Card testing fraud: What it is, how it works, and more

This article includes tips, suggestions and general information. We recommend that you always do your own research and consider getting independent tax, financial and legal advice before making any important decision.

Learn about card testing fraud and possible things to do if credit card information is stolen.

What is card testing?

Card testing fraud — sometimes called card checking, carding, or account testing — is a fraudulent process scammers may use to check if bank and credit cards work, typically by attempting small transactions with the card details.

Criminals test the stolen card information to find out if the card has been cancelled or locked. They may also guess card details and use these tests to ‘check’ their guesses.

If a cardholder notices that their credit or debit card was stolen and locks it or reports the theft, a card test will likely fail. Similarly, deactivated accounts and guessed card details that don't correspond with a real card will typically fail card testing.

If the card passes a test and the card is still active, criminals could go on to commit substantial card fraud — using the card to make larger fraudulent purchases, withdrawing cash from an ATM, or selling the stolen card's details to other criminals.

How does card testing work?

There are two common methods for testing stolen credit card details:

• Small payments. Scammers may try to make a purchase to see if the card is valid. Generally, scammers make small purchases because cardholders are less likely to notice if their balance changes by a few pounds.
• Authorisations. Rather than initiating transactions, scammers may try a pre-authorisation that verifies that the card is active, and has sufficient cash. It’s similar to how hotels often put a temporary charge on a credit card when someone checks in. Criminals may use this method because people may not question small pending transactions on their bank statement.

Scammers may steal or buy thousands of card details and then test them all to see which cards are still valid. Manually going card by card would likely take too long. It’s possible for criminals to use large networks of compromised computers to quickly test thousands of stolen cards at a time.

What is the impact of card testing?

An unexpected payment or authorisation could be an indication that a person’s card's details have been stolen. If they don’t notice, they may wind up paying the credit card bill or allowing the scammers to get away with using their bank card.

Some card issuers may not hold people liable for unauthorised transactions they reported immediately. This means people could have to request a new card and update payment details, but there won’t necessarily be financial loss if the card issuer offers fraud protection.

Common ways scammers steal debit and credit card numbers

Some of the common ways credit card numbers are stolen include:

• Data breaches. Hackers may break into a large company’s system and find the details for thousands of cards. They then test the cards to see which ones still work. Or they sell the data from the breach, and the buyers test the cards.

• Phishing. Criminals may send phishing emails or texts (sometimes called smishing) that look like they come from legitimate companies. The recipient may click on a link in the message and enter their card details to ‘verify’ an account or transaction. But they’re mistakenly sending the details directly to the scammer. Alternatively, the link may install malware on the device that can steal a victim’s private and financial information.

• Guessing. Fraud groups may use software to guess various combinations of card details and then test the cards to see if any of their guesses work. Cards from the same issuer share a bank identification number (BIN) — the initial digits on the card — and criminals may use this BIN as a starting point.

• Skimming. Card skimming devices can copy information when a card gets inserted or swiped. Scammers may place these devices on top or inside ATMs and card readers. There may also be cameras or touchpad overlays that are used to record people’s PIN codes. The criminals can then come back and collect all the stolen card information to sell or create fake cards.

Consumers can help protect themselves from some of these methods by learning how to identify fake messages and using safe payment options. For example, contactless payments and a digital wallet can help keep a card’s details hidden from skimming devices.

However, even the best protections may not protect cardholders from every type of attack. That’s why monitoring accounts for fraudulent activity is important.

What to do if credit card information is stolen

When someone suspects that their card is lost, stolen, or compromised, it’s important to report the loss or theft as soon as they’re able and freeze their card account. Card issuers can then work to keep scammers from fraudulently using stolen card numbers, while cardholders can take steps to get a replacement card.

The reporting process for fraudulent card activity varies by card issuer. People may be able to:

• Ring the phone number on the back of the card. Most cards will have a phone number listed on the back of the card. Cardholders may be able to call and speak with a representative to report potential fraud or a stolen card. If a card has been physically stolen or lost, cardholders may be able to find contact information online by searching on the card issuer’s official website.

• Use the card issuer’s website or mobile app. Many card issuers offer online account services. If a card has been compromised, a cardholder may be able to report fraud using the website or app. Cardholders may also be given an option to freeze their account immediately to prevent further fraudulent transactions.

Find out more about how PayPal makes your security a priority.