Scam Alert: Criminals Are Stealing Cards Without Touching Your Wallet
Two scams have jumped out at me this month, and both are worth five minutes of your attention. One of them barely existed a year ago and it's now near the top of the fraud figures. The other has been running quietly for a while and it's still catching people out because it sounds so ordinary.
Neither of these is the sort of scam where you can spot a dodgy email a mile off. That's the point. They work on people who are careful.
1. Your Card, Added to a Stranger's Phone
This one worried me the moment I read about it. UK Finance flagged digital wallet fraud in their 2026 annual report as the second biggest source of card losses. Santander said it was their second biggest card fraud type last year, and HSBC has seen cases climbing for eighteen months. Which? put it near the top of their most convincing scams of 2026. So this isn't a fringe thing.
Here's how it goes. It starts with a text or email you weren't expecting: a parcel that needs a small redelivery fee, or an alert that looks like it's from your bank. You tap the link, you land on a site that looks right, and you type in your card number. Then it asks for the one-time code your bank has just texted you. You enter that too.
That code was the whole game. With your card details and that single passcode, the criminal adds your card to Apple Pay or Google Pay on their own phone. Now they can pay with a tap, anywhere contactless is accepted, and there's no £100 limit like there is on a physical card. Digital wallets don't cap the amount. They can spend, and spend, and spend.
The nasty part: cancelling the card doesn't always fix it. Banks use something called Automatic Billing Updater so your saved card details refresh automatically when you get a new number. Some fraudsters ride that. The new card lands on their device too, and the spending carries on.
So what do you actually do? Treat a one-time code from your bank exactly like your PIN. You would never read your PIN out to anyone, and you should never type an OTP into a website you reached from a text or email. If a code turns up on your phone and you didn't ask for one, that's a warning sign in itself. Someone may be trying to add your card right then. Ring your bank on the number from your card and tell them.
Turn on transaction alerts too, if you haven't. Getting a ping the second money leaves your account is the fastest way to catch this early.
2. The Mobile Upgrade That Leaves You With the Bill
Action Fraud has a dedicated warning out on this one, which tells you how common it's become. You can read it straight from them at actionfraud.police.uk/upgradescam.
The call sounds completely normal. Someone rings claiming to be from EE, O2, Vodafone, Three or Lebara. You're due an early upgrade, they say, or there's a cracking deal on a new contract. To sort it out, they need to confirm a few things: your account login, your address, your bank details. It all sounds like the sort of admin a phone company would do.
Then they hang up and use those details to log into your real account and order an expensive handset in your name, sent to your address. When it turns up, you get a second call, or a knock at the door. Wrong phone, they say, dispatch error, our courier will come and collect it. Or hand it back at this address instead. You do the decent thing and give it back.
You gave it back to them. The real network never sees it. You're left holding a contract for a phone that's now in a criminal's pocket.
The rule here is simple. Your network will not ring you out of the blue to offer an upgrade. If you're genuinely due one, you'll see it when you log into your own account. Never give login details or bank details to someone who rang you, however smooth and official they sound. And if a phone shows up that you didn't order, do not hand it to anyone who comes to collect it. Ring your network on the number from your bill or their real website and let them deal with it.
If it's already happened
If you've handed over a code, typed your card into a dodgy site, or given your details to an upgrade caller, act now rather than tomorrow.
- Ring your bank straight away. Use the number on the back of your card. Most UK banks have a 24/7 fraud line. Tell them exactly what happened.
- Ask them to check for digital wallet tokens. This is the bit people miss. Ask the fraud team whether any "tokens" have been set up against your card on Apple Pay or Google Pay, and get any you don't recognise wiped. Otherwise a new card can just inherit the problem.
- Contact your mobile provider if it was the upgrade scam, so they can flag your account before any handset gets ordered or a return goes to the wrong place.
- Change the password on any account you gave details for, and your email password first, since that's the one that unlocks everything else.
How to report
- Scam text → forward to
7726 - Scam email → forward to
report@phishing.gov.uk - Scam website → report at ncsc.gov.uk
- Fraud of any kind → Action Fraud on
0300 123 2040or actionfraud.police.uk
Reporting takes a couple of minutes and it does something. The scam filters on the mobile networks and the reporting services all work off volume, so every report you send makes the next fake site or number a bit quicker to shut down.
If any of this rings a bell, it's worth reading how I keep a machine safe for online banking and how to tell a real virus warning from a fake one, since the same phishing links that steal card codes often try to drop something nasty on your PC at the same time. And if you think a scammer has been near your computer, I handle virus and malware removal in St Helens and can make sure nothing got left behind.
Mark has been fixing computers since the late '90s and went self-employed in 2008. Based in St Helens since 2013, he works evenings and weekends from his home in Laffak — friendly, affordable repairs for PCs, laptops, and Macs. See reviews on Google
Think you've been scammed? Or had someone on your PC?
If you've let someone remote in, installed dodgy software, or just want your PC checked over — get in touch and I'll have a proper look.
★★★★★"Absolutely fantastic service from Local Computer Guy, I was unable to help my grandparents with their computer issues after an unfortunate issue with a scammer and potential virus being installed on their machine. After a quick call I knew they were in good hands. Arrived on time and quickly wiped the machine and made it safe, also helped investigate what had happened and helped my grandparents get using their computer again."
— Joe Gempton, via Google