Facebook profiles could expose you to card fraudWhich? research finds millions may be at risk

23 October 2014

Close-up of credit card being handed over

Millions of social media users may be vulnerable to identity theft, according to a new Which? investigation.

Our researchers successfully applied for a credit card in the name of a volunteer, using details from their Facebook profile cross-checked with other publicly available information, such as phone directories.

Which? believes many other social media users unknowingly expose details that are useful to identity thieves.

Are you at risk? - Take our interactive quiz to find out what you can do to protect yourself from identity predators

Applying for a credit card without bank details

We identified three card providers - Capital One, Nationwide and Santander - which do not ask for a bank account number in credit card applications.

When our researchers completed an online Capital One credit card application form using only information they found or guessed, they were shocked to find the application was approved.

Credit and debit card identity fraud is rising. After declining in 2011, annual losses climbed back up to £41.9 million last year. Which? is calling for card providers to review their application processes and ensure they're robust.


Please enable JavaScript to access this content.

'Current address' fraud

Although the credit card in our investigation was safely delivered into the hands of the volunteer at their home address, real identity thieves routinely intercept a card before it reaches its intended recipient.

Cifas, the UK's card fraud prevention service, said so-called ‘current address fraud’ accounted for 75% of identity frauds recorded between January and August of this year.

Fraudsters may target victims who live in blocks of flats where post can be retrieved from a communal area, or apply for a credit card while the victim is on holiday, making it easier to surreptitiously retrieve the card.

In our investigation, many of our volunteers had mentioned birthdays and other personal details on their social media profiles. A real fraudster might go on to use this data to compose a targeted 'phishing' email to try to glean further information. 

Find out more: How to spot a phishing email - our guide reveals the tell-tale signs 

Credit card companies respond

The three card companies we identified told us they take credit card fraud and online security very seriously and each has various sophisticated measures and checks to prevent fraudulent applications and to verify each applicant's identity.

Capital One told us that it leads the industry both in preventing fraud and in assisting the victims of fraud. A spokesman said that it advises customers to protect their data and to restrict access to their profiles on social media sites.

Members can read the full investigation in this month's edition of Which? magazine.

More on this...