monkeyman.agency
scaling

Card Testing on Shopify: Why You Suddenly Get Dozens of Tiny Fraud Orders

A flood of $3 orders at 2 a.m. isn't a sale, it's a stolen-card test run. Here's how to read the pattern, lock down checkout, and protect your decline rate.

June 24, 2026 9 min read

Devon runs Ridgeline Supply, an outdoor-gear store doing about $1.4M a year on Shopify. He woke up to 47 orders placed between 2 and 4 a.m., almost all of them for the same $4 carabiner, paid by 47 different cards, shipping to addresses that didn’t line up with the billing names. His first thought was that something had gone viral overnight.

It hadn’t. Somebody was using his checkout as a test bench for stolen cards, and the part that would actually hurt was still three weeks out.

This is one of the most common “what is happening to my store” panics we get pinged about, and almost nobody recognizes it the first time. The orders look real. The money even shows up. So merchants ship the carabiners, feel briefly lucky, and then get buried in disputes a month later.

The 2 a.m. order that isn’t a sale

When a criminal buys a batch of stolen card numbers, they don’t know which ones still work. Most have been cancelled. To sort the live cards from the dead ones, they need somewhere to run a cheap charge and watch whether it clears, and a Shopify checkout with a low-priced product is close to perfect for that.

A merchant we hopped on a discovery call with last month put it about as plainly as it gets. They’re checking the cards on the cheapest thing in the store, he said, and if a small charge goes through, that card gets used for a real haul somewhere else.

So the $4 order isn’t the crime. It’s reconnaissance.

That reframe changes everything about how you react. You’re not looking at a weird spike in demand for a single SKU. You’re looking at the free QA environment your store is quietly providing to someone, and every successful test makes a card more valuable on a resale market you’ll never see.

Reading the pattern before it costs you

The attacks have a signature once you know what you’re looking at. Lots of orders in a tight window, usually overnight, usually for your lowest-priced item or a digital product that ships instantly. Dozens of different card numbers, often with billing names that don’t match the shipping address, or shipping fields stuffed with gibberish.

Look at your abandoned checkouts too, not just your orders. Card testing throws off a flood of failed and abandoned attempts, the same handful of names cycling through with tiny variations, because most of the cards being tested are already dead and never clear.

Your decline rate is the other tell. If your gateway is suddenly refusing a huge share of attempts, that’s not your customers fat-fingering their CVV. That’s a script working through a list.

The pattern is loud if you’re watching. The problem is that most merchants aren’t watching at 3 a.m., which is exactly why the attacks happen then.

The bill comes due in three weeks

Here’s the timeline that catches people. The test charges clear. You ship. Nothing seems wrong for two or three weeks. Then the real cardholders notice the strange charge on their statement, call their bank, and the chargebacks land all at once.

Each one costs you the refunded amount plus a dispute fee, usually somewhere around $15 to $25, and you almost never win these because the charge genuinely wasn’t authorized by the cardholder. You lose the product, the shipping, the fee, and the original “sale” all at once.

And it compounds. The card networks track your chargeback ratio, and Visa’s monitoring program starts breathing down your neck once disputes cross roughly 0.9% of transactions. Cross the wrong thresholds and your payment processor can put your account under review, hold a reserve, or in the worst case drop you. A card-testing wave that you ignored for a month can quietly push a healthy store into that territory.

So the math isn’t “I lost a few hundred dollars in cheap product.” It’s the disputes, the fees, and the risk to your ability to take payments at all.

What Shopify gives you out of the box

The reassuring part is that you already own most of the tools to shut this down. They just ship turned down by default.

Shopify’s fraud analysis scores every order as low, medium, or high risk, and it flags exactly the signals card testing produces: mismatched addresses, multiple cards from one device, CVV and AVS failures. On Shopify Payments stores you can set fraud filters and Flow rules that auto-cancel or hold orders matching those patterns, so a 3 a.m. burst gets stopped without you awake to catch it.

Then there’s bot protection. Shopify offers a checkout CAPTCHA and bot mitigation layer that throws a verification step in front of suspicious traffic, which breaks the automated scripts that make card testing cheap to run in the first place. Turn it on.

A few more native moves help. Require CVV and address verification and set your gateway to decline on mismatch. Disable accelerated wallet buttons temporarily if the attack is routing through them. Throttle or hide your cheapest product if it’s the bait, or set a minimum order value while you’re under fire.

None of this is exotic. It’s a settings pass most stores never do until the day they have to.

Scoring orders before you ship them

Native tools catch a lot, but they review orders after they’re placed. For a store taking real volume, the upgrade is software that scores each order in real time and holds the risky ones before fulfillment. The decision happens before a package ever moves, not after.

Apps like Signifyd, NoFraud, and Fraud Filter plug into checkout and weigh hundreds of signals in the moment, and several offer chargeback guarantees where they eat the loss on an order they approved that turns out fraudulent. That guarantee is often the whole reason to buy, because it converts an unpredictable risk into a flat, budgetable cost.

The machine-learning angle matters more during an active attack than in calm weeks. A scoring model watching velocity, device fingerprints, and card-to-address relationships will spot the carabiner pattern in seconds, where a human staring at an order list at midnight will not. Honestly, that speed is most of the value.

The lockdown checklist when an attack is live

When you realize it’s happening right now, work the list in order, top to bottom:

  1. Turn on Shopify’s checkout CAPTCHA and bot protection immediately.
  2. Cancel and refund the test orders before you ship a single one (refunding fast also limits the chargeback fees).
  3. Add a fraud filter or Flow rule to auto-cancel sub-$10 orders that share a product, device, or burst window.
  4. Set your gateway to require and decline on CVV and AVS mismatch.
  5. Temporarily raise your minimum order value or hide the bait product.
  6. Call your processor, tell them you’re under a card-testing attack, and ask what they need from you.

Knock those out and the attack usually moves on within hours, because card testers want easy targets and a store that fights back isn’t one.

Calling your processor before your decline rate does the talking

That last step trips people up, so it’s worth its own beat. Merchants avoid calling the processor because they’re afraid of drawing attention to their account. The attention is already coming. The question is whether you get ahead of it.

When you call Shopify Payments or your gateway, say plainly that you’re experiencing card testing, that you’ve cancelled the fraudulent orders, and that you’ve tightened your fraud controls. Ask whether they can add temporary velocity limits on their end and whether the incident has affected your standing. Getting that on the record protects you if the chargebacks push your ratios up later.

The risk you’re managing isn’t only the fraud. It’s that a wall of declines, all by itself, looks bad to the networks, and an unexplained spike can trigger a review even after you’ve stopped the bleeding. A two-minute call reframes the whole thing from “this account is out of control” to “this merchant caught an attack and handled it.”

What we keep telling clients

The instinct when the orders flood in is to think about the lost product, and that’s the least important thing in the room. The carabiners are gone, fine. The thing to protect is your ability to keep taking payments without a processor reserve or a monitoring program hanging over you.

Card testing isn’t a sign you did something wrong. Every store with a cheap product and an open checkout is a target eventually, and getting hit once is closer to a rite of passage than a failure. What separates the merchants who shrug it off from the ones who spend a quarter cleaning it up is whether the defenses were on before the wave hit.

So we tell clients to do the boring settings pass now, while it’s calm: fraud analysis tuned, filters live, bot protection on, CVV and AVS enforced, a scoring app in front of fulfillment if the volume justifies it. None of it is glamorous and all of it pays for itself the first time a script finds your store at 3 a.m.

Devon turned on bot protection, wrote a filter that auto-cancels any sub-$10 order arriving in a burst across multiple cards, added a real-time scoring app, and made the processor call before his first coffee. The next wave came ten days later and fizzled inside an hour. He never shipped a single test order, and the chargebacks that would have landed in July simply never showed up.

Questions we get every week

How do I know it’s card testing and not a real sales spike? Real spikes spread across products, price points, and normal hours, and the orders pass fraud checks. Card testing clusters on your cheapest item, runs overnight, uses many different cards with mismatched billing and shipping, and drives your decline and abandoned-checkout counts way up. If those signals stack together, it’s an attack.

Should I ship the orders that already cleared? No. Cancel and refund them before fulfillment. The charges may have gone through, but they’ll almost certainly become chargebacks, and shipping just adds the cost of goods and postage to the loss you’re already going to eat.

Will fighting back hurt my conversion rate? Slightly, and only while the controls are tightened. A CAPTCHA step and stricter CVV rules add a tiny bit of friction, but you can dial them back once the attack passes. A short dip in conversion beats a chargeback ratio that gets your payments frozen.

Do I need a paid fraud app or are Shopify’s tools enough? For lower volume, the native tools plus a good filter setup handle most attacks. Once you’re processing real volume or you’ve been hit more than once, a real-time scoring app, ideally one with a chargeback guarantee, is worth the cost because it holds risky orders before they ship instead of after.

If a wave of tiny fraud orders has your store rattled and you want your checkout hardened before the next one hits, talk to us about a fraud lockdown.

Need help with this?

Send us your store. We'll send back an audit.

Send us your store URL. We'll send back a free audit within 48 hours.

Phone (optional)