How Did Someone Get Your Credit Card Number?
Millions of Americans have been the victim of credit card fraud. And there’s a good chance it could already be happening to you.
Criminals no longer need your physical credit card to commit fraud. Instead, credit card fraud has evolved into one of the most common cyber security threats. For example, a 2019 hack of Capital One released the credit card information of over 100 million people [*].
So, how can you protect yourself and your credit card from fraudsters? In this guide, we’ll explain how people steal credit card numbers, what they can do with them, and how to protect yourself now and in the future.
How Do Hackers Get Your Credit Card Information?
- Stealing wallets or finding lost credit cards
- Dumpster diving for cards and account details
- “Friendly” fraud from family members or friends
- Using card skimmers and shimmers
- Stealing your card details over public Wi-Fi
- RFID collection (intercepting contactless payments)
- Phishing attacks to steal your account information
- Installing malware and spyware on your devices
- Scam phone calls pretending to be from your bank
- Shoulder surfing and copying your card info
- “Formjacking” on websites you use and trust
- Taking over your online banking account
- Finding your credit card numbers after a data breach
- Hacking the payment systems for online stores
1. Stolen wallets or lost credit cards
Physical credit card theft still happens. If you forget your wallet somewhere or your wallet is stolen, a criminal can snatch your card and use it right away. A stolen credit card has the unique advantage that it’s ready to use without requiring any extra steps.
2. Dumpster diving for cards and account details
Your mail can be an easy source for credit card fraud. If you throw away a pre-approved card, accidentally toss a replacement card, or forget to shred your statements, anyone can take them out of the trash and use them.
3. “Friendly” fraud
Perhaps surprisingly, family members are often the perpetrators of credit card fraud. A family member or friend you trust could have access to your cards and use them without permission. Or, a member of your family could open a credit card in your name.
4. Using card skimmers or shimmers
These small devices collect credit card data from the card’s magnetic strips, which criminals then use to create a cloned card. Thieves install skimmers on ATMs, gas pumps, and other publicly available card readers.
Shimmers are the natural evolution of card skimmers. But instead of stealing data from your card’s magnetic strip, they go inside the reader and steal your chip information.
5. Stealing your card details over public Wi-Fi
Open wireless connections at places like coffee shops and airports are notoriously unsafe. Hackers can use what’s called a “man-in-the-middle” (MITM) attack to intercept your connection and collect any data you share, including credit card information.
6. RFID collection (i.e., intercepting contactless payment)
Many modern cards use radio-frequency identification (RFID) for contactless payment. A thief close enough to you with the right device can use this technology to “scrape” your credit card information. There are very few reports of this scam, but it could grow as RFID becomes more common.
7. Phishing emails or texts
Phishing is a type of social engineering attack designed to scam you online and give up your sensitive information. A phishing message pretends to be from an organization you trust like your bank or the IRS. But if you share information by clicking on the link or responding to the email/text, the data goes directly to a hacker.
8. Installing malware or spyware on your device
Phishing attacks can also try to get you to download attachments that include malware. This harmful software can steal sensitive data from your devices and share it with hackers.
One common type of criminal software — called a keylogger — records everything you type. This includes credit card numbers, passwords, emails, and more, and sends them to the hacker.
9. Scam phone calls
Phishing attacks can also take place over the phone. A scammer will call posing as an authority figure who needs to confirm your credit card information. Often the scammer will use serious threats — like jail time for unpaid taxes or criminal activity on your card — to get you to act.
📚 Related: How To Know if Your Phone Is Hacked (and What To Do) →
10. Shoulder surfing and copying your card information
A rogue restaurant employee can copy your card data when you’re not looking (this scam is called shoulder surfing). Or, a call center worker can write down your information when you pay via credit card over the phone.
11. “Formjacking” on websites you use and trust
Hackers use different types of cyber attacks to inject malicious software onto website forms. When you enter your info — including credit card numbers — they get access to them.
Researchers found “formjacking” code on major sites like Ticketmaster, Newegg, and British Airways. In 2022, security experts detected the code on over 100 real estate websites [*].
12. Account takeovers on your online bank
A thief with login information for your credit card company can use your credit as if it were their own. This form of identity theft is particularly dangerous as a fraudster can use account information to apply for new credit, take out fraudulent loans, and collect personal data.
13. Finding your credit card info after a data breach
Research shows that data breaches increased 68% from 2020 to 2021. Billions of account details have been leaked from Facebook, T-Mobile, Experian, LinkedIn, and more. A single data breach can expose tens of millions of credit card numbers to hackers on the Dark Web.
14. Hacking the payment systems for online stores
Many websites where you shop or pay for services offer to keep your card on file. While this can be convenient, it also means that if a hacker later accesses the company databases, they can steal that saved data.
Which Scams Should You Be Most Worried About?
With all these methods, you might wonder: which credit card scam poses the greatest threat?
By far, data breaches are responsible for the most stolen credit card numbers. Experts estimate that details from as many as 60 million credit cards are released in data breaches each year [*].
These card details end up for sale to hackers on the Dark Web for as little as $14 [*].
Unfortunately, we usually can’t (or don’t know how to) protect ourselves from data breaches.
For credit card theft that targets individuals, phishing is probably the most common method today. But scammers who steal your credit card information want to keep you blind to their scams as long as possible (to have time to max out your card).
How To Tell if Your Card Numbers Have Been Stolen
- Suspicious activity on your credit card or bank statement. Don’t ignore small transactions, either. A $0.01 charge could be a scammer testing your card to make sure it’s active before moving on to bigger purchases.
- New accounts or hard inquiries on your credit report. You can request a free copy once a year at AnnualCreditReport.com. Your credit report shows all credit associated with your identity. Look for accounts you didn’t create, amounts different from your statements, or inquiries you don’t recognize.
- Fraud alerts from your bank, credit card, or credit monitoring service. Your bank or card provider may alert you to purchases they think are fraudulent. But they often come too late (or not at all). A credit monitoring service actively monitors all transactions on your card, credit report, and bank account and warns you of suspicious transactions in near-real-time.
- Calls from creditors about transactions you didn’t make. Credit card scammers have no intention of paying off your debt. If fraudulent purchases go to collections, it’s a sign your card’s been used without your permission.
- Unexpected packages showing up. A scammer might forget to change your shipping address when using your card details. Or, they could order packages to your house with the goal of stealing them. If you get strange mail or packages, check your credit card statement. (This could also be a sign that you’re the target of a “brushing” scam.)
- A lower available balance than you expected. Scammers will work quickly to run up your available credit. If you’re shocked at the amount owing on your card, check your statement now.
- Other warning signs of identity theft. A stolen credit card often means that a criminal has access to other sensitive information about you. Look for other warning signs of identity theft such as missing mail, a drop in credit score, or suspicious log-in attempts on your online accounts.
Any of these warning signs could mean your card or details are stolen. But seeing no signs doesn’t necessarily mean you’re safe. A criminal could still have access to your card and be waiting to use it.
📚 Related: Someone Bought a Car in My Name! What Should I Do? →
What Happens After Your Credit Card Gets Stolen?
As you might suspect, most thieves use stolen credit card data to make fraudulent purchases.
If a criminal skimmed or “shimmed” your card details, they’ll create a cloned card with your data and commit all types of financial fraud.
If they have your physical card, they’ll use it to buy gift cards (a scam known as “carding”) and luxury goods. Why these items? Gift cards are almost impossible to trace, while luxury items command a high resale price, which means fewer shopping trips.
But while these scams are still common, today, most credit card theft today doesn’t involve the physical card.
Instead, scammers use what’s called “no card present” theft to make purchases through online retailers. Often, they’ll buy gift cards as they’re easy to resell, can’t be traced, and don’t require shipping.
Hackers might also get access to huge numbers of card details in data breaches and make money selling them on the Dark Web.
No matter what they use your credit card numbers for, the results are damaging.
Are you the victim of fraud? Follow our fraud victim's checklist for step-by-step instructions on how to recover after fraud.
Am I liable for fraudulent purchasing using my credit card?
In many cases, the answer is luckily no. If you act quickly.
Under the Fair Credit Billing Act, your liability for credit card fraud is just $50 if reported within 60 days of the charge. All major credit card networks including Visa, Mastercard, Discover, and American Express offer $0 liability.
The situation is less clear for debit cards. If you act immediately, you won’t be responsible. But if you wait as little as two days to report fraudulent charges on a debit card, you could be liable for up to $500.
And if you don’t notice the unauthorized bank account withdrawals for two months, you could be liable for everything.
Will credit card fraud damage my credit score?
Credit card theft can wreak havoc on your credit score. Damage to your credit score is reversible but may take months and sometimes even years to clear.
And that’s just a thief with access to your credit card. Someone with your personal information can do more damage.
Using information like your Social Security number, a thief can apply for new credit in your name. These new accounts can rack up unpaid debt before you notice, leaving you with an impacted credit score and endless collection calls.
Can a stolen credit card lead to identity theft?
Stolen card information on its own constitutes identity theft. But if your card is hacked, you should assume you’re a victim of other types of identity theft as well.
Details like your card number and expiration date usually aren’t enough information to hack into other accounts.
However, a criminal can create a so-called “synthetic” false identity by combining the name on the card with other information, like someone else’s Social Security number.
Remember: the most common type of individual card theft is through phishing. If a scammer has access to other personal information, it can lead to many other kinds of identity theft.
Was Your Credit Card Number Stolen? Do This ASAP
- Contact the fraud department of your credit card issuer or financial institution. Close or freeze your accounts and get a new card. Point out which fraudulent transactions should be cleared from your account.
- Reset all your passwords and enable 2FA (but not over SMS). Change all your account passwords to be more secure and use a password manager to keep track of them. If you don’t already use two-factor authentication, set it up. This requires an additional code before logging in. But don’t use SMS as it can be compromised. Instead, use an authenticator app like Google or Okta.
- Review your credit report for fraudulent activity. Request a free copy as outlined above to see if the cyber criminal has accessed other accounts or applied for credit under your name.
- File an identity theft report with the Federal Trade Commission (FTC). Use the free tools at IdentityTheft.gov. This will provide you with documentation you may need later.
- Report the fraud to your local law enforcement. If your card was physically stolen, you should file a police report for identity theft immediately.
- Set up a fraud alert or credit freeze. A fraud alert requires lenders to verify your identity for a year, while a freeze rejects all loan applications until unfrozen. To set up a fraud alert, contact one of the three credit bureaus—TransUnion, Equifax, or Experian. To set up a freeze, you’ll need to contact each bureau separately.
- Sign up for identity theft protection. Aura monitors all your financial and personal accounts and alerts you of suspicious activity. We also secure your devices from viruses, malware, and phishing so you can shop and browse safely. All accounts are also covered by a $1,000,000 insurance policy for eligible losses due to identity theft.
How To Prevent Credit Card Fraud
The best way to avoid credit card fraud is to protect your card and financial information at all times. Here are the best ways to prevent credit card fraud:
Protect your physical credit card
- Use a chip reader instead of swiping your card. All modern credit cards use EMV chips that are more secure and thwart skimming. It’s the best way to protect your card at gas stations or public ATMs.
- Watch your wallet and purse. Consider keeping your wallet in your front instead of your back pocket, where it’s harder to pickpocket. And don’t leave your purse unattended, such as sitting in a grocery cart.
- Carry fewer cards with you. Having too many credit cards can make you vulnerable to fraud. Only carry cards and ID you need. Leave other credit cards, your Social Security card, and passport in a secure place at home. (Remember, it's not always possible to change your Social Security number – even after identity theft.)
- Choose credit over debit. If your credit card is stolen, federal law and credit networks protect you in several ways, and your liability in most cases is zero. Debit card fraud, on the other hand, can deplete your accounts and leave permanent damage.
Protect your sensitive data at home and in public
- Be careful during in-person transactions. If possible, keep a credit card in your sight whenever paying at a restaurant or store. Also, beware of shoulder surfers watching you key in your card information.
- Avoid paying by credit card on the phone. Whenever possible, use another method of payment. And only share information with representatives at numbers you’ve called. Don’t trust incoming calls that ask for financial information or account numbers.
- Shred mail before throwing it away. Many shredders don’t offer great protection, so look for a model that offers “micro cut” shredding. Thieves can reconstruct pages from other shredders in a matter of hours.
- Be wary of incoming phone calls. Incoming calls that require you to “confirm” details are often scams to collect that very data. Instead, make an outgoing call to the organization’s official number.
- Set up a credit freeze. A credit freeze is a security measure that can keep thieves from opening accounts in your name. Consider keeping your credit frozen at all times, and only unfreeze it when applying for a loan or buying a house or car.
Protect your card details online
- Remove your card from websites. Don’t keep a card on file unless absolutely necessary.
- Use a secure connection when shopping online. Before typing in credit card information, make sure the site address starts with https:// (with an “s,” for “secure”). Some browsers represent a secure connection with a green padlock. (For extra protection, follow these tips on how to shop online safely.)
- Use an antivirus and VPN. A strong antivirus can detect and disable malware on your computer. A VPN scrambles your internet data and location, making it much harder for thieves to steal data over a Wi-Fi connection.
Look out for the warning signs of credit card fraud
- Check your account statements regularly. One of the fastest ways to spot theft is to regularly review debit and credit card statements.
- Pay attention to fraud alerts. If your bank or credit card alerts you of suspicious activity, look into claims by going to the website yourself or calling the official number. Be wary of clicking links on fraud alert texts or emails, as they may be scams.
- Consider a credit monitoring service. Aura will alert you of any suspicious activity immediately. Every second counts during an identity theft attempt, and Aura delivers alerts at least 2x faster than the competition.
Preventing Credit Card Fraud Starts With You
To protect yourself from credit card theft and fraud, be careful and be covered.
Be careful with your card, who has access to it, and how you use it. The media often highlight new attacks, but most cards are stolen through old-school methods like breaches and phishing. Remember the basics, and stay alert.
Be covered by keeping a close eye on your statements and signing up for identity theft protection. With Aura, you and your family are covered by our $1,000,000 insurance policy for eligible losses due to identity theft.
Nobody is completely safe from credit card theft. But with care and coverage, we can all be prepared.