How to identify and stop card hopping and card testing fraud

Online payment fraud prevention is a serious subject for businesses and consumers alike. Research reveals that payment fraud cost $41B in 2022 and is expected to increase 17% to $48B in 2023. According to a survey conducted by Sift, 43% of consumers have recently fallen victim to payment fraud. By all metrics, online payment fraud is on the rise.

Card-not-present (CNP) fraud accounts for the overwhelming majority of these losses. In this blog, we will explore the difference between two common CNP fraud tactics: card testing and card hopping. We will also provide tips and strategies for trust and safety teams to protect their business and their customers.

What is a card testing attack?

Card testing is a type of payment fraud where fraudsters use stolen credit card information to test whether the card is still active and valid. This is often done by making a small purchase, typically less than $1, to avoid detection. Once the card has been verified, the fraudster can use it to make larger purchases or sell the card information on criminal forums.

Sift data scientists have discovered bot-savvy fraud rings that leverage automation to perform rapid credential stuffing and IP address rotation against multiple merchants at once. Card testing attacks that are automated at scale enable fraudsters to quickly test a large volume of cards to verify their validity.

Card testing can be difficult to detect because the purchases are often small and can go unnoticed by the cardholder. However, businesses can prevent card testing by using fraud detection tools that analyze transaction patterns and detect risky behavior.

What is a card hopping attack?

Card hopping fraud is similar to the consumer practice of opening multiple accounts to receive introductory offers, except that the fraudsters use stolen credit card information to make fraudulent purchases. Card hopping typically follows card testing—once multiple cards have been verified, fraudsters hop from one card to the next, racking up expensive purchases and withdrawals.

Card hopping can be particularly damaging to businesses because it can result in multiple chargebacks and lost revenue. Businesses can protect themselves from card hopping by using tools that analyze transaction patterns and detect when the same person is using multiple cards to make purchases.

Here are four red flags that fraud teams can monitor for card hopping attacks:

• Card hoppers cycle through more than two unique stolen payment cards in rotation.
• Each card has been issued from a different provider—often from different geographic regions.
• Card hoppers use the same IP and mailing address across cards, despite being issued from different geographic regions. This is the result of merchants not implementing proper address verification (AVS) checks.
• Cards may be tied to a higher-than-usual number of failed transactions.

Statistically, it’s unlikely that a legitimate user would use more than five payment methods. According to a survey conducted by Sift, less than 5% of consumers report using five or more payment cards per month, but a card hopping fraudster can use two-to-three times that number in the same time.

How is payment fraud detected?

While card testing and card hopping are both types of payment fraud, they differ in their approach and impact. Card testing is focused on verifying whether a stolen credit card is still active, while card hopping involves using multiple stolen cards to make fraudulent purchases. 

Both types of fraud can be difficult to detect, but businesses can protect themselves by using fraud prevention tools that analyze transaction patterns and flag suspicious activity. Companies that adopt an end-to-end, real-time approach, backed by a network of global signals and events, reduce block rates by 55% compared to those that don’t.

Detecting and preventing payment fraud requires a multi-layered approach that involves both technology and best practices. Here are some strategies that businesses can use to prevent payment fraud:

• Use fraud detection tools that analyze transaction patterns and flag suspicious activity.
• Be up to date with the latest fraud trends and techniques to stay ahead of fraudsters.
• Train internal fraud teams on how to identify and prevent payment fraud.

Sift’s Digital Trust & Safety Platform enables intelligent automation and flexible orchestration to make fraud detection smarter and easier. Sift ingests more than one trillion events per year, detecting new attack patterns in less than 250 milliseconds and providing our customers nearly instantaneous protection.

Learn more about how to select the right online payment fraud prevention platform.

Download the Q1 2023 Digital Trust & Safety Index to learn more about card testing and card hopping.