A charge of 88 cents sneaks into your credit card bill. Would you notice? And if you did, would you bother investigating?

Fraudsters are betting you’ll probably let it go. And that’s why these small charges indicate something much more problematic: the phenomenon of “card testing,” where hackers try out whether stolen numbers are active and available to exploit. By making negligible charges, thieves crack the door open wide enough to spend thousands of dollars on your account.

Testing is hardly a new tactic. Nor is digital skimming, the virtual version of physical card skimming, where fraudsters insert an electronic device into an ATM or a payment terminal to steal card information. With digital skimming, crooks insert some malicious code into vulnerable areas like online checkouts and come away with all the data they need to make purchases with your card or drain your bank account. These subtle scams have become increasingly instrumental in implementing sophisticated, coordinated campaigns that exploit vulnerabilities across the digital payment ecosystem.

Part of the problem is that the ubiquity of e-commerce and the growing popularity of peer-to-peer money transfers has opened more entry points for scammers to insert malicious code, thereby getting ahold of account details. This helps explain why worldwide card fraud increased by more than 18% to almost $34 billion in the three years ending 2023, according to Nilson Report figures.

Now, artificial intelligence is supercharging both testing and scamming. Instead of actual human beings manually trying numbers out one at a time, AI can process thousands of scams at once — and get better with each try.

“What’s become more prevalent in the past two or three years is the speed and scale at which these attacks are occurring,” says Rigo Van den Broeck, executive vice president of Cybersecurity Solutions at Mastercard. “AI makes these things repeatable and automated — which is why we’re also using AI to proactively detect and disrupt these operations at scale and in real time, before they cause harm.”

AI is particularly potent because it can learn and adapt to become even better at executing fraud. “It means more attacks and more aggressive attacks,” says Kerry Thomas, who has managed Fraud & Decisioning Products at Mastercard for the past 14 years. “It’s like the perfect storm.”

It’s essentially a high-stakes game of chess as each side tries to think three or four moves ahead, Thomas says. For example, fraudsters are now much better at mimicking actual cardholder behaviors, which was one way fraud detection technology could weed out bad actors.  

Luckily, the good guys have AI too. That means they can scan 24/7 for red flags that identify when such attacks are underway, so that personal information isn’t compromised, malicious charges don’t go through and merchants and cardholders are notified about what’s occurring.

For instance, Mastercard tools like anomaly detection and behavioral analysis can help, identifying, in real time, suspicious charges that fall outside of the usual patterns. This is an especially big assist to smaller businesses, who don’t have massive resources and whole departments devoted to this issue like large national retailers do.

There are a number of layers of defense. First is education, giving businesses all the information they need to secure their part of the ecosystem. Next is having proper controls in place, such as risk assessments to prevent information from being compromised. Third is authentication, to make sure everyone in the payments process is who they say they are. And finally come monitoring, detection and the ability to take action, which Thomas calls “the most critical piece of all.”

Consumers can also fight back. Installing security software on your devices or using two-factor authentication on your financial accounts make it much more difficult for fraudsters to break in. Stick to shopping at trusted retailers (not sketchy ads on Facebook or Instagram, which could be fronts to get your information), check your accounts regularly and have automated alerts set up to remain on top of all charges.

“What I’ve learned over the years is that fraudsters go after the area of least resistance,” Thomas says. “They target the consumer who isn’t checking their accounts and the merchant who doesn’t have proper controls in place. And if they can’t find that, then they go away.”