Scammers impersonate well-known brands to link your card details to their own digital wallets

International organised crime groups impersonating well-known brands and retailers are attempting to steal your card information, warn Cifas, the Cyber Defence Alliance and UK Finance.
These scams typically begin as texts, such as those offering to help with your bills or telling you about a parking charge, or as social media ads boasting too-good-to-be-true offers or closing down sales. They lead to malicious websites which ask for your card details.
Below, we tell you how to spot, avoid and report these scams.
Stealing bank details
Cifas has warned that once your bank details have been entered into scam websites impersonating recognised brands, you are sent a one-time passcode (OTP) via text.
This OTP has been requested by the criminals from your bank, now that they have your details.
On the scam website, you're then asked to enter your OTP.
Once the OTP has been entered, the criminals can link your bank account to their digital wallet, such as Apple, Google or Samsung Pay, and make both online and in-store payments.
Scammers also sell on these card details to other criminals.
Amazon and O2 scam texts


Which? found two examples of this type of scam which started as texts impersonating O2 and Amazon and led to convincing fake websites asking for personal and card information.
A dodgy text sent from a random number tells you that there's a ‘significant price reduction’ on one of your recent Amazon orders. You’re told you are eligible for a refund for the price difference and encouraged to follow a malicious link.
Which? followed the link and was led to a convincing copycat Amazon website. This website mimicked the platform’s login page and prompted you to enter the email address or phone number associated with your Amazon account.
Another scam text currently circulating impersonates mobile network O2 and tells you that your ‘O2 sim will be disabled due to failure to accept O2's privacy policy’.
You are also encouraged to follow a link to accept the privacy policy.
We followed this link and discovered a fake O2 login page. When we entered bogus details, we were asked for our phone number, name, date of birth, home address and bank card information to ‘update’ our account.
Spotting and reporting scams
If you come across a suspicious text or ad, some signs that it might be a scam are:
- The message was unexpected.
- The offer is really low or free.
- A message or ad asks you to follow a link.
- You are being rushed to make a decision.
- It requests payment or personal information.
- It contains spelling and grammatical errors.
You should never share an OTP sent to you if someone requests it. These passwords should only be used by you.
You can report scam ads to the Advertising Standards Authority.
You can report scam text messages by forwarding the message to 7726, and malicious websites can be reported to the National Cyber Security Centre. Scam texts impersonating Amazon can be reported to Amazon.
If you lose any money to a scam, call your bank immediately using the number on the back of your bank card and report it to Action Fraud, or call the police on 101 if you’re in Scotland.