Bots, Spam & Credit Card Testers — 261 Interventions Protecting Online Stores

Is your online store receiving suspicious orders with fake addresses? Are hundreds of spam accounts registering every day? Is your payment page being bombarded by credit card testers? You're not alone. Since 2018, MonSiteBug has handled 261 interventions related to bots, spam, and credit card testing fraud on PrestaShop, WooCommerce, and Magento stores.

This article is an exclusive study based on our real production data. No theory: hard numbers from our 8,809 support tickets and concrete cases handled by our team. And the trend is alarming: the phenomenon has been exploding since 2024.

The trend is explosive: 2019-2026

Bot and spam-related intervention requests have seen spectacular growth in recent years, with a true explosion starting in 2024:

2024-2026 alert: The number of bot/spam interventions literally doubled between 2023 and 2024 (37 to 60, a +67% increase). In 2025, the trend remained at peak level with 57 interventions. And in 2026, with 15 interventions in Q1 alone, we're on pace for an annual rate equal to or exceeding previous years. Bots have become the #1 threat to online stores.

The 6 types of bot attacks

Across our 261 interventions, we've identified 6 major categories of automated attacks:

1. Order spam

Bots place dozens or even hundreds of fake orders with fictitious addresses (often Russian, Chinese, or randomly generated). The goal: overwhelm the back-office, test payment processes, or simply cause harm. Your stock can be skewed, your statistics polluted, and your time wasted sorting real orders from fake ones.

2. Credit card testers

The most financially dangerous threat. Fraudsters use bots to test thousands of stolen card numbers on your payment page. Each attempt generates transaction fees from your payment provider (Stripe, PayPal). Result: your account can be suspended by your bank or PSP due to an excessively high fraud rate.

3. Registration spam

Bots create hundreds of fake customer accounts per day. They bloat your database, distort your marketing metrics, and can be used to send spam from your site. Some hosts blacklist your domain when registration confirmation emails are flagged as spam by Hotmail, Gmail, or Yahoo.

4. Contact form spam

Your contact form receives dozens of messages per day containing links to dubious sites, SEO offers, or illicit content. Beyond being annoying, this can lead to your mail server being blacklisted.

5. SEO bots and scraping

Robots crawl your site to copy your product listings, prices, and descriptions. Others generate artificial traffic that skews your Google Analytics data and your marketing decisions based on that data.

6. Analytics pollution

Ghost bots appear in Google Analytics with fictitious traffic sources ("referral spam"). Your bounce rate climbs artificially, your conversion data is distorted, and you make marketing decisions based on wrong numbers.

Real cases from our tickets

Case #1 — Order spam (Ticket #184, 2019)

Original title: "Spam sur commande"

One of the very first cases in our history. A PrestaShop merchant was receiving dozens of fake daily orders with disposable email addresses. The back-office had become unusable — impossible to distinguish real orders from fake ones. Our intervention: implemented anti-bot validation rules on the checkout funnel and IP geolocation filtering.

Case #2 — Email blacklist due to bots (Ticket #1582, 2021)

Original title: "black list HOTMAIL, GMAIL, YAHOO à cause boots spam sature inscription clients"

This case perfectly illustrates the cascading effect of bots. Hundreds of fake accounts were created daily, triggering just as many confirmation emails. Hotmail, Gmail, and Yahoo ended up blacklisting the merchant's entire domain. Result: even real customers stopped receiving order confirmation emails. Our intervention: blacklist removal, CAPTCHA implementation on the registration form, and DKIM/SPF/DMARC configuration.

Case #3 — Store fraud (Ticket #3217, 2022)

Original title: "Fraude sur mon site LA BOUTIQUE DES ESSAYEUSES"

A typical credit card testing case. The merchant noticed dozens of failed payment attempts daily, with varying amounts. Fraudsters were testing the validity of stolen cards by attempting small purchases. The payment provider was threatening to terminate the contract due to an abnormally high fraud rate.

Case #4 — CAPTCHA error (Ticket #4180, 2022)

Original title: "ERREUR CAPTCHA - OUTFITBOOK"

A misconfigured CAPTCHA was blocking real customers instead of bots. The merchant had tried to install an anti-spam module themselves, but the CAPTCHA was causing errors in the checkout flow. Result: direct revenue loss. We replaced it with an invisible reCAPTCHA v3 that protects without impacting the shopping experience.

Case #5 — Repeat CB testers (Ticket #8742, 2026)

Original title: "testeur CB - 3ème éditions !"

The title says it all: this is the third time this merchant has suffered a credit card testing attack. Fraudsters come back with new IPs, new patterns, and bypass the protections in place. This case illustrates the increasing sophistication of bots in 2026 and the need for multi-layered protection.

Case #6 — Analytics pollution by bots (Ticket #8743, 2026)

Original title: "Correction tracking GA4 / GTM (Pollution par des bots)"

The merchant was seeing completely inconsistent Google Analytics data: thousands of 0-second sessions, 95% bounce rates, ghost traffic sources. Their marketing decisions were based on wrong numbers. We implemented server-side filtering and exclusion rules in GA4.

Case #7 — Spammer registrations (Ticket #1226, 2020)

Original title: "Inscription de spameurs sur notre site"

Hundreds of accounts created with Russian email addresses and randomly generated names. The customer database was polluted, newsletters were being sent to non-existent addresses, and the email bounce rate was skyrocketing.

Case #8 — CAPTCHA implementation (Ticket #8652, 2026)

Original title: "Mettre en place un Captcha"

More and more merchants are proactively asking us to install a CAPTCHA, aware of the threat. This is a positive sign: awareness is growing.

Solutions we deploy

Every store is different, but here are the proven solutions we've been implementing for 8 years:

reCAPTCHA v3 (invisible)

Unlike reCAPTCHA v2 ("I'm not a robot"), v3 is completely invisible to the user. It assigns a risk score to each visitor (0 = bot, 1 = human) and silently blocks bots without impacting the shopping experience. It's our first line of defense.

Cloudflare (WAF + Bot Management)

Cloudflare acts as a shield in front of your site. Its Web Application Firewall blocks malicious requests before they reach your server. The Bot Management module identifies and blocks sophisticated bots using machine learning. Bonus: it also improves your site's performance.

Honeypot fields

An invisible field added to forms. Humans don't see it and don't fill it in. Bots automatically fill in all fields. If the honeypot is filled, the submission is silently rejected. Simple, effective, zero UX impact.

Rate limiting

Limiting the number of submissions per IP per time period. A human doesn't submit 50 contact forms in 1 minute. If an IP exceeds the threshold, it's temporarily blocked. Essential against CB testers bombarding the payment page.

Custom anti-bot scripts

For the most stubborn cases, we develop custom scripts that analyze visitor behavior: typing speed, mouse movements, time spent on page. A bot fills a form in 200ms — a human takes at least a few seconds.

Geographic blocking

When attacks come massively from certain countries (often Russia, China, some Southeast Asian countries), IP geolocation blocking can drastically reduce attack volume. Use with caution if you have international customers.

Our approach: multi-layered protection

No single solution is enough. Modern bots bypass CAPTCHAs, change IPs, and mimic human behavior. That's why we apply a defense-in-depth strategy:

Key point: Merchants with only a CAPTCHA are vulnerable. Those combining 3 to 4 layers of protection see their spam volume drop by 95% or more.

Anti-bot checklist for your store

Check these points right now — every unchecked box is an open door for bots:

• reCAPTCHA v3 on all forms — Registration, contact, comments, and especially the checkout funnel.
• Honeypot fields — On every form, an invisible field that traps basic bots.
• Rate limiting on the payment page — Maximum 5 attempts per IP per hour. Beyond that, temporary block.
• 3D Secure enabled — Additional bank verification that blocks 99% of CB testers.
• Cloudflare or equivalent WAF — First line of defense against known bots.
• Email validation — Format verification + email confirmation before account activation.
• SPF/DKIM/DMARC configured — To prevent your legitimate emails from ending up in spam.
• Registration monitoring — Alert if more than X registrations per hour (abnormal threshold).
• Google Analytics filtering — Known bot exclusion + referral spam filter.
• Regular updates — CMS, modules and plugins up to date to prevent vulnerabilities exploited by bots.

Our bot & spam numbers at a glance

Why trust us with your store's protection?

Since 2018, we've protected hundreds of online stores against bots, spam, and fraud. Our expertise is forged in the field — 261 real interventions, not theory.

What sets us apart:

• 261 bot/spam interventions — unmatched field expertise
• Multi-layered protection — no single solution, a complete strategy tailored to your store
• Fast response — action within hours of your request, essential when CB testers are costing you money every minute
• Zero UX impact — our solutions protect without inconveniencing your real customers
• Multi-CMS expertise — PrestaShop, WooCommerce, Magento, WordPress...
• Post-intervention follow-up — we verify that protections hold over time