Text: This blog post may contain affiliate links which may earn me a commission at no extra cost to you.
iMac computer on a desk showing the Thrivecart checkout design editor and the title: How to Protect Your Thrivecart Account from Scammers and Spammers

A new threat in Thrivecart account security are scams called Card Testing scams. In this post, I'll share my best tips for protecting your Thrivecart account from Card Testing scams and other security risks.

Along with protecting your Stripe and Paypal accounts, protecting your Thrivecart is also crucial for protecting your business, your digital assets, and ensuring you and your customers have uninterrupted access to their purchases if you use Thrivecart Lear to host your courses and digital products.

What are Card Testing scams and are Thrivecart accounts at risk?

Card testing scams are one of the most common scams and have recently become more prevalent with Thrivecart accounts. Here's what happens: scammers purchase or otherwise acquire -aka steal- lists of credit card numbers. Before they make big purchases with them, they first want to test and see which cards are still valid, active accounts, so they make a LOT (hundreds, or sometimes thousands) of small purchases, often for $0.00 or as little as $1 or as much as $10, to see which transactions go through. They need a valid payment processor for their scam, so they might use an unsuspecting Thrivecart account or checkout to test their purchases. Once their small purchase goes through, they then move on to make bigger purchases with that credit card, for luxury goods, clothing, electronics or other expensive purchases.

How to know if you are under a Card Testing attack and what to do

I recently spoke with two creators who had to deal with a Cart Testing attack on their Thrivecart and Stripe accounts. Each scam will be different, but I want to share some similarities so you can recognize what's happening and take immediate action.

Both creators sell digital products via their website and take payment via Thrivecart. Their attacks occurred between December 2022 and January 2023.

Here are the similarities between two recent card testing attacks involving Thrivecart and Stripe:

  • Neither creator saw any unusual activity in their Thrivecart account – no new transactions, purchases, refunds, etc.
  • Their Thrivecart and Stripe logins had not been compromised and they did not lose access to their dashboards or accounts. Their real customer data was not breached or compromised
  • Their attacks started gradually, with just one or two small charges, either for $0 or $6, a day, and then increased. It's clear that these were processed via a bot
  • The customers whose cards the scammers were using were not charged, as the charges were either $0 or were marked as pending in Stripe, but in some instances, the attempted charge still showed up on the customer's credit card statement
  • These creators only became aware they were under attack when they saw the pending charges when they logged in to their Stripe accounts – again, there were no transactions or changes on Thrivecart, or when they were contacted about the attempted charges customers saw on their credit card statement.
  • Stripe may or may not notify you of a potential attack – one of these creators received a single email from Stripe after weeks of being under attack, the other was never contacted by Stripe
  • In both instances, Thrivecart and Stripe both claimed the breach was on the other's platform. The transactions were processed via Open API via Stripe, but associated with Thrivecart products (as in, there was one product singled out and used to test thousands of cards). If any funds had actually been processed, the creators would have had to refund the charges and eat the Stripe fees.
  • Both creators could only stop the attack by pausing or requesting a temporary hold on their Stripe account. Their Thrivecart accounts were able to function normally using Paypal as a payment processor.

If you think you may be under a card testing attack, immediately open support tickets with Thrivecart and Stripe. You may also want to have Stripe freeze your account. Lastly, consider creating a notification for your site (such as a pop up or a footer bar notification) that you are aware of the transactions and are taking action. While that may seem scary and vulnerable, it's never a bad thing to be as transparent as possible and have documented proof that you notified site visitors of a potential issue as the people who are innocent victims of the scam may be looking up your site to investigate the problem.

As with all things Thrivecart account security and general online security, the best course of action is to prevent falling victim to card testing scams and other potential security issues for your e-commerce business in the first place with a few basic preventative steps.

Here are 5 tips to protect your Thrivecart account security:

1)  Enable two-factor authentication for your Thrivecart account 

You're likely already very familiar with this security protocol, but it can go a long way to protecting your account from spammers or when your favorite password storage app has a breach, like LastPass did in December, 2022.

How to enable two-factor authentication on your Thrivecart account

  1. Log in to your ThriveCart account
  2. Click on your profile icon in the top right corner
  3. Select “Profile”
  4. Scroll to the bottom of your profile page and enable 2FA by clicking the button “Set up your 2-factor auth” and following the prompts.

NOTE: Many Thrivecart users find that despite checking the box “remember me on this computer for the next 30 days,” they still need to authenticate their login credentials every single time they log in to their account. While annoying, it's still better than risking potentially losing access to your account.

Screen capture of a Thrivecart profile editor page, with an arrow showing where to click to enable two factor authentication to strengthen your Thrivecart account security

2) Enable fraud prevention via Captcha security protocols on your Thrivecart account 

We've all seen Captcha (or ReCaptcha) boxes before: they usually look like a checkbox that says, “Click here to confirm you're a human” or something like that, and sometimes they make you do a puzzle or identify traffic lights or fire hydrants. However, enabling Fraud Prevention for your Thrivecart account with Captcha will not add a Captcha checkbox to your Thrivecart checkouts. In most instances, it will be invisible. In the instance that the system is not sure a real person is attempting the purchase, or their appears to be an issue or risk with that card, a traditional Captcha box will appear.

I've been told that adding this feature to your Thrivecart account may slow your checkouts down by a second or two, but I strongly recommend it anyway. Card Testing scams are now common and I've had 2 friends whose accounts have been impacted. Enabling the anti-fraud Captcha on their checkouts could have prevented this.

How to enable Fraud Prevention in Thrivecart with Captcha

  1. Log in to your ThriveCart account
  2. Click on “Settings” in the left-hand menu
  3. Click on “Account-wide Settings”
  4. Click “Fraud prevention”
  5. Enable “Google reCAPTCHA”

Screen capture of Thrivecart fraud prevention settings to strengthen your Thrivecart account security with a box around the Google reCaptcha option

I recommend using “Google ReCaptcha” but you may wish to test both. If you don't have either of these settings enabled, I strongly recommend you GO NOW to set this up.

banner showing a woman working at a desk; text on the image: want to see exactly how I have my funnels set up in Thrivecart? Free 15 minute behind-the-scenes video

3) Grant your VA or team members access to your Thrivecart account via the Users feature, not by sharing your login

I can't stress this enough – for the absolute strongest Thrivecart account security, no one should have full admin access to your Thrivecart account other than you if at all possible. Instead, never share your Thrivecart login and grant access to your account via the subusers feature. If you have Thrivecart Pro, you're able to add up to 5 additional users with customizable access to your account, for a total of 6 logins, including your own. I believe this is not available for regular Thrivecart accounts, but if it were me, I'd upgrade to Thrivecart Pro just to get access to this.

Within the Users settings, you're able to create a new user account and customize, down to a product-by-product level, which courses and products your team member has access to, whether or not they can delete products, see statistics like sales data and conversion rates, look up customers, perform refunds, or manage your affiliates.

How to create user accounts for your team members or contractors in Thrivecart

  1. Log in to your ThriveCart account and go to the “Settings” section.
  2. Click on the “Subusers” tab. You can also find the Users menu by clicking your profile picture in the upper right corner and then clicking Users.
  3. Click the “Add Subuser” button to add a new subuser.
  4. Enter the subuser's first and last name and email address. The rest of the fields (Country, State, Zip code, etc.) are optional.
  5. Choose the App Permissions tab to customize what access you want to give to the new subuser. ThriveCart offers a variety of permission levels, from read-only access to full control over your account, broken down into these categories: Coupons, Learn, Statistics, Affiliates, Users, and Settings.
  6. Click the Product Access tab to customize which products the subuser will have the ability to see and edit inside their dashboard. NOTE: Your subuser will not have the ability to create new products, only the primary user (you) can do that. However, you can create a product, Save and Exit, and then allow your subuser to handle all the other settings, design, and set up tasks.
  7. Last, click the Course Access tab to customize which courses your subuser will be able to see and edit within their account. Approvals are given on a project-by-project basis. Projects inside Thrivecart Learn are simply folders used to organize your courses. You cannot grant access on a course-by-course basis.
  8. Click the Save button to create the subuser.

Thrivecart will send your new subuser an email notifying them they've been added to your account and prompting them to set up a password.

To manage your subusers, head back to the Users menu to edit their permissions, reset their password, or delete their account. If you make any changes, such as removing access to a product or project, they will be notified via email.

4) Create a unique, strong password for your Thrivecart account and don't add it to your LastPass or save it to your browser.

Start with a strong, complex password and consider not storing it anywhere. This is totally optional, but services like password-storing apps have data breaches often and it might just be one more step to protecting your account and preventing you from losing all your valuable work and products.

Suggestions for creating a strong, secure Thrivecart password:

  • Use at least 12 characters
  • Use a combination of upper and lowercase letters, numbers, and symbols
  • Avoid using common words or phrases, especially avoiding meaningful words like your name, a spouse or child's name, or your birthdate or birth year
  • Don't reuse passwords across different accounts – only use this password for your Thrivecart account

5) Check your transactions regularly, both in Thrivecart and in your payment processors like Stripe and Paypal

It's never a bad idea to keep an eye on your ThriveCart transactions and be alert to any suspicious activity, like a sudden uptick in orders or a high number of refunds. I also routinely, usually weekly, log in to my Stripe account and keep an eye on how many failed payments have occurred that week.

Failed payments are not necessarily a sign of an attack, as sometimes cards simply get declined, but I do pay attention if its a customer trying to purchase multiple times, or if there are several failed purchases all occurring close together. I'd recommend checking your transactions at least once a week to stay on top of any trends or sudden increases in failed payments or purchase attempts.

If you suspect you're under a card testing attack, immediately contact Thrivecart and Stripe and see our recommendations and guidelines as listed at the top of this article.

Bonus tip for extra fraud prevention if you use Stripe as one of your payment processors in Thrivecart

Stripe recently introduced a new layer of security to all payments processed via their service, Radar. You can find more details on Stripe's site here, but the basic premise as of 2023 is Stripe will charge you an extra $0.05 USD per transaction to process extra checks to prevent fraud. I recently enabled this after my friends experienced Card Testing attacks and have not noticed any adverse affects, lost sales, or conversion dips. If you offer split-pay or payment plans on your digital products, this can also help to reduce the number of defaulted/incomplete payment plans you have to deal with. 

Spam or scam attacks are not going away, and scammers will continue to innovate and find new ways to make a quick buck, but by following these tips and best practices, you can help protect your ThriveCart account from scammers and spammers. While not fail-proof, implementing security and fraud prevention measures like limiting enabling 2FA, using CAPTCHA on all your checkouts, creating a strong, secure password, and adding your team members to your Thrivecart account as subusers rather than sharing your login details with them directly, can all help to make your Thrivecart account, transactions, customers, and digital assets like your courses and products stored in Learn, more secure.

Other posts you may want to check out: