Payment form abuse is a strange beast. Why would someone show up at my website and use my payment for to make little tiny payments of $0.50-$0.70? It is just strange. Customers I never heard of making these tiny payments. What is up with that?
I'll tell you what is up with that. What you aren't seeing is the other end of that where there are many, many failed transactions for the same amounts on cards that have been denied.
Why would a customer show up and make those payments? The reason is simple. They have a list of stolen credit cards and they need to sell them. In order to sell them, they must determine which ones are valid and which ones have been cancelled or already filled to their limit. They are using your site to test these stolen cards. One of these little tiny charges of $0.50 is likely to cost you more than two or three hours of your time as you work with your credit card company to defend yourself against the chargeback that will be soon follow when the stolen credit card is used to buy major items. That spending spree will be initialed by a charge to your company and for that little tiny charge, you will get a $35-$50 chargeback fee. That is right, that is a stolen card, being used on your site and it will cost you a chargeback!
When one of these charges shows up, void (best) or issue a refund (ok) right away! Don't try to figure out what happened or why you are $0.50 richer... just get rid of it before it is discovered on a statement and ends up in a chargeback.
So, how do you avoid these fake charges? First, make sure that you don't have an open payment page on your website, if that is possible. In other words, make customers login to their account before they pay. If that isn't possible, and for my business it simply isn't, then make sure the site is protected against bots by using reCAPTCHA to get rid of them.
That is the first line of defense. The second line is the person who monitors the payments. If they see these payments coming in, shut down the payment page on your website. This will cause them to go elsewhere very quickly. You can always bring it up later. They don't usually come back if you are quick to block them. Block their IPs in your website firewall to keep them from coming back. They use a lot of IPs so this isn't always a valid way to get rid of them.
Always refund these payments as soon as they are discovered.
What about contacting the police or the FBI? Not really helpful. The criminals are in different countries, outside of your local police's jurisdiction and the FBI isn't going to worry about a $0.50 charge to your website. They are aware of these scams and there isn't much that can be done to investigate them. What about the credit card company? Nope, no help there either. What about the customer on the card? Maybe we should contact them? While that is nice, how do we contact them? The email used will not be there and they don't give us a phone number. Then all we do is alert them that OUR COMPANY made a fake charge on their card!!!
If anyone ever finds a government agency that is willing to allow us to report these type of crimes, I'm happy to do so, but right now, we simply don't have anyone we can go to for small only fraud.
As a small business, we just need to be aware that this might happen and react to it as quickly as possible. Your payment person should know to monitor the payment email account and be ready to react if something happens.