How Does Carding Work?

      Carding is a type of credit card scam in which a criminal steals or fraudulently uses credit card details to buy prepaid gift cards. 

      After they get your details, criminals test the validity of your card by attempting small purchases across the web. If those work, the scammer uses your details to buy gift cards from places like Amazon or Walmart

      The whole process can take just minutes, which means a scammer can take off with stolen funds before you even realize what’s happened.

      Unlike other forms of credit card fraud, gift and prepaid cards can’t be traced. So once the scammer has completed the purchase, they’re free to use the gift cards to buy items or sell for cash.

      Out of 2.1 million FTC fraud reports in 2020, credit cards were the most common payment method used [*]. But while in-store purchases require signatures or PINs, scammers can use credit card details for online shopping

      Take action: If scammers have access to your credit card details, your bank account, email, and identity could also be at risk. Try Aura’s identity theft protection free for 14 days to secure your identity against scammers.

      How Do Criminals Steal Your Credit Card Numbers?

      Criminals who engage in carding — commonly known as "carders" — use various methods to obtain stolen credit card numbers. But the easiest scam is to simply buy your card details on the Dark Web.

      Due to the vast number of data breaches in the past few years, sensitive and financial information is easily available to hackers online. Even if your credit card details aren’t available online, carders have developed clever methods for getting them.

      The Top 5 Most Common Carding Attacks

      1. Phishing by impersonating a bank representative
      2. Buying your details on carding forums
      3. Tricking your into installing malware
      4. Using credit card skimming or shimming devices
      5. Hacking a website’s payment system

      1. Phishing by impersonating a relative or bank representative 

      If you’ve ever gotten a strange text or email claiming to be from your bank, you’ve most likely been the victim of a phishing attack.

      Phishing attacks are when “carders” try to scam you online by sending messages under false pretenses to try and get your information. Carders will use almost any medium for phishing, including:

      Whatever the channel, the game plan is the same. 

      The carder impersonates a person you trust, like a relative or an official body such as your bank or lawyer. Under this guise, they pressure you into either sharing personal information or clicking on a link.

      For example, carders might pretend to be an e-commerce store contacting you with a fake cart abandonment email. 

      Scammers insist they need payment to complete your purchase. Once the thieves obtain your personal details, they can use them for carding and other purposes.

      💡 Related: Bank of America Customer? Beware of These 7 Scams

      2. Buying your details on carding forums

      Carding forums are illegal sites where criminals buy and sell stolen financial details. Forums include information such as credit card numbers and passwords for PayPal or Stripe accounts.

      These forums also provide criminals with advice on credit card cracking and testing. Criminals access these forums via the Dark Web, a part of the internet that is not accessible via normal search engines and web browsers.

      These underground marketplaces promoting carding activity are a growing risk to consumers. In August 2021, D3 Lab analysts discovered one carding forum with over 1 million credit card numbers for sale [*].

      💡 Related: Scammed on PayPal? Here's What To Do

      3. Tricking you into installing malware that steals your info 

      A malware attack is when hackers trick you into clicking a link that installs malicious software on your phone, tablet, or computer. Malware runs in the background and monitors your activity without you even knowing. 

      This carding activity lets thieves search for specific information on your devices, such as credit and debit card numbers. Even more sinister are keyword stroke programs which record everything you type on your device. 

      Elderly family members and children are especially prone to falling prey here. Carders may gain enough personal information to commit serious family identity theft

      Take action: If you accidentally give scammers your personal data (or its leaked in a data breach), they could take out loans in your name or empty your bank account. Try an identity theft protection service to monitor your finances and alert you to fraud.

      4. Credit card skimming and shimming

      Credit card skimming is a financial crime in which thieves attach a small, difficult-to-spot device to real credit card readers. Whenever you swipe or insert your card, the device steals your credit card numbers.  

      Some carding machines even send the data to the criminal's device using Bluetooth or Wi-Fi in real-time.

      In November 2021, police arrested a Las Vegas couple after linking them to credit card skimmers on gas station pumps in Southern Utah [*].

      💡 Related: Lost Credit Card? Do This ASAP

      5. Hacking a website's payment system

      Some thieves use cyber attacks to hack into an online store's shopping cart and gain possession of the list of credit numbers used in recent checkouts. 

      It's surprisingly easy for cybercriminals to exploit loops in e-commerce checkouts. Especially if the merchants haven't updated their software.

      An infamous example of this type of data breach was performed by an illegal carding syndicate called XE Group. Remarkably, they remained under the radar as they stole thousands of credit card numbers a day for eight years straight.

      💡 Related: 10 Amazon Gift Card Scams You Need to Avoid

      Think Your Credit Card Was Stolen? Check the Warning Signs

      Carding scams are becoming more commonplace. It’s important that you stay diligent in protecting yourself against credit card and identity fraud. 

      The best place to start is by recognizing the red flags that you’ve been a victim of carding. 

      There are some tell-tale signs that a criminal is attempting to or has already obtained your financial information, such as:

      • Incoming messages or calls from unknown sources. Be wary if someone you don’t recognize requests your private information. Don’t click links, download files, or respond to their message. If it’s a phone call, hang up and contact your bank through official channels.
      • Unprofessional website errors. Financial institutions have well-polished websites. Be on guard if you notice any design flaws, misspellings, clunky navigation, or links that lead to nowhere.
      • Odd device behavior. Sudden changes in your computer or phone's behavior are major red flags. Be suspicious if your device is noticeably slower, hotter, or louder. Additionally, strange new icons or animations can indicate the presence of malware.
      • Mystery transactions. Review your credit card report at least monthly. If you see any unusual or unauthorized transactions, your credit card details may be in the hands of a carder.
      • Balance alerts. Your credit card company may issue alerts once your balance reaches a certain threshold. If you have not made any large purchases recently but your balance changes significantly, it could be carding.
      • New credit cards or loans. Review your credit report from the three large credit unions (Experian, TransUnion, and Equifax). If new loans or credit cards have been opened in your name, someone has likely stolen your credit card information. 

      It's essential to keep an eye out for the warning signs above. However, there are some more proactive strategies to help reduce the chances of carding theft.

      5 Easy Steps To Protect Yourself Against Carding

      Prevention is the best form of protection when it comes to carding and identity theft. To keep your account details safe, follow these steps:

      1. Save your bank’s official contact information 

      Save your banker's email address and whitelist it with your email provider. This allows you to quickly verify their identity when receiving official communications.

      Also, double check the details of anyone contacting you. Carders will often mask their “From” email or IP address to look legitimate. Hover over or click on their name to see the actual email address.

      2. Regularly check your credit report and bank statements

      Scammers are almost always after your financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts you don’t recognize.

      An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.

      3. Use antivirus and phishing protection software 

      Fraudsters who want to gain access to your device for carding might trick you into downloading malicious programs. Some of these malware attacks are sophisticated and require a high-quality antivirus program to remove them.

      Aura’s device and Wi-Fi protection blocks malicious and phishing sites. So even if you accidentally click on one, you’ll be safe.

      4. Keep your software and device OS updated 

      While antivirus software is essential, updating your software can prevent malware in the first place. Make sure to complete software updates as soon as possible. 

      5. Consider signing up for identity theft protection

      Aura’s top-rated identity theft protection monitors all of your most sensitive personal information, online accounts, and finances for signs of fraud. If a scammer tries to access your accounts or finances, Aura can help you take action before it’s too late. Try Aura’s 14-day free trial for immediate protection while you’re most vulnerable.

      How To Report a Carding Fraud

      If you believe you are a carding victim, you should immediately report it to appropriate authorities:

      • Federal Government: Go to the FTC's website,, and create a report. Federal law enforcement agencies can use your report during their investigation of your case.
      • Local Law Enforcement: Report your stolen wallet or credit card to local police. They may be able to locate the thief and recover other stolen belongings.
      • Financial Institution: File a report with your credit card company so they can issue a chargeback. As long as you make this report quickly, you will only be liable for a maximum of $50, thanks to the Fair Credit Billing Act (FCBA).

      If a fraudster has access to your credit card number, they might have other sensitive information as well. Look for other signs of identity theft, such as unfamiliar medical bills (i.e., medical identity fraud), missing tax returns, or suspicious log-in attempts. 

      If you think you’ve been the victim of identity theft, you should change your passwords and consider an identity theft protection service. 

      Take action: Protect yourself from the risks of identity theft and fraud with Aura’s $1,000,000 in identity theft insurance. Try Aura free for 14 days to see if it’s right for you.

      Are E-Commerce Sites Still Safe To Use?

      Does the risk of carding mean you shouldn’t shop online anymore? 

      The epidemic of carding fraud has led e-commerce websites to tighten cybersecurity practices. Here are a few of the security measures that e-commerce sites now use:


      Authorization is when a merchant delays their collection of funds while they verify your card. 

      For example, a gas station typically authorizes a small denomination first before charging the total amount a few days later. 

      If the merchants detect signs of fraud, they won’t request the total funds from your financial institution — issuing you a refund instead. 


      A CAPTCHA is a type of security test that uses a challenge-response framework. In simpler terms, it's a test to see whether you're a human or an AI bot built by scammers.

      For example, a common CAPTCHA test shows a collection of different images that look relatively similar. The user must click on only the images showing motorcycles.

      It's an easy test for a human. But it is much harder for a scammer's bots.

      Address Verification System (AVS)

      AVS is a fraud protection method for transactions where your card is not physically present, such as in online or phone purchases.

      The AVS verifies that the billing address you provided matches the one in the card issuer's system. If the addresses do not match, the system will decline the transaction.

      Unfortunately, some fraudsters have found a way around AVS by using a change-of-address scam.

      Card Verification Value (CVV)

      The CVV is a three or four-digit number, typically found on the signature strip on the back of your credit card. When shopping online, cardholders must provide this code to verify they have physical possession of the card.

      This security measure helps prevent carders from simply purchasing your credit card number from the Dark Web and using it online.

      Multi-Factor Authentication (MFA)

      MFA is an additional security step required when logging into accounts. Beyond your username and password, a merchant might send a text message with a unique code that you have to enter before you can use your credit card. 

      Velocity checks

      Velocity refers to the number of transactions made on a card within a particular time period. Merchants often employ velocity checks to prevent credit card fraud. If the merchant detects abnormal purchasing patterns, they can decline the transaction. 

      Payer authentication systems

      Payer authentication systems, such as Verified by Visa, involve the online retailer contacting the cardholder to verify the transaction.

      Your card provider can also compare your transaction with your purchase history. For example, they can check to see if you're using the same device or shopping at a usual store. Merchants can use these security features to automate the approval or rejection of purchases.

      The Bottom Line: Keep Your Credit Cards Safe From Scammers

      There are more threats to your finances and identity than ever before. 

      But despite the growing threat, it’s hard for law enforcement to track down carders, let alone retrieve stolen funds. 

      Aura’s all-in-one digital security solution protects your sensitive information — such as credit card numbers and account details — so you can shop safely. 

      We’ll alert you of any suspicious activity, block phishing sites, and let you know if any of your accounts have been compromised. And if the worst happens, Aura covers up to $1 million in eligible losses due to identity theft. 

      Ready for ironclad identity theft protection? Try Aura 14-days free.

      Editorial note: Our articles provide educational information for you to increase awareness about digital safety. Aura’s services may not provide the exact features we write about, nor may cover or protect against every type of crime, fraud, or threat discussed in our articles. Please review our Terms during enrollment or setup for more information. Remember that no one can prevent all identity theft or cybercrime.

      Is this article helpful so far?
      Need an action plan?

      No items found.

      Award-winning identity theft protection with AI-powered digital security tools, 24/7 White Glove support, and more. Try Aura for free.

      Related Articles

      An illustration of a thief signing a credit card to symbolize using it illegally
      Family Safety

      Help! A Family Member Opened a Credit Card In My Name

      It’s a crime for a family member to open a credit card in your name (and without your knowledge). Here’s how to handle this precarious situation.

      Read More
      September 8, 2023
      Illustration of a credit card protected inside of a glass case
      Credit & Finance

      How To Prevent Credit Card Fraud: 10 Essential Steps

      Criminals use your physical card or stolen credit card numbers to make purchases in your name or impersonate you — here's how you can stop them.

      Read More
      June 23, 2023

      Try Aura—14 Days Free

      Start your free trial today**