You could take these type of orders as "pending" then require a SMS code to access the final payment page. Adding an extra step like this might discourage the attacker if their goal is not attacking you specifically. They will move on to another easier target.