How Do Hackers Get Your Credit Card Number?
Scammers steal credit card numbers in a variety of ways, such as through phishing attacks, hijacking payment forms, intercepting public Wi-Fi, and more.
Last year, the Federal Trade Commission (FTC) received 1.1 million identity theft reports, with nearly half of those involving credit card fraud [*]. So while credit cards provide a convenient way to spend money, you can’t ignore the risks around using them.
1. Phishing emails and websites
Phishing attacks are designed to trick you into giving up your sensitive information. These emails purport to be from an entity that you trust, such as your credit card company, utility company, or the Internal Revenue Service (IRS).
In some cases, scammers create look-alike websites that include fake phone numbers and payment forms.
In one such scheme, cybercriminals targeted Evergy customers with ads for phony websites when they Googled terms like “pay Evergy” and “Evergy bill” [*].
When customers landed on the fake Evergy website to pay their bill, they were unknowingly giving up their credit card information to the scammers.
⚠️ Receive quick alerts if scammers target your credit. Identity Guard can monitor your credit file, as well as your bank, credit card, and 401k accounts — warning you in near real time of signs of fraud. Save 33% on Identity Guard today →
2. Data breaches
In August 2023, the merchant services provider BankCard suffered a data breach that exposed more than 10,000 Americans to data theft — including their credit card numbers [*].
Data breaches like these happen when scammers exploit security vulnerabilities within a company to access sensitive user information.
In fact, the BankCard data breach may have compromised other personal data such as customer account numbers and Social Security numbers (SSN).
3. Mail theft
Physical credit card statements often include your credit card number, making them inviting targets for scammers who have learned how to exploit the United States Postal Service (USPS) system.
A USPS worker herself managed to steal card details from at least 37 residents along her mail delivery route [*].
In a similar version of the scheme, thieves steal reissued credit cards out of your mailbox before you’ve had a chance to retrieve them.
⛳️ Related: Someone Is Using My Home Address Fraudulently. What Do I Do? →
4. Credit card skimming
Cybercriminals install card skimmers on card readers, ATMs, and even gas pumps. These small devices fit over a merchant’s card terminal and can be difficult to spot.
When you swipe or insert your credit or debit card, your data is harvested. Scammers can then use these stolen credit card numbers to fabricate cloned cards.
One such scammer targeting gas stations was able to harvest up to 1,000 credit card numbers per day [*]. In just three days of skimming, the thief stole more than $30,000 from unsuspecting victims.
5. Stolen or lost wallets
Earlier this year, an Ohio nursing home employee left her purse in an office at the facility, only to return and discover that her wallet had been stolen [*].
By the time the police investigation began, her credit cards had already been used for several fraudulent transactions.
Anytime you leave your wallet somewhere unattended, you risk credit card theft. This crime appeals to criminals because of its simplicity — they only need to find an opportunity to steal a misplaced or unsupervised credit card, after which it can be immediately used.
6. Formjacking
Formjacking, sometimes called e-skimming, is a type of cyberattack in which scammers commission malicious code to hijack payment forms on well-known e-commerce websites.
In June, a New York-based car accessories company was targeted by one of these attacks. Malicious JavaScript (JS) code was injected into iOttie’s checkout page, siphoning cardholder details and credit card numbers straight to scammers [*].
Hijacked forms can be difficult to spot. In many cases, victims won’t realize it until a fraudulent purchase is discovered on their account statements.
7. Public Wi-Fi networks
Public Wi-Fi networks that don’t require a password are convenient and easily accessible in places like hotels and coffee shops.
While these open wireless connections are sometimes safe, using them for activities such as banking comes with serious risks. Yet, 20% of people use public Wi-Fi to make financial transactions [*] — making them vulnerable to credit card theft and other types of fraud.
Hackers sometimes use what’s called a “man-in-the-middle” (MITM) attack to intercept and excise data that you share while using these networks.
8. Familiar fraud
It’s unsettling to believe that your loved ones could steal your personal information; but unfortunately, it’s not all that uncommon.
Familiar fraud takes a few different forms — from a trusted family member using your card without permission to an acquaintance stealing your credit card number.
In an elderly Florida woman’s case, the culprits were two caretakers entrusted to look after her. The thieves painstakingly gained access to the woman’s credit card accounts and allegedly made more than $100,000 in fraudulent purchases [*].
⛳️ Related: Is Discover Identity Theft Protection Worth It? →
9. Malware or spyware
Scammers may target you by sending links and attachments which, if clicked on, can download malware onto your device.
One common type of malware known as a keylogger steals your personal information and can even record what you type.
Payment terminals may also be caught in the fray. In October of last year, cyber thieves targeting terminals with strains of point-of-sale (POS) malware were able to steal credit card details from 167,000 cards [*].
When POS malware does not work, scammers turn to JavaScript sniffers — a type of formjacking. These malicious scripts can “sniff out” card numbers, expiration dates, CVVs, and more.
10. Scam phone calls
Phishing attacks aren’t limited to email or text messaging — these attacks can also happen over the phone. You’re first contacted by a scammer posing as a trusted company or representative to confirm your credit card information.
In a scam that targets hotel guests, fraudsters call a local hotel and ask to be transferred to a specific room [*].
Should the guest answer, the scammer pretends to be calling from the front desk and claims that there’s a payment issue. So as not to “inconvenience” guests, the caller offers to re-verify card numbers over the phone.
How To Keep Your Credit Card Information Safe
The best way to avoid having your credit card data stolen is to exercise caution whenever you’re supposedly speaking to a company that you know and trust.
Learn to recognize the warning signs of phishing, and avoid sharing account information with anyone who raises red flags. Here are some other steps you can take to prevent credit card fraud:
Turn on available online banking features
- Create a secure password. Your bank account password should be at least 10 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols.
- Set unique PINs for each of your credit cards. If you have multiple bank accounts, use different PIN numbers for each one.
- Set up MFA. Multi-factor authentication (MFA) typically requires a one-time code, biometric scan (such as a fingerprint), and/or the answer to a security question.
- Enable account (or threshold) alerts for suspicious transactions. Text or email alerts notify you of fraudulent activity so that you can investigate and act quickly.
Use a secure internet connection and device
- Use a virtual private network (VPN) and antivirus software. A VPN masks your IP address so that you can safely browse, even while using public Wi-Fi networks. Antivirus software can block harmful malware meant to steal sensitive information like your credit card numbers.
- Avoid using public Wi-Fi for financial transactions. To protect your data, use your cellular network paired with a VPN if you need to conduct banking transactions while on the go.
- Keep apps, browsers, and firewalls up to date. Scammers often muscle their way in through security vulnerabilities in apps and browsers that are out of date. Turn on automatic updates whenever possible.
Practice safe online shopping
- Don’t store card information on your browser or with merchants. Entering your payment information manually each time is less convenient, but generally safer.
- Use virtual cards or mobile payment services like PayPal or Apple Pay. When you use mobile pay, your card information is converted into a random string of digits as a security measure — making it nearly impossible for data thieves to steal.
- Only shop with trusted online vendors. Whenever possible, purchase from websites that are compliant with the Payment Card Industry Data Security Standard (PCI DSS). While there’s no one trust seal to look for, compliant websites use third-party payment processors like PayPal and Stripe.
Keep your physical cards safe
- Opt to use your digital wallet whenever possible. This is an easy way to give card skimmers a wide berth. Be sure to enable biometric authentication (a passcode, fingerprint, or facial recognition) on these apps to ensure extra security.
- Shred credit card statements. Some identity thieves “dumpster dive” to find discarded bills or financial statements. Shred these, or opt for paperless statements to prevent unwanted access.
- Activate and sign any new credit cards immediately. If you’re expecting a reissued or new card and don’t receive it within the specified timeframe, contact the issuing company; your card might have been stolen.
Watch out for the warning signs of credit card fraud
- Check your account statements regularly. Even if you have account alerts enabled for suspicious transactions, it’s a good idea to manually review your statements as well.
- Pull your credit reports to look for new accounts or hard inquiries. The more often you check your credit score, the better. Free credit reports from all three bureaus are now available once a week at AnnualCreditReport.com.
- Consider signing up for identity theft protection. Identity Guard helps keep you safe from credit card fraud and identity theft. You’ll be alerted of any suspicious activity on your credit file or other financial accounts.
What To Do If Your Credit Card Number Was Stolen
A scammer getting a hold of your credit card numbers can have seismic implications — but if you act quickly, you can minimize the damage.
Here’s what to do if your credit card number was stolen:
- Contact the credit card issuer. As soon as you suspect fraud, contact your financial institution so it can cancel your cards and reissue new ones. In the meantime, many mobile banking apps provide the option to freeze or lock access to your cards so that they can’t be used by scammers.
- Update your account login information. Change your account password to something more secure, and set up two-factor authentication (2FA). This setting requires a one-time code that is sent to your email or device when you log in.
- Monitor your credit card statements. Your bank accounts are the most vulnerable during the time after your card numbers are stolen — and before you have a chance to cancel them. Look over your statements, and report any transactions that you don’t recognize.
- File a report with your local law enforcement. The Federal Deposit Insurance Corporation (FDIC) recommends filing a police report to establish a paper trail if you need to contest fraudulent charges down the line.
- Report to the FTC. Report the credit card fraud to the Federal Trade Commission (FTC) by visiting ReportFraud.ftc.gov.
- Set up a fraud alert (or freeze your credit). Contact one of the three major credit bureaus — Experian, TransUnion, or Equifax — to set up a fraud alert. This will require potential lenders to verify your identity before issuing new credit. Alternatively, you can freeze your credit so that it’s entirely inaccessible. To do so, you’ll need to contact each bureau individually.
A digital security provider like Identity Guard can make it much easier to monitor your financial accounts for signs of fraud.
With award-winning identity theft protection and a $1 million insurance policy, rest easy knowing that you're better shielded from credit card fraud.
