All categories

8 ways scammers can steal your bank card details without you noticing

Marijus Plančiūnas, Head of Paysera Information Systems
My card is safely sitting in my wallet but someone else is using it to pay online. This is not a trailer for a film about stolen identity. This is an increasingly common type of crime. It only takes a little carelessness, being in the wrong place at the wrong time, and your card details can end up in the hands of fraudsters without you even knowing it.

Phishing emails and 'calls from the bank'

Classics are classics. They never go out of style. Just like the classic types of fraud such as emails from a 'bank', emails from a 'public authority' (e.g. STI, FCIS), or calls from a 'bank manager'. Their aim is to obtain card details by creating a convincing story that something is wrong with the person's account (e.g. 'black' money has been discovered) or card ('will be blocked'), and to resolve the problem, they ask you to log in to the account, provide the card details, and so on. To prevent the victim from realising that they are being scammed, they usually try to convince the victim to act as quickly as possible. This has been and continues to be one of the most popular forms of financial fraud.

To make the phishing email look more convincing, scammers may use your actual data from previous data theft. For example, customer data such as payment card type, expiry date, and the last four digits of the card number could have been stolen from a car rental platform. This data on its own would not be enough to use the card, but it can be used to convince you of the authenticity of an email – for example, to trick you into believing that your bank is writing to you, the card details can look quite real.

SMS: "Your card is blocked. To unblock it, please click here"

Smishing is similar to email phishing, except that instead of an email, they try to collect card or login details via SMS. Modern technology allows fraudsters to use any name to send an SMS, which makes SMS phishing a rather convincing scam. So, if you have received a birthday greeting from your real bank in the past, and the scammer generates a similar bank name (let's say the name is 'Good Bank Ltd'), the scammer's message on your smartphone will go into the same message thread as the greeting you once received from 'Good Bank Ltd'.

Malware and spyware

Phishing – i.e. collecting login or card details – can be accompanied by the additional step of tracking the device using spyware. For example, a keylogger can be used to spy on your keyboard, which tells fraudsters what you type on your keyboard. This also includes card details you enter in online shops.

So, if you receive a link on a messaging platform or by email containing an interesting text ("Hey, have you seen this one????"), by clicking on the link you may unknowingly 'unwrap' a 'gift' sent to you by a scammer.

Unsafe or malicious e-shops

During the Covid-19 pandemic, e-commerce grew several times over, but have smaller e-shops become more focused on cybersecurity to ensure safety?

Scammers find such shops to be easy prey. By hacking into an insecure e-shop, hackers can obtain personal data (which is then used for phishing) or payment data used for payment transactions. Sometimes, attractive but fake e-shops are explicitly created to collect data, with the main function of stealing your data. They may not be able to complete the order (i.e. the money will not be charged) because their purpose is only to collect personal data which will then be used for phishing.

Hacking cash register systems

Financial fraudsters target locations where payment data travels from one point to another, which is why computerised point-of-sale (POS) systems are a common target for hackers worldwide. On top of that, card data can be accessed by attaching a special device to the payment device.

Man-in-the-middle (MITM) theft of card data via public Wi-Fi

Hackers use publicly accessible wireless internet stations to launch man-in-the-middle (MITM) attacks. By tracking the traffic between your device and the internet, hackers fish for card data. However, with Let's Encrypt and HTTPS, this method of extracting card data is becoming more complicated and less popular for hackers.

"Mum, I bought some armour for an online game"

We usually feel safe at home. The walls of our home may protect us from strangers, but not always from the people who live in the same house... Unfortunately, we come across cases where unfamiliar card payments end up being made by people we know or even family members living in the same place. The good news is that if it turns out that a purchase you don't recognise, such as magic armour on a gaming platform, has been made by your son or daughter, you won't have to replace your card. But the gaming enthusiast is likely to be facing a few days without a computer and smart devices.