Whitepaper: The basics of online fraud

Fraud moves to online, and vice versa

How do fraudsters get credit cards?


To access these sites, you need to download a Tor browser. The dark web is known to be a place of trade for illegal goods and services; including credit cards. Credit card information finds its way onto the dark web when large security breaches happen at retailers. This information is sold for as little as $1 a card and often includes all of the necessary information needed to make an online purchase.

Fraudsters therefore visit the dark web to buy bundles of credit card details to be used on the normal web. These bundles vary in quality with some including billing address & phone number while others have the basic necessary information: card number, expiry date, CVV and name. Some bundles even come with a success guarantee - so if the details don’t work, you can go back to the seller and get your money back.

How do fraudsters test cards?

Once a bundle of cards has been purchased the next step is to test them. This can take place anywhere but often charities are targeted as they are considered unlikely to have stringent security in place to block a small donation. In this scenario fraudsters are often referred to as ‘carders’.

Carders will check that the CVV code and AVS codes are working and try to ascertain any additional information they can through the response codes that the merchant returns. A carder will often check hundreds of cards at a time through a number of sites. He or she (usually he) might even resell ‘clean’ cards with enhanced data. Or more likely he will start to target higher value items and services to purchase.

Multiple account creation

Fraudsters also create multiple different accounts using different email addresses that are often disposable or free (e.g. Gmail, Yahoo, Hotmail, Outlook etc.). Having a range of accounts and cards to try means a higher likelihood that they will be successful in making fraudulent purchases.

It also means that once a vulnerability is found, it can be exploited multiple times. You will certainly notice one individual buying large numbers of an item in a rapid burst: but will you notice multiple accounts making relatively small purchases across an  extended period of time? Spotting these connected purchasers is not easy but failing to do so could seriously damage your business.

Fraudsters also like to let accounts lie dormant for a couple of months before trying to use them. This is because a new account making large purchases is a big red flag that something isn’t right and will often be blocked. Creating and then leaving accounts dormant is an easy way to circumvent those rules.

A totally non-exhaustive list of the classic signs of a fraudster

It pains us to say it but there are a lot of smart fraudsters out there and these checks on their own will not necessarily catch them. On the other hand, lots of fraudsters are dumb or lazy so watching out for these behaviours in your customer base will stop at least some of the more egregious fraud attacks. Remember though, none of these on their own is usually enough to definitely indicate fraud and you risk a high false positive count if you block transactions on each of them. Really the only way to reliably block fraudsters is to have the time to review each order or to work with a fraud prevention platform. In either case, it is useful to be aware of some significant warning signs that someone is trying to defraud your business.

  1. Adding multiple cards in a short time frame
  2. Mismatches of card origin, user location and order locations
  3. Use of freemail and disposable email addresses
  4. Disconnect between email name and the user’s actual name
  5. Multiple failed attempted transactions
  6. Shipping/delivery location in known fraud hotspot
  7. Use of card connected with another fraudster
  8. Use of a device shared with another customer(s)
  9. Order value greater than the average purchase
  10. Attacking at night, on weekends or at peak times