Increase in Card Testing - Online Fraud


Unfortunately, cyber fraudsters like to use pages where there is a transactional form to test cards, where they typically put through a low-value amount to see if the transaction will be processed.

We continue to bolster our defences against this, but there are indeed other things that can be done...



  • If you have received a 'dodgy' payment in the last 30 days, you can see the IP address within the Financial > Online Donations > Errors and Info tab.
    That IP address can be added to the block list as described in the article Form & Web Widget Security  
  • Add a reCaptcha to your Web Widget - Using reCaptcha with your Stripe Web Widgets
  • Activate RADAR in your Stripe account
  • Set the minimum transaction amount in Stripe to something that will help to reduce the number of card testing but also won't affect the donations coming through.
  • Alert Stripe's fraud team where you are seeing numerous attempts so that they can also block IP addresses on their payment platform and investigate further.


Donorfy Forms:

  • Review your Spam filter in Forms > History - if there are any unprocessed Forms which do not look correct - delete them and check the payment status in Stripe. Alert Stripe of any fraudulent items.
  • Deactivate unused Forms in Forms > Manage Forms
  • Copy the remaining Active Forms and replace the Form URLs currently on their website with the new ones. Then deactivate the old Forms
  • Set the Postal Address to be a required item on each Form within the Constituent Details - Individual Element
  • If persistent, then also consider changing the page URL where the Form is hosted from


Donorfy Web Widgets:

  • Ensure any Web Widgets are SCA compliant (Web Widgets after 12th September 2019 will automatically be compliant, but older pages may not be - see Updating Your Web Widgets to Use Strong Customer Authentication (SCA) 

  • If you are still finding card testing is persistent, then consider setting up a new Web Widget and replacing the Widget Id within the Widget code on your web page with the new one. Once completed, delete the old Widget in Donorfy so that the old Widget Id becomes completely redundant.



For further reading about high-risk transactions, see this Knowledge Base article.


Article is closed for comments.
Powered by Zendesk