This article is for general guidance only and is not financial or professional advice. Any links are for your own information, and do not constitute any form of recommendation by Saga. You should not solely rely on this information to make any decisions, and consider seeking independent professional advice. All figures and information in this article are correct at the time of publishing, but laws, entitlements, tax treatments and allowances may change in the future.
Remote purchase fraud is soaring, with millions of incidents reported each year. These sophisticated scams use your card details for online spending sprees, putting your hard-earned savings at risk.
Here’s what you need to know to protect yourself.
Remote purchase fraud is when criminals use your card details to make online purchases. According to industry body UK Finance, it’s a growing crime: there were 2.6 million reported incidents in 2024, up 22% from the previous year.
That’s one every five minutes, or 7,000 a day. And those are just the ones we know about. David Callington, head of fraud at HSBC UK, says: “Scammers are devious criminals who use a range of techniques to steal money from people without any concern for the mental or financial wellbeing of their victims.”
Remote purchase fraud typically starts with you being tricked into handing over financial details. Alternatively, criminals might steal them. In recent weeks there have been reports of cyber-attacks against Cartier, The North Face, Adidas, Victoria’s Secret and Harrods.
Often hackers are trying to steal customer data that can then be used for fraudulent activity (although no financial details were accessed in these cases). One way that banks and related organisations try to protect us is by using an extra layer of security called a one-time passcode (OTP).
This will often be sent to your phone as a way of confirming your identity and usually expires after a few minutes. This kind of code might be used when you log in to online banking, when you’re making a purchase online, or when you’re adding a bank card to the digital ‘wallet’ on your phone.
In response, criminals have been increasingly targeting their victims to get these passcodes. Giles Mason, director of campaigns at UK Finance, says: “Our discussions with the industry point to an increase in the compromise of one-time passcodes.”
In April this year, two men were arrested in Middlesbrough and the Netherlands after a three-year investigation into £7.5 million of one-time passcode fraud.
The worst-case scenario is if an OTP is used to add a bank card to a digital wallet like Google Wallet or Apple Wallet. If fraudsters manage to do this, they can use your card on their phones to buy things anywhere – and contactless smartphone payments don’t have the £100 payment limits that contactless bank cards do.
Even if you try to keep your card safe by not adding it to a digital wallet on your phone, that won’t stop a fraudster from trying to add it to theirs. To do this, the fraudster will need your card details. There is an extra layer of security before a card can be added. Often, an OTP can be the extra layer. So a criminal might put your details into their digital wallet and then click on “send me a code by text” on the card verification page. That text is sent automatically by your card issuer to your phone. They might then call you to try to get you to reveal the OTP.
Fraudsters have numerous ways of stealing this information.
As HSBC told us, criminals “often start by social engineering – sending fake emails, gathering data on social media with fake quizzes and competitions, creating fake merchants and fake goods... We’ve seen a rise in fraud emanating from online marketplaces, and a rise in WhatsApp and SMS-type messages seeking to elicit information or money too. It’s not just one fraud type or approach. Fraudsters and scammers use every trick in the book.”
Social engineering means manipulating people in order to deceive them, using knowledge of how people think and act. Criminals will start some kind of interaction that eventually tricks the person into giving away their bank details.
Mason agrees. “Criminals are shifting tactics,” he says. “We are seeing criminals increasingly using social engineering techniques to trick victims into handing over their personal and banking details so the criminal can authenticate fraudulent online card transactions.”
One popular way that remote purchase fraud happens is a fake text message about a delivery. It appears to be from a courier firm or Royal Mail. It usually says: “There’s a problem with a package; click here to arrange delivery.” That takes you to a fake website for the delivery service (which could be DPD, Evri, Royal Mail, or another delivery firm) where you’ll be asked to pay a small administration fee.
If you enter your card details and your billing address on the form – not realising it’s a fake website – that gives the criminals most of the details they need.
Shortly afterwards, you’ll get a call on the same number that the text message was sent to. It’s your bank, and they’ve detected fraudulent activity on your card. To refund that money, the caller says, we need to do a security check. Can you read out the six-digit code we’ve just sent to your phone, please? The code is real, and from your bank. But the person on the phone isn’t.
Giving the code will allow the criminals to do whatever they were trying to do, whether that’s log in to your bank, make a purchase, or add the card to their digital wallet.
In the case of the £7.5 million investigation and the arrests that were made in April this year, fraudsters had been using a specially designed OTP tool to make phone calls to victims, pretending to be from banks or cryptocurrency exchanges.
The key to staying safe is to always keep OTPs to yourself. “If you receive an unexpected request to share personal information or a one-time passcode that has been sent to you, it is likely to be part of a scam that could lead to you becoming a victim of fraud,” warns HSBC’s David Callington. “Do not share one-time passcodes.”
Banks have teams working around the clock to spot potentially suspicious payments, but you can do your part too, says Callington. “People can help protect themselves by keeping abreast of the latest scams, taking note of fraud warnings when making payments, and not sharing one-time passcodes,” he says.
Assume that any unsolicited communication – a text, an email, a phone call from an unfamiliar number – could be fraudulent. Don’t click any links, download any attachments, or reply to the message. If you want to speak to your card issuer, call them directly on the number printed on your bank card. You can forward suspicious texts to 7726 and report emails to the National Suspicious Email Reporting Services (SERS).
Giles Mason says you should always follow the advice of the Take Five to Stop Fraud campaign: Stop, Challenge and Protect. Stop means “taking a moment to stop and think before parting with your money or information,” he explains. Challenge means asking yourself: “Could it be fake? It’s OK to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.”
Protect means: “Contact your bank immediately if you think you’ve been scammed and report it to Action Fraud online or on 0300 123 2040,” Mason says. If you’re in Scotland, notify Police Scotland by calling 101 or visiting a police station.
The most urgent thing is to get your card stopped to prevent further fraud, so always contact your bank straight away. Whether you get your money back depends on the nature of the scam and the information you shared. Banks consider handing over a one-time passcode to be the same as giving fraudsters your bank card and PIN.
So if you do this, unfortunately it’s unlikely you will be eligible for a refund. If you didn’t hand over the OTP or do anything else to break your card issuer’s security rules, you’ll usually get your money back the next business day and your bank will send you a new card.