Why small orders are where card-testing fraud hides
Most merchants assume fraud is a high-ticket problem. You scrutinize the $400 order. You wave through the $40 one. After talking to a lot of store owners, the pattern that keeps coming up is the opposite of what people expect: the losses cluster on the small orders, not the big ones.
The reason is simple and a little uncomfortable. Fraudsters know you do not manually review a $40 order. The math does not justify it, and they are counting on exactly that. So they test stolen cards in bulk, in amounts low enough to clear your attention and your processor's basic checks, and they ship everything to one address they control.
The pattern
Here is the shape of it, pieced together from how store owners describe it:
- Six to ten orders over a few days, each between $35 and $60.
- A different customer account and a different card on each one. Many of the cards are stolen and being tested.
- Every order ships to the same address. Often a freight forwarder, a reshipper, or a package-receiving storefront.
- Your platform's native fraud check flags none of them, because each order, looked at on its own, is unremarkable. Small amount, card authorized, nothing obviously wrong.
One store owner described losing roughly $2,800 in a single month to a run of $40 to $60 orders, all on different cards, all shipping to the same forwarding address. His platform flagged zero of them.
Why per-order scoring misses it
The blind spot is structural. Native fraud scoring looks at one order at a time. A $45 order with a valid authorization scores low on its own merits, and it should, because in isolation there is nothing to see.
The fraud does not live in any single order. It lives in the relationship between them: six different cards, six different names, one address. You cannot see that by scoring orders. You can only see it by scoring the address across orders.
That is the whole game. Score the address, not the order.
What the engine actually does
We built this exact scenario and ran it through the scoring engine: a string of roughly $45 orders, each from a different customer, all shipping to one address, carrying the kind of weak payment signals a proxied stolen-card order tends to leave behind (address verification that cannot be confirmed, an IP location that does not resolve, guest checkout). No exaggerated inputs. A deliberately middling, borderline order.
Here is how the score moved as the ring grew:
| Orders to the address | Risk score | Zone |
|---|---|---|
| 1 | 62 | Medium |
| 2 | 62 | Medium |
| 3 | 88 | High |
| 6 | 88 | High |
Two things are worth sitting with.
First, even the lone order lands at medium, not low. The weak payment signals alone are enough to pull it off the floor, so it shows up on a review queue rather than sailing through.
Second, the verdict flips to high the moment a third distinct customer ships to that address. That is the address cluster firing. The order's own facts did not change between the second and third order. What changed is that the address now has three unrelated accounts pointing at it, and that is a pattern, not a coincidence. From there the score holds high as the ring keeps growing.
A card-testing order that carries stronger signals on its own (an outright address mismatch, a detected proxy, several failed payment attempts) scores high on the very first order. The interesting case is the borderline one above, where the per-order facts are only middling and the address relationship is what makes the call.
An honest limit
The single strongest version of this signal is the one we are most careful about claiming today. When a forwarding address is already known bad across many different stores, that is the loudest possible alarm, and catching it depends on seeing activity across a network of merchants rather than one. On a single store you get the version above: the address cluster inside your own orders, plus the payment signals, which is already enough to flag the ring before you ship. The cross-store version is what makes the borderline cases decisive, and it gets stronger as more stores contribute.
What to do with it
If you are seeing this pattern, the move is not to lower your review threshold on every $40 order. That just floods your team. The move is to watch the address. A handful of orders from different accounts converging on one shipping address, especially a forwarder, is worth a hold before you fulfill, even when each order looks fine on its own.
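One way to watch the address rather than the order, as an added example (not code from the engine described above): group orders by a normalized shipping address and hold any order that brings the number of distinct customers at that address to three or more. The field names, the 7-day window, the abbreviation list and the sample orders are assumptions constructed for illustration; the threshold of three mirrors the table above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLUSTER_MIN_CUSTOMERS = 3       # assumption: mirrors the third-customer flip in the table
WINDOW = timedelta(days=7)      # assumption: "a few days" read as a 7-day lookback
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}

def normalize_address(addr):
    """Lowercase, drop punctuation and fold common suffixes so variants collide."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def orders_to_hold(orders):
    """Map order id -> distinct customers seen at its address within WINDOW,
    for every order that reaches CLUSTER_MIN_CUSTOMERS at placement time."""
    by_addr = defaultdict(list)
    for o in orders:
        by_addr[normalize_address(o["ship_to"])].append(o)
    holds = {}
    for group in by_addr.values():
        for o in sorted(group, key=lambda x: x["placed"]):
            # Count customers on orders placed at or before this one, inside the window.
            seen = {p["customer"] for p in group
                    if timedelta(0) <= o["placed"] - p["placed"] <= WINDOW}
            if len(seen) >= CLUSTER_MIN_CUSTOMERS:
                holds[o["id"]] = len(seen)
    return holds

def make_order(order_id, day, customer, ship_to):
    """Build a constructed sample order placed `day` days after 2024-03-01."""
    placed = datetime(2024, 3, 1) + timedelta(days=day)
    return {"id": order_id, "placed": placed, "customer": customer, "ship_to": ship_to}

# Constructed sample data: a four-order ring at one forwarding address written
# four different ways, and a household shared by a repeat customer and one other.
SAMPLE_ORDERS = [
    make_order("A1", 0, "c1@example.com", "500 Harbor Road, Suite 210, Newark NJ"),
    make_order("A2", 1, "c2@example.com", "500 Harbor Rd Ste 210 Newark NJ"),
    make_order("A3", 2, "c3@example.com", "500 HARBOR RD., STE 210, NEWARK, NJ"),
    make_order("A4", 3, "c4@example.com", "500 Harbor Rd, Ste 210, Newark NJ"),
    make_order("B1", 0, "d1@example.com", "12 Elm Street, Dayton OH"),
    make_order("B2", 2, "d1@example.com", "12 Elm St, Dayton OH"),
    make_order("B3", 3, "d2@example.com", "12 Elm St, Dayton OH"),
]

if __name__ == "__main__":
    for oid, n in orders_to_hold(SAMPLE_ORDERS).items():
        print(f"hold {oid}: {n} distinct customers at this address")
```

The household address stays below the threshold because a repeat customer counts once. Orders placed earlier to a flagged address that have not shipped yet deserve the same hold.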
That is the entire point of scoring fraud at the identity and address level instead of the order level. The order is where the money leaves. The address is where the fraud actually is.