Card testing: fraudsters use bots to test stolen card numbers with small transactions. Different names/addresses, often same IP. Goal is identifying “live” cards for larger fraud elsewhere.

Level 1 — Probing: A handful of suspicious orders. Same IP, fabricated names. Response: Refund successful orders immediately. Monitor for escalation.

Level 2 — Suspicious transactions: Multiple orders, same name/email, different cards, geographic scatter. Response: Refund all suspicious orders. Enable CAPTCHA on checkout. Enable WooPayments fraud protection / Stripe Radar.

Level 3 — Full carding attack: Dozens to hundreds of rapid-fire attempts. Response: Everything from Level 2 plus: contact payment processor, consider temporarily disabling checkout, rate-limit at server/Cloudflare level.
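The three levels above expressed as triage logic over a batch of checkout attempts. This is an added example, not code from WooCommerce, WooPayments or Stripe. The order fields (`ts`, `ip`, `name`, `email`, `card_fp`, `country`) and all thresholds are assumptions, and the sample batches are constructed.

```python
from collections import defaultdict

# Thresholds are assumptions: the notes say only "a handful" and "dozens to hundreds".
L1_NAMES_PER_IP, L2_CARDS_PER_EMAIL, L2_COUNTRIES = 3, 3, 2
L3_ATTEMPTS, L3_WINDOW_S = 24, 600

def max_burst(timestamps, window_s):
    """Largest number of attempts inside any sliding window of window_s seconds."""
    ts, best, start = sorted(timestamps), 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(orders):
    """Return (level, reasons) for a batch of checkout attempts; level 0 means no signal."""
    names_by_ip, cards_by_email, geo_by_email = (defaultdict(set) for _ in range(3))
    for o in orders:
        email = o["email"].strip().lower()
        names_by_ip[o["ip"]].add(o["name"].strip().lower())
        cards_by_email[email].add(o["card_fp"])
        geo_by_email[email].add(o["country"])
    level, reasons = 0, []
    for ip, names in names_by_ip.items():  # Level 1: same IP, many different names
        if len(names) >= L1_NAMES_PER_IP:
            level = max(level, 1)
            reasons.append(f"L1 {ip}: {len(names)} distinct names")
    for email, cards in cards_by_email.items():  # Level 2: same email, different cards, scattered geography
        if len(cards) >= L2_CARDS_PER_EMAIL and len(geo_by_email[email]) >= L2_COUNTRIES:
            level = max(level, 2)
            reasons.append(f"L2 {email}: {len(cards)} cards, {len(geo_by_email[email])} countries")
    burst = max_burst([o["ts"] for o in orders], L3_WINDOW_S)  # Level 3: rapid-fire volume
    if burst >= L3_ATTEMPTS:
        level = 3
        reasons.append(f"L3: {burst} attempts within {L3_WINDOW_S}s")
    return level, reasons

def order(ts, ip, name, email, card_fp, country):
    return dict(ts=ts, ip=ip, name=name, email=email, card_fp=card_fp, country=country)

# Constructed sample batches (documentation IP ranges, made-up names and fingerprints).
PROBING = [order(i * 300, "203.0.113.7", f"Name {i}", f"u{i}@example.com", f"fp{i}", "US") for i in range(3)]
SUSPICIOUS = [order(i * 900, f"198.51.100.{i}", "Pat Doe", "pat@example.com", f"fp{i}", c)
              for i, c in enumerate(["US", "BR", "DE"])]
CARDING = [order(i * 5, f"192.0.2.{i}", f"N{i}", f"n{i}@example.com", f"c{i}", "US") for i in range(30)]

if __name__ == "__main__":
    for label, batch in [("probing", PROBING), ("suspicious", SUSPICIOUS), ("carding", CARDING)]:
        print(label, classify(batch))
```

The returned reasons name the IP or email that tripped each rule, which gives the list of orders to refund before fulfillment.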

Why refund early: Fulfilled fraudulent orders result in chargebacks — you lose the product, the money, AND pay a chargeback fee. Proactive refunding before fulfillment avoids all of this.

Prevention: CAPTCHA at checkout. WooPayments Advanced Fraud Protection. Stripe Radar rules. Rate-limiting checkout API endpoints.