It's January and the gym is busy, so you quickly tap in through the barriers and head to the changing rooms. Shoving your stuff into a locker, you absentmindedly tap in your four-digit card Pin number to lock it - it's the only one you can remember.
You don't notice the other gym goers, but one of them has noticed you, and they've seen your Pin. Later, you discover they've stolen your debit card from the locker while you were working out, and used your Pin number to go on a spending spree of more than £9,000.
It may sound far-fetched, but that's exactly what happened to Matthew Spencer.
Not only that, criminals were able to transfer £50,000 between his accounts. His bank, HSBC, refused to refund him as it claimed he had been grossly negligent with his Pin, but we don't believe he was.
Our research shows that Matthew is not alone and that not all banks are treating victims of card fraud fairly. We've also found that banks are using the lack of clarity on 'gross negligence' as a get-out clause for repayments.
In this Which? investigation, we reveal the banks that are the best and worst at dealing with card fraud. We also look at the different types of card fraud, what each is costing, what 'gross negligence' is and how to protect yourself.
According to UK Finance, there were a whopping 1.8m cases of card fraud in 2017, costing victims a massive £566m. In total, it accounted for roughly 80% of all fraud cases.
The types of card fraud are split into five categories.
Also known as card-not-present fraud. Stolen card details are used to buy goods online, by phone, or by mail order.
A criminal uses a lost or stolen card to make purchases or withdraw cash. They may spy on victims to learn Pin numbers before a theft.
Fake cards are created using stolen details from a genuine card's magnetic strip.
Stolen or fake documents are used to open an account in someone else's name, or an existing account is taken over by a criminal.
A new or replacement card and/or Pin is stolen in transit before you receive it.
The number of cases is on the rise - in just the first half of 2018, there were more than 1m cases, a rise of some 11% year-on-year.
Remote purchase fraud accounted for around 1.4m cases of card fraud in 2017, making it far and away the largest category. There were more than 350,000 cases of fraud via lost or stolen cards too, and this was up a huge 51% from 2016.
In November 2018, we spoke to more than 900 Which? members to find out how their banks dealt with them after they were defrauded by card criminals.
The helpfulness score includes the speed of receiving a replacement card, the guidance given on how to minimise the risk of fraud in future, the communication provided by the bank following the fraud, and how customers would rate the overall reaction to the fraud.
Sample sizes from our survey are in brackets next to the provider.
| Credit card provider | Helpfulness score |
| --- | --- |
| M&S Bank (33) | 90% |
| American Express (35) | 87% |
| Barclays/Barclaycard (91) | 83% |
| Tesco Bank (54) | 79% |
| Lloyds Bank (34) | 78% |

| Debit card provider | Helpfulness score |
| --- | --- |
| Nationwide Building Society (39) | 87% |
| Lloyds Bank (43) | 81% |
| Barclays Bank (48) | 78% |
We've exclusively obtained data from the FOS that shows uphold rates for each bank too - the higher the uphold rate, the more likely you are to have your claim unfairly rejected by a bank.
If you've been a victim of fraud you'd hope to be treated with understanding by your bank and get your money back quickly. We know from speaking to Matthew and other victims of card fraud that this isn't always the case.
To refuse to refund you after debit card fraud, a bank must have evidence that you have authorised the transactions yourself, acted fraudulently or with 'gross negligence', or that you've left it too late to inform them. But just what does acting with gross negligence actually mean, and how is this determined?
In August 2018, the FOS said it quite often hears from banks that customers have acted with gross negligence, and this is being used as a reason to deny reimbursement. They said that:
Each case that's referred to the FOS is reviewed to see if what a victim did fell below the standard expected of a 'reasonable person', and whether this put their security details at risk.
Take your time: Card fraudsters may use pressure or distraction techniques to make you feel flustered and persuade you to reveal personal or financial details. Taking time and care with every transaction could help you notice unusual or unexpected behavior, and treating unsolicited phone calls, letters, emails or texts with caution is wise.
Use cashpoints inside banks: It's less likely that a cashpoint inside a bank will have been tampered with. It's always worth checking that there is nothing unusual about the cashpoint, though, and that there aren't people hanging around it or standing too close while you use it.
Monitor card statements: In our survey, just 39% of debit card respondents said they became aware of actual or attempted fraud when their bank contacted them to verify transactions, and only half of credit card users. Keep an eye on your statement for any unusual transactions that haven't been picked up by your bank.
Check your credit report: Monitoring your credit report will help you spot any accounts opened in your name using stolen details.
Act quickly: If you spot a fraudulent transaction or your card is lost or stolen, contact your bank straight away. Change your Pin and account passwords, and if you think mail has been intercepted or redirected to a new address, contact Royal Mail.
We'd recommend changing the Pin on any new card you're sent, and not using obvious combinations such as 1234.
If you struggle to remember your Pins, creating a rule using the numbers in the 16-digit card number could be a useful technique.
An example would be to take the last digit of the card number, count that number of digits from the last digit going backward, and use the next four digits in reverse order. Creating your own rule will mean you can find your four-digit Pin number by glancing at your card.
Shield your Pin whenever you use it in public, including in the supermarket, and try not to use it for other purposes if at all possible.