Guarding against card fraud

Get ahead of the latest card fraud threats by following specialist advice from our team.

Card fraud involves fraudsters stealing someone else’s credit or debit card details and then using them to make purchases or take money from the card owner’s account. 

Robert Dommershuizen, Strategic Fraud Analyst at the bank, lists the different types of card fraud in order of prevalence:

  1. Card not present: where card details are stolen and then used to make purchases online or over the phone. Credit card fraud reached £2.3m in 2023*, while debit card fraud was at £4.1m.
  2. Lost and stolen: where the criminal physically presents the card to a service provider or retail outlet after stealing or cloning it. A cloning machine ‘skims’ and copies the card details via an ATM or handheld device. Credit card fraud for this was at £200k, while debit cards rang in at £600k.
  3. Fraudulent application: this is when customer details are used to apply for a credit card.
  4. Card not received: when a card is intercepted in the post.

As shown above the most common scam by far is ‘card not present’, with credit card fraud at £2.3m in 2023, followed by ‘lost and stolen’ at £200,000. “Fraudsters might obtain card details in a number of ways, including from a data leak by an internet provider or a business email compromise (BEC) attack,” explains Robert. “However, another method used is what we call sequential attacks.”

The long card number on the front of a debit or credit card is generally 16 digits, with the first 12 identifying the provider of the card, so they’ll usually be the same for every customer of that particular provider.

“It’s just the last four digits at the end that are different,” Robert explains. “For these sequential attacks, fraudsters work their way up from that four-digit number, so for example 1000, 1001, 1002. “As a result, we’re now looking to remove this sequential ordering on cards.”

A classic example of step-by-step card fraud

Once a fraudster has a customer’s details, it can be a matter of three easy steps.

  • The fraudsters make a fraudulent online payment to an outlet such as a takeaway restaurant
  • They call the card owner, pretending to be the bank, saying they should have received a text message to say that there’s been a fraudulent payment
  • While on the call the card owner receives a text message sent by the fraudster; they decline it at the request of the fraudster

The fraudster now has the victim’s buy-in because they’ve supposedly saved them from fraud, so they can take them through further false security to get more details.

“It’s been used as a hook transaction to ask for further details,” explains Robert. “They now have access to customers’ online banking or Bankline and from there they can make higher value payments from those platforms.”

Bypassing the one-time passcode

One of the main areas targeted this year has been MOTO (mail order, telephone order), where they provide the card details over the phone to make a purchase.

“That’s one of the most prevalent and is essentially bypassing a customer logging into their app to authenticate their one-time passcode. The bank is looking to revitalise its messaging to flag what fraudsters can do,” says Robert.

“It’s impacting the loss from the digital platforms like online or mobile banking, with the hook being widely used.”

What to watch out for

  • Emails and vishing calls supposedly from the bank, trying to get credit card or online platform details
  • Sharing business cards with work colleagues: “If there’s one card between 10 people within the business, the main card holder should be the only one to use it”
  • Contactless cards are embedded with multiple layers of security and transactions have the same protection as chip and PIN. Shield your PIN in shops or at cash machines and don’t write it down or tell anyone what it is
  • If you notice anything unusual or suspicious about a cash machine, don’t use it
  • Payments made using a variety of cards with sequential numbers
  • Urgent orders – be wary of additional time pressures
  • When using your card online, ensure the website is secure. The web address should begin with ‘https://’ – ‘s’ stands for ‘secure’. This only indicates the link between you and the website is secure, not the site itself
  • Find out how to protect smartphones and tablets with this Small Business Guide: Cyber Security - NCSC.GOV.UK


Visit our fraud awareness hub for more information, and upcoming webinars and events.


*As of November 2023.

Choose the content you want

Get business inspiration and practical tips straight to your inbox 

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.

scroll to top