We had an unthinkable happen to one of our client’s WooCommerce sites – fraudulent payment and carding attacks. The attacks began on a Sunday and continued through Monday before the payment gateway we use responded. The client knew something was wrong immediately because he keeps vigilant watch over his orders, but he wasn’t sure how to react, or even if it was fraud.

We both assumed, incorrectly (you know how that saying goes), that the payment processor had systems in place to stop or at least detect fraud. Wrong. Well, they do, but the activity has to be pretty extreme before they act. Notice from the image that this person tried 16 times to process the payment before it was approved. Why wasn’t this stopped? 16 times!!

Thank goodness, through one of my networking connections, I knew just who to call! Sarah Laube of Nines Financial Group got on a Zoom call with us, and she patiently explained what was going on, and coached us through putting in place the measures the payment processor recommended to safeguard against this type of attack. Thanks to Sarah, we are now more protected, and I’m here to explain how you can do the same.

Always Remain Vigilant for Fraudulent Charges

First and foremost, remain vigilant. If you notice more than 4 payment attempts within a few minutes, it is most likely fraud. If you notice anything you even suspect is fraud, call your payment processor. They can confirm whether it is fraud and handle it from their end. Some other ways to be vigilant and protect yourself from fraud are:

  • Verifying orders manually: Before fulfilling an order, take the time to manually verify the customer’s information, such as their name, address, and phone number.
  • Using AVS and CVV checks: AVS (Address Verification Service) compares the billing address entered at checkout with the one on file with the card issuer, and a CVV check requires the security code printed on the card. Both should be available through your gateway, but you must activate them first. Refer to the processor’s documentation to learn how to set them up.

Adding Google reCAPTCHA to WooCommerce

One easy way to protect yourself against fraud is Google reCAPTCHA, a free service offered by Google to protect websites from spam and abuse. You know the drill by now: you must either solve a simple puzzle or tick a box to confirm that you aren’t a robot. You can use the free plugin reCAPTCHA for WooCommerce. To get your reCAPTCHA keys, go to the Create Page for Google reCAPTCHA and follow the instructions. You’ll configure it for v2 “I am not a robot”, and you’ll need both the Site Key and the Secret Key to add to the plugin settings. This method only takes a few minutes, but it is probably one of the easiest ways to protect your store.

Once you have your keys, the above image shows the placement of the Secret and Site Keys, and you can either leave the Theme as Light or change it to Dark. This is purely your styling preference.

Next, check all the boxes for the WooCommerce Forms, and click Save Changes. That’s it!

Rotating API Keys to Prevent Fraudulent WooCommerce Charges

Rotating API keys is another way to reduce the risk from fraudsters. But what is an API? An API, or Application Programming Interface, is a set of protocols and tools that allows different software applications to communicate with each other. In the context of e-commerce and online payments, an API is the way your WooCommerce site communicates with your payment processor’s system, and the API keys are the credentials that let your site use it. The API enables the transfer of payment data between the two systems, allowing for secure and efficient transactions.

Now back to how to rotate these little wonders of modern innovation. This method is also fairly simple to implement and only requires you to copy and paste information into the corresponding fields. When you set up your payment processor on the site, you should have entered some API keys. Newsflash: these aren’t meant to be your permanent keys. They are meant to be rotated out periodically. To do this, you simply create a new key through your payment processor, swap it in for the old one on your site, and then revoke the old key at the processor so it can no longer be used. Depending on the volume of online transactions you have, you can rotate them daily, weekly or monthly. It only takes a few minutes, but it’s a great way to protect yourself from fraud! If you suspect an attack, do this immediately!

Setting Risk Thresholds to Prevent WooCommerce Fraud

Setting risk thresholds is another way to protect your site from fraudulent transactions. These settings allow you to flag transactions that meet certain criteria as potentially fraudulent. You can set thresholds for transactions with a high dollar amount, transactions that are shipping to a different address than the billing address, or transactions with a high rate of returns. You can also set thresholds for multiple transactions happening from the same email address or credit card. When a transaction meets one of your risk threshold settings, it will be flagged for manual review.
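As an added example (not code from the original post, the plugin or WooCommerce itself), the two signals this page describes can be expressed as review logic run over a constructed set of gateway attempts: the “more than 4 payment attempts within a few minutes” velocity signal from the vigilance section, and the risk thresholds just described (high amount, shipping address differing from billing, repeated attempts from one email). The Attempt fields, the threshold values and the sample data are assumptions chosen to mirror the 16-attempt burst in the story.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Attempt:
    ts: datetime            # when the gateway received the attempt (assumed field)
    order_id: str
    email: str
    card_last4: str         # constructed label only, not a real card number
    amount: float
    ship_matches_bill: bool
    approved: bool

def _burst(n, start):
    # Constructed sample: one card hammered n times, ten seconds apart,
    # declined every time until the final attempt is approved.
    return [Attempt(start + timedelta(seconds=10 * i), f"A{i}", "buyer@example.com",
                    "4242", 19.99, True, approved=(i == n - 1)) for i in range(n)]

T0 = datetime(2024, 1, 7, 9, 0, 0)
SAMPLE = _burst(16, T0) + [
    Attempt(T0 + timedelta(hours=2), "B1", "other@example.com", "1111", 950.0, False, True),
    Attempt(T0 + timedelta(hours=3), "C1", "normal@example.com", "2222", 40.0, True, True),
]

def velocity_flags(attempts, max_attempts=4, window=timedelta(minutes=5)):
    """Return card labels that saw more than max_attempts inside any sliding window."""
    flagged, recent = set(), defaultdict(list)
    for a in sorted(attempts, key=lambda x: x.ts):
        q = recent[a.card_last4]
        q.append(a.ts)
        while a.ts - q[0] > window:       # drop attempts that fell out of the window
            q.pop(0)
        if len(q) > max_attempts:
            flagged.add(a.card_last4)
    return flagged

def threshold_flags(attempts, high_amount=500.0, max_per_email=3):
    """Map order_id -> reasons for orders that hit a risk threshold and need manual review."""
    reasons, per_email = defaultdict(list), defaultdict(int)
    for a in sorted(attempts, key=lambda x: x.ts):
        if a.amount >= high_amount:
            reasons[a.order_id].append("high amount")
        if not a.ship_matches_bill:
            reasons[a.order_id].append("shipping differs from billing")
        per_email[a.email] += 1
        if per_email[a.email] > max_per_email:
            reasons[a.order_id].append("repeat attempts from same email")
    return dict(reasons)

if __name__ == "__main__":
    print("velocity:", velocity_flags(SAMPLE))
    for oid, why in threshold_flags(SAMPLE).items():
        print(oid, why)
```

In the story the burst was only caught because the owner was watching; the velocity rule would have flagged card 4242 on its fifth attempt, long before the sixteenth one went through.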
With Sarah’s help, it took us a bit over an hour to implement everything, but now our client can rest a bit easier knowing that his site is at least more protected than it was. Please, oh please, don’t let this happen to you by assuming your payment processor has your back – they only cover your shoulder blade. And, while these suggestions can’t guarantee you’ll never be attacked, they can at least cover your lower back.

Remember first to stay vigilant and monitor your transactions for any signs of fraudulent activity. Then implement the easy measures above to protect your online store from payment fraud and chargeback attacks. That will not only help you avoid paying for chargebacks but, most importantly, will protect your business’s reputation.