How fraudsters could steal your card without it ever leaving your wallet

'Digital pickpockets' using Apple and Google Pay for limitless spending

Digital wallet scams are on the rise, with fraudsters stealing card details to set up a digital wallet (such as Apple Pay or Google Pay) on their own devices. This can happen even if you have never set up a digital wallet yourself.

The level of fraudulent transactions is causing major losses for banks, with a December 2024 report shared with Which? by the Cyber Defence Alliance revealing that some individual banks have reported losses of £2m to £6m in one year.

We found many banks continue to use one-time passcodes when setting up digital wallets, even though industry body UK Finance has warned they're being abused by fraudsters. 

Victims are almost always reimbursed for unauthorised payments on fraudulent digital wallets, with the bank absorbing the cost. 

Ultimately, these losses will likely be passed on to all of us through higher interest rates on mortgages and loans, less generous account perks and lower interest on savings.


How the scam works

A digital wallet is set up when you add your card details to a service such as Apple Pay, Google Wallet or Samsung Pay on your phone. This allows your phone or a connected wearable device to be used to pay at contactless payment terminals. 

Digital wallets can be very convenient and have security advantages compared to paying by card: namely, that you have to authorise every payment with your fingerprint or face.

But as you don't need a physical card to add a card to a digital wallet, fraudsters could steal your card details and set up a digital wallet on their own phone. 

They can then use this to spend your money online or in physical stores. Unlike physical contactless cards, which are typically limited to £100 per transaction, digital wallets have no arbitrary spending limit, making it easier for criminals to make large purchases.

Digital wallet fraud can occur during a takeover of an entire bank account, but another common method involves tricking you into giving up your debit or credit card details.

This often starts with a fake ad for a product or a phishing text or email, such as a bogus parcel delivery message. When you click the link, you are taken to a fake website that prompts you to enter your card details to complete a transaction.

The scammer monitors the website in real time. Once you submit your personal and card information, they receive it and use it to set up a digital wallet immediately. 

As part of the setup, banks and providers must verify that you want to add your card to a digital wallet, and many send a one-time passcode (OTP) via text or email. The scammer's fake website will then ask for this code, claiming it's needed to authorise the payment you thought you were making. 

In reality, the fraudster uses the OTP to complete the digital wallet setup on their own device. Once the digital wallet is set up, the fraudster can spend money from your account. You might not even know it has happened unless your bank notifies you, and research shows that some providers do not.

How a digital wallet scam unfolds


The passcode problem

While digital wallet companies such as Apple and Google state they provide card issuers with information on potential fraudulent activity, they say that the card issuer is ultimately responsible for approving or rejecting transactions and adding cards to wallets. 

Unfortunately, the security processes of many banks have a weak point: the OTP sent via text message.

The Cyber Defence Alliance's 2024 report recommended that its members, including banks, 'consider avoiding or limiting the option to use OTP/SMS as authentication'. UK Finance has also been warning about scammers using social engineering to get OTPs since 2021.

In our banking security reviews, we've long been penalising bank websites and apps that send OTPs by text. This is due to the potential for social engineering and because texts sometimes appear on phone screens even when locked (you can turn this off in settings).

Yet despite years of concern, our snapshot research has revealed that some major banks, building societies and credit card companies are still using SMS OTPs in the digital wallet setup process.


Banks using texted passcodes

In April and May, we surveyed 15 providers about their digital wallet setup process.

Barclays, the Co-operative Bank, HSBC (with its sister banks First Direct and M&S Bank), Santander and Virgin Money said they currently use SMS OTPs – although they usually weren’t the only verification option.

Starling Bank told us it does still use OTPs for setting up Apple Pay alongside other options, but it removed them from Google Wallet in 2022.

TSB told us it is ‘working closely with card and wallet providers to implement approval via the TSB mobile app. In the interim, OTP verification is accompanied by the necessary risk verification, alongside fraud controls to keep customer details safe’.

Digital banks Chase and Monzo differed significantly from the norm, telling us they don’t use OTPs for setting up digital wallets and never have. Capital One told us it doesn’t allow its cards to be added to digital wallets. 

Three providers didn’t outline exactly which verification methods they use. These were American Express, Lloyds Banking Group and NewDay, which operates the John Lewis Partnership Credit Card. 


We were able to test the setup processes for cards issued by Halifax (part of Lloyds Banking Group) and American Express. American Express did use SMS and email OTPs; Halifax did not, instead offering two more robust methods, including in-app approval. It’s unclear whether Lloyds and Bank of Scotland have the same verification methods as their sister bank, and Lloyds didn’t respond to our follow-up questions about this. 

Responding to our finding, American Express said: ‘Privacy and security are a priority for American Express. We have controls designed to protect customer accounts and guard against unauthorised fraudulent activity, and if we identify activity that may be fraud, we will take protective actions.’

OTPs sent by text aren’t the gold standard in verification. Some providers offer more secure alternatives, including approval within their mobile banking apps and customers calling the bank and being asked for digits or characters from passwords.

No verification method is bulletproof. For example, it’s conceivable that a victim could be socially engineered into approving wallet setup within their mobile app.

But an in-app process or a phone call gives the bank more chances to warn victims about fraudsters’ tactics – anyone making a bank transfer in the past few years is likely to have noticed the increased checks and warnings.

Missed opportunities

When we asked UK Finance about digital wallet scams, it told us the industry was ‘alive to these risks’, takes fraud more seriously than other sectors, and that in 2024, £1.45bn of unauthorised fraud was prevented. 

Changing these processes can be costly and time-consuming, especially for older banks with ageing IT systems. Additional measures can be taken to ensure wallet setup requests are genuine, such as providers flagging setups to customers.

Chase said: ‘Every time a customer’s card is added to a digital wallet from any other method than the button within the Chase app, we will always notify the customer via the Chase app and prompt them to check the request to ensure that it’s genuinely them.’

Starling Bank told us its customers have the ability to freeze all mobile wallets in their Starling app. They can also create virtual cards in just a few taps when they are unsure if a payee can be trusted. Those cards can then be deleted after a single use, ensuring a fraudster can’t make any further use of the credentials.

Providers can also limit how many wallets a card can be added to overall, or within a certain time period, although most told us they didn’t. Providers that do impose limits include Virgin Money (an individual card can be added to a maximum of five devices), Starling (a total of 15 devices) and Monzo (customers can add a Monzo card to a digital wallet only twice in any 24-hour period and three times in every 30 days).
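To show how the two controls described above fit together on the issuer's side, here is an added example (not code from Which? or from any of the banks named): a provisioning check that applies the per-card add limits the article attributes to Monzo and raises a customer alert for any addition not started from the bank's own app, as Chase describes. The `ProvisioningLog` store, the `source` values and the request sequence are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values taken from the article: Monzo allows a card to be added to a
# wallet twice per 24 hours and three times per 30 days; Chase notifies the
# customer in-app for any addition not started from the button in its own app.
WINDOWS = [("24h", timedelta(hours=24), 2), ("30d", timedelta(days=30), 3)]


@dataclass
class ProvisioningLog:
    """In-memory record of successful wallet additions per card (constructed)."""
    events: dict = field(default_factory=dict)

    def record(self, card_id, when):
        self.events.setdefault(card_id, []).append(when)

    def count_since(self, card_id, since):
        return sum(1 for t in self.events.get(card_id, []) if t >= since)


def evaluate_provisioning(log, card_id, now, source):
    """Decide whether a wallet-add request may proceed.

    Returns (allowed, notify_customer, reason). `source` is "in_app" when the
    request was started from the bank's own app, otherwise "external" (card
    details typed into a wallet app, which is the path a fraudster would use).
    """
    for label, window, limit in WINDOWS:
        used = log.count_since(card_id, now - window)
        if used >= limit:
            return False, True, f"{label} limit of {limit} reached ({used} used)"
    notify = source != "in_app"  # out-of-app adds always get a customer alert
    log.record(card_id, now)
    return True, notify, "within policy"


def scenario():
    """Constructed sequence of five add requests against one card."""
    log, t0 = ProvisioningLog(), datetime(2025, 5, 1, 9, 0)
    requests = [(0, "in_app"), (1, "external"), (2, "external"),
                (25, "external"), (26, "external")]
    return [evaluate_provisioning(log, "card-1", t0 + timedelta(hours=h), src)[:2]
            for h, src in requests]


if __name__ == "__main__":
    for allowed, notify in scenario():
        print(f"allowed={allowed} notify={notify}")
```

The third request is refused by the 24-hour limit, the fourth is allowed once that window has rolled on, and the fifth is refused by the 30-day limit; every out-of-app request, allowed or not, triggers an alert.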

Yet even these sorts of measures potentially allow plenty of room for fraudsters, who need to add your card to just one digital wallet to start spending.

While OTPs remain widely in use, the risk of digital wallet fraud will be elevated, and anyone with a debit or credit card needs to be aware and alert to what to look out for.


How to stay safe

Adding your cards to your own digital wallet won't put you more at risk — it could even help you, by making you more aware of the process and notifications from your bank. Our other tips include:

  • Avoid links: Do not click on links in emails or messages that claim to be from your bank or credit card company. If you're unsure if a message is legitimate, contact the organisation directly using a trusted phone number or website. Many banks can be reached via the fraud helpline 159.
  • Check website data: When shopping online, make sure the web address is correct and use a domain checker to verify the site's age. Be cautious of ads with prices that seem too good to be true.
  • Turn on notifications: Most mobile banking apps allow you to receive push notifications whenever money is spent on your account. Turning these on can help you spot fraudulent activity as soon as it occurs.
  • Check statements: Regularly review your bank and credit card statements and report any suspicious transactions to your bank immediately.
  • Heed warnings: If your bank notifies you that your card has been added to a digital wallet and you did not do this, call the bank immediately to investigate.
  • Disable message previews: To prevent OTPs from being seen by others, you can disable message previews so they do not flash on your phone's locked screen.