Carding via bill payment systems (utility bills, taxes, fines)

Good Carder

From carder to carders. Classic carding is a war against 3DS, BIN filtering, and AI anti-fraud. But there's a quiet corner where protection is virtually nonexistent. Paying utility bills, taxes, and fines. Why? Because the payment gateways that process these transactions are under less regulatory pressure. They're required to accept payments quickly and without unnecessary obstacles. Who would complain if someone's electricity bill was suddenly paid by a stranger? No one. The victim won't notice the charge, and even if they do, they're unlikely to investigate who paid their debts.

In this article, I'll examine why bills and fines are ideal targets, how to exploit the low detection thresholds of these transactions, schemes involving refunds from "grateful" payers, phishing, and fake QR codes for mass CVV collection, as well as real-life cases from Bahrain, Italy, and Russia. The main advantage: such payments are almost never checked for 3DS, AVS, or even CVV, and for large transactions, you can receive a refund from the real payer "for the service" - and withdraw the money clean.


Part 1. Why Paying Bills Is the Ideal Target

1.1. Low detection threshold

Utility bills, taxes, and fines are processed by payment gateways (PagoPa, EWA, government portals) focused on speed and accessibility. 3DS is often disabled, CVV is verified perfunctorily, and AVS is not used. A 2026 study notes that utility bills have a higher fraud rate than most other document categories, precisely because verification systems treat them as auxiliary rather than primary documents and pay less attention to them.

Statistics from 2026: Utility bills exhibit a fraud rate of 4-7%, comparable to bank statements and tax forms. Fraudsters specifically target weaknesses in verification processes rather than the documents themselves. Moreover, the share of documents containing both identity and financial manipulation increased from 40% in 2024 to 60% in 2025. This confirms that fraudsters have moved from one-off fakes to creating complete fraud packages.

1.2. Victim Psychology

If a cardholder sees a charge from the "electric company," they rarely dispute it. First, they might not remember paying the bill. Second, even if they notice, they'll assume it was their own transaction. Third, the amount is often small ($50–$200). The risk of a chargeback is minimal.

1.3. Lack of physical goods

Unlike card theft for electronics, paying a bill leaves no trace. You don't order delivery or leave a drop-off address. The transaction occurs between you and the government agency or utility company — and is nearly impossible to trace back to you.

1.4. Possibility of refund from the payer

The most intriguing scheme: you pay someone else's bill (for example, electricity) with a stolen card, then contact the account holder and offer to return the money "with a fee." The owner, upon learning that their debt has been repaid, willingly transfers 50-70% of the amount to a drop account (or in cryptocurrency). You receive the cleared funds, and the victim (the cardholder) is left with a loss. They can dispute the transaction, but the bank will handle the matter with the utility company, not you. More on this scheme in Part 4.

Part 2. Vulnerabilities of Payment Systems: The Case of EWA (Bahrain)

In 2026, a high-profile case broke in Bahrain, demonstrating how easy it is to cash out money by paying utility bills.

The scheme involved two men approaching residents, posing as document service employees, and offering to pay their electricity and water bills at a reduced rate. The victims gave them access to their Electricity and Water Authority (EWA) accounts. The fraudsters used stolen bank cards to pay these bills through an online portal. The victims transferred cash (supposedly at a discount), and the fraudsters kept the money for themselves.

The numbers and consequences: 12 transactions totaling 1,854 Bahraini dinars (approximately $4,900). The convicted men received three years in prison and a fine of 1,000 dinars ($2,650). The payment processor supporting the EWA portal flagged the transactions as suspicious after the card issuers requested refunds. Cardholders disputed the charges, claiming they never made the payments.

The takeaway for carders: the fewer transactions per card, the lower the risk of detection. The system flags transactions not immediately, but after receiving a letter from the issuing bank. You have a window — from several days to a week — to complete the transaction. In this scheme, the fraudsters used social engineering to gain access to accounts, but it's possible to avoid it by simply paying bills directly, knowing the account number or payer ID.

In another similar case (also in Bahrain, 2026), two expats used stolen bank cards to pay electricity and water bills totaling 1,854 dinars through a government online portal, completing 12 fraudulent online transactions. Both were sentenced to three years in prison and a fine of 1,000 dinars. This confirms that even relatively small transactions can go unnoticed if precautions are not taken.

Part 3. Phishing through fake receipts and QR codes

The most common way to collect CVV is not by stealing cards, but by creating counterfeit payment documents.

3.1. Fake utility bills

In Russia, fraudsters are placing fake utility bills in mailboxes. The bills contain the fraudsters' account details, not those of the management company. When paying with such a document, the money is transferred to the fraudsters' account. Experts from the Higher School of Economics warn that fraudsters are using ready-made automated website cloning tools to quickly create phishing sites — clones of official management company or homeowners' association (HOA) websites.

In some regions, fraudsters are adding QR codes to the fake bills. When scanned, the victim is redirected to a phishing page where they enter their card details. Funds are debited to controlled accounts, but no actual payment is made. According to the Ministry of Internal Affairs, fraudsters are also using a scheme involving non-existent utility debts, which are then offered for payment using fake QR codes. Clicking on the QR code can lead to pages with phishing content, leading to a personal data leak.

3.2. Fake tax and fine portals

In Italy, four fraudsters pulled off a sophisticated scheme: they called victims posing as bank security officers (spoofing their numbers), extracted the last four digits of their card and OTP codes, and then used the proceeds to pay their own tax arrears and utility bills through the payment aggregator PagoPa. The victim lost €3,500. The money wasn't transferred to foreign accounts or converted into cryptocurrency; it was used to pay off the fraudsters' own tax and energy debts.

Phishing campaigns targeting traffic fines have been reported in Canada and Greece. The fraudsters send SMS messages demanding payment of a nonexistent fine (for example, €6.99 in Greece). The link leads to a fake portal mimicking the official government website, with provincial logos and official design. The victim enters their card details, and they are transferred to the fraudsters. In India, fraudsters send SMS messages threatening legal action unless fictitious e-Challan fines are paid. The portal accepts any vehicle registration number and generates a realistic fine (~590 rupees) to create the illusion of legitimacy, then steals card details.

The principle is the same: the victim comes to you with the money. You don't search for the card or steal the CVV — you create a situation in which the person voluntarily enters their payment details.

3.3. Automated Phishing Infrastructure

In Canada, fraudsters are using SEO poisoning to ensure their fake fine payment portals appear at the top of search results. They have deployed over 70 malicious domains on a single IP address, mimicking government websites from British Columbia, Ontario, and Quebec. The phishing kit includes a "waiting room" that creates the illusion of processing the request before collecting payment data. In India, e-Challan phishing portals use SMS messages from local Indian numbers (Reliance Jio), and the websites themselves clone the branding of the Ministry of Road Transport and Highways (MoRTH). Over 36 phishing domains are linked to the same IP addresses, indicating a large, centrally controlled infrastructure.

Part 4. Refund scheme from a "grateful" payer

This method converts a stolen card into cash, bypassing P2P exchanges and crypto ATMs.

The algorithm:
  1. Find a debtor. Look for people with overdue utility bills, taxes, or fines. There are many of them. You can parse forums, self-help groups, message boards, or simply pick a random bill and pay it (it's a mistake, but it will work).
  2. Pay their debt with the stolen card. Use a non-3DS card with a balance equal to the amount owed.
  3. Contact the debtor (by phone, email, or social media). Let them know you've paid their bill. Come up with a cover story: "I dialed the wrong number," "A charity," or "Returning an erroneous transfer."
  4. Offer to return the money with a commission (20-40% of the amount). The debtor, having received the "gift," will happily transfer cash to your drop account or cryptocurrency.

Why it works: The debtor doesn't know the bill was paid with a stolen card. They only see that their debt is paid. They transfer the money to you with a clear conscience. You receive the cash. The owner of the stolen card disputes the transaction, but the bank will deal with the utility company, not you. You're already out of the game.

A real-life example from Italy: four people used stolen data to pay their own tax and energy debts, causing the victim €3,500 in losses. The money wasn't withdrawn to foreign accounts or cryptocurrency, but rather used directly to pay off the fraudsters' tax and energy debts. This illustrates how paying someone else's bills can serve as a cash-out method.

Part 5. OPSEC for bill payment carding

  1. Don't use one card for mass payments. Even if the system doesn't block transactions, the issuing bank may become suspicious after 5-10 payments per day. Limit payments to 2-3 per card.
  2. Rotate your BINs. Utility bills and taxes rarely block BINs, but if you use the same range to pay hundreds of bills, it will be blacklisted. Rotate your BIN every 50-100 transactions.
  3. Use proxies that match the biller's region. If you pay your electricity bill in New York State, the IP address should be from New York. A geolocation mismatch is one of the few red flags that can raise suspicion.
  4. Minimize the amount. 80% of your payments should be between $50 and $200. Large amounts ($500+) attract attention.
  5. Use only virtual cards (VCCs) for phishing receipts. If the victim disputes the payment, the VCC can be closed. Don't risk your main card pool.

Part 6. Risks and how to minimize them

6.1. Card blocking based on the number of transactions

The bank may block the card if it detects unusual activity (for example, 20 payments per day to different utility companies). This can be avoided by using different cards for each payer.
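From the gateway's side, the two signals this post keeps circling back to (Part 5 and 6.1) are card velocity across distinct biller accounts and a payer IP region that does not match the biller's service region. The following is an added example written for this edit, not code from the original post or from any gateway; it runs two such rules over a constructed set of bill-payment records (the field layout and thresholds are assumptions for illustration):

```python
# Added example (not from the original post): gateway-side velocity and
# geo-consistency checks over constructed bill-payment transaction records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per payment:
# (timestamp, card_token, biller_account, biller_region, payer_ip_region, amount)
SAMPLE_TXNS = [
    ("2026-03-01T02:10:00", "card_A", "ELEC-1001",  "NY", "NY", 120.0),
    ("2026-03-01T02:12:00", "card_A", "WATER-2002", "NY", "NY",  80.0),
    ("2026-03-01T02:15:00", "card_A", "GAS-3003",   "NY", "NY",  95.0),
    ("2026-03-01T02:20:00", "card_A", "TAX-4004",   "NY", "NY", 150.0),
    ("2026-03-01T03:00:00", "card_B", "ELEC-5005",  "TX", "DE",  60.0),
    ("2026-03-02T09:00:00", "card_C", "ELEC-1001",  "NY", "NY", 120.0),
]

def parse(records):
    """Turn raw tuples into dicts sorted by timestamp."""
    out = []
    for ts, card, acct, biller_region, ip_region, amount in records:
        out.append({"ts": datetime.fromisoformat(ts), "card": card, "acct": acct,
                    "biller_region": biller_region, "ip_region": ip_region,
                    "amount": amount})
    return sorted(out, key=lambda r: r["ts"])

def flag_transactions(records, max_distinct_accounts=3, window=timedelta(hours=24)):
    """Return {card_token: [reasons]} for every card that trips a rule.

    Rule 1 (velocity): one card funding more than `max_distinct_accounts`
      distinct biller accounts inside `window`. A genuine payer settles a
      handful of their own accounts; one card spraying unrelated accounts is
      the pattern described in 6.1.
    Rule 2 (geo mismatch): payer IP region differs from the biller's region.
    """
    txns = parse(records)
    reasons = defaultdict(list)
    per_card = defaultdict(list)
    for t in txns:
        if t["ip_region"] != t["biller_region"]:
            reasons[t["card"]].append(
                f"geo_mismatch:{t['acct']}:{t['ip_region']}!={t['biller_region']}")
        per_card[t["card"]].append(t)
    hours = int(window.total_seconds() // 3600)
    for card, ts in per_card.items():
        # Sliding window over this card's payments, counting distinct accounts.
        for i, start in enumerate(ts):
            accts = {x["acct"] for x in ts[i:] if x["ts"] - start["ts"] <= window}
            if len(accts) > max_distinct_accounts:
                reasons[card].append(f"velocity:{len(accts)}_accounts_in_{hours}h")
                break
    return dict(reasons)

if __name__ == "__main__":
    for card, why in flag_transactions(SAMPLE_TXNS).items():
        print(card, why)
```

On the sample data, card_A trips the velocity rule (four distinct accounts in ten minutes), card_B trips the geo rule, and card_C, a single payment to its own account from a matching region, is left alone.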

6.2. Requesting documents from the payment gateway

For large amounts ($1,000+ per card), the gateway may request identification. Only use drop cards with clean documents for such transactions.

6.3. The victim disputes the payment

If the cardholder notices the charge and initiates a chargeback, the money will be returned to them, and you'll still owe the utility company. However, the company won't be able to locate you — they don't have your information. The only risk is that if you used a phishing receipt and the victim contacts the police, they might find your IP address and the drop account.

Solution: use a VPN and temporary wallets for withdrawals.

6.4. Criminal prosecution

As the Bahrain case demonstrated, authorities can identify fraudsters if they have physical contact with victims (as with "paperwork representatives"). If you work entirely remotely (paying bills without meeting with the payers), the risk of arrest is significantly lower.

Part 7. Checklist for carding via bill payment

  • Select your purpose: utility bills (electricity, water, gas), taxes, traffic fines, court fees. Look for payment portals with low security (no 3DS, captcha, or verification).
  • Recover a stolen non-3DS card with a balance matching the account amount.
  • Pay your bill through the online portal (preferably at night or on weekends when the risk of an audit is minimal).
  • Contact the payer (if you work under the return scheme) and receive cash or cryptocurrency to the drop account.
  • For phishing receipts: create a fake payment order (can be generated using AI tools) or copy an official form, replacing the details with your own.
  • Distribute receipts through mailboxes, QR codes in entryways, and SMS messaging.
  • Collect money from victims who pay a fake invoice.
  • Cover your tracks: destroy receipt templates, change proxies, close VCC.

Summary

Utility bills, taxes, and fines are an underestimated niche in carding. 3DS is almost never required. Chargebacks are rare. Victim psychology plays into their hands: people don't expect anyone else to pay their debts and don't check their statements. And if they do notice a charge, they'll assume it was their own.

A case from Bahrain shows that even with social engineering, the scheme works. A case from Italy demonstrates how paying someone else's taxes and bills can serve as a direct method of cashing out. Phishing receipts and fake QR codes make it possible to collect CVVs by the thousands without having direct contact with the victim.

The main risks are card blocking based on frequency and criminal prosecution for physical contact with victims. Remain completely remote, don't exceed limits, and use disposable cards.

A quick one-line reminder:
"Utility bills and taxes are ideal targets. There's no 3DS. Chargebacks are almost nonexistent. You pay someone else's debt with a stolen card and receive 70% of the amount from the 'grateful' payer in a drop account. The risk is minimal if you're not greedy and don't make personal contact. Phishing receipts and QR codes collect CVVs by the thousands — the victims bring the money themselves."

Social engineering and deception scripts

The most effective method of mass fraud is a combination of social engineering and automation. Fraudsters use scripts that automatically call thousands of potential victims and, by manipulating their emotions, trick them into giving up card details or forcing them to transfer money.

In 2026, fraudsters are actively combining automation with traditional social engineering, making attacks fast, scalable, and difficult to detect. The script continuously dials numbers one after another, without any human intervention at the initial stage.

Here's a call script from a "utility service":
"Hello, this is your management company's debt collection department. You are $50 overdue on your electricity bill. If you don't pay within an hour, a fine will be assessed and your service will be suspended. For prompt payment, please provide your card number and CVV code."

The victim, afraid of a power outage, dictates the details, and within a minute the money is in the fraudster's account.

The methods used to make the calls include Caller ID spoofing, where the victim's screen displays the official number of a government agency or property management company. Telephone fraudsters often use phone number spoofing to trick the recipient into believing the call is coming from a different number than their real one. In 2026, fraudsters also used Telegram bots, which can initiate calls and extract certain information from the victim (OTP codes, CVV) using a pre-set script.

Carder advice: use data from leaked databases to build credibility. If you know the exact amount and date of the victim's last payment, your credibility will increase exponentially. "Ivan Petrovich, you paid $50 on May 15th. Now you owe $30" — this specificity breaks down their psychological defenses.

Technical methods and bypassing protection

Finding payment portals with poor security

Your task is to find websites where 3DS is disabled or can be bypassed through a low-value exemption. Candidates:
  • Portals for paying traffic fines (many regional portals have weak security).
  • Small town utility payment websites often use custom solutions rather than Stripe/Adyen.
  • Court fee payment portals - government portals rarely implement 3DS.

Search via Google Dorks

Bash:
inurl:pay "utility bill" "credit card" -3ds
inurl:payment "traffic fine" "card payment"
site:gov.* "pay online" "bill" "card number"

Automation of mass payments

For large transactions, use Python scripts with the requests library or curl_cffi to spoof the TLS fingerprint. The main limitation is to not send more than 10-20 requests per hour from one card to avoid triggering fraud scoring. For API payments, use proxy rotation (residential IPs, fraud score <20). The fewer requests from one card, the safer.

Transaction masking

Use RedotPay virtual cards with a custom descriptor (e.g., "COMMUNICATIVE SERVICE"). The victim will see a familiar utility company name on their statement and won't suspect anything. Never use Netflix, Amazon, or Starbucks to pay bills — a discrepancy in the MCC will raise questions from the bank.