

An industry that never sleeps, adopts new tech at lightning speed and sees its profits surge every year. If it were anything other than fraud, it would probably be celebrated.
But instead of improving the world, scammers use their enviable skills to enrich themselves at the expense of millions of us, conning us out of £1.17bn in the UK alone in 2024.
From stealing your phone number and using it to hack your entire life, to impersonating Which? itself with bogus consumer advice, there’s no depth too low for some criminals to sink in their pursuit of our cash. But with a few simple steps, you can reduce your risk of becoming their next victim.
A version of this article was originally published in Which? Tech Magazine, Jun/Jul 2026.

Imagine a thief at a bricks-and-mortar shop spending on your card, while the card itself remains tucked in your purse or wallet many miles away. It sounds like science fiction, but in fact it’s a distressing new frontier in card crime.
At its core, this scam involves a fraudster linking your credit or debit card details to a digital wallet (Apple Pay, Google Wallet or Samsung Pay) on a mobile phone in their possession. Once it’s set up, they can spend freely online or in person until they hit your credit limit or drain your balance.
An investigation for Which? Money magazine (Aug/Sep 2025, p34) revealed industry data showing the huge scale of the problem, with individual banks losing between £2m and £6m annually to these scams. Ultimately, these costs may be passed to all of us via higher interest rates or reduced account perks.
We also uncovered a weak point in many major banks’ security. Most still relied on one-time passcodes (OTPs) being sent by text during mobile wallet setup, despite more secure options being available. Our banking experts penalise this method when assessing banking security, precisely because texts can be intercepted or ‘socially engineered’ out of victims.
For more details on this scam, head to how fraudsters could steal your card without it ever leaving your wallet.

Which? itself is sometimes targeted in impersonation attempts. The most recent saw fraudsters on X adopt our logo and branding along with account handles @WhichukAsk and @whichukrep – worryingly similar to our own official account, @WhichUK.
The aim of the impostors was clear: to trick consumers into engaging with them instead of us, and to steal their personal information and money. The rogue accounts were suspended when we reported them to X, but this was far from the first impersonation we’ve had to fend off to protect the public.
A few months earlier, we learned of a copycat Which? website featuring a bogus article comparing different debit cards, falsely claiming to be written by our banking expert Chiara Cavaglieri. This, too, was taken down when we alerted the National Cyber Security Centre (NCSC). Our genuine site is which.co.uk.
Over the years we’ve seen many types of impersonation, including phishing scams and fake Best Buy badges. Even Which? staff have been kept on their toes by fraudulent emails purporting to be from our CEO, Anabel Hoult.
It’s because of this constant threat that we work with a brand protection partner to detect unauthorised use of our logo and brand name. Any trusted and well-known brand can be exploited by a fraudster.
We most frequently see this happen with big banks like Halifax, major retailers such as Currys and industry regulators including Ofgem. More recently, we reported on scam websites impersonating Tesco, Amazon and Boots. The goal is to trick you into divulging your personal data and/or making a payment.
Victims are tricked with fake login pages, surveys and competitions or government grants. They often face a barrage of frightening consequences, including unauthorised transactions, having their genuine bank account taken over or having new accounts and credit set up in their name.

You discover a suspicious transaction and hurriedly call your bank. It refunds you and cancels and replaces your card. You might breathe a sigh of relief at this point, but are you actually safe?
Victims are discovering that fraud follows them on the replacement card – sometimes before it has even landed on their doormat. This recurring fraud, which even happened to Which? fraud researcher Faye Lipson, can occur because of an invisible background technology, known as automatic billing updaters (ABU), run by card schemes American Express, Mastercard and Visa.
When your bank issues a new card, ABUs automatically pass the new long card number and expiry date to participating merchants. This is designed to remove the burden of manual updates from consumers; it means subscriptions such as Netflix and Spotify continue seamlessly. Mobile wallets such as Apple Pay and Google Wallet are also updated automatically.
The problem is that not all such accounts are set up by the genuine cardholder. Sometimes fraudsters add your stolen card details to an online account or mobile wallet in their control. These fraudster-controlled accounts are then updated via ABU, allowing spending to resume on your replacement card.
To stop this cycle, replacing a card isn’t enough. Your issuer (normally your bank) must actually break the link so that fraudulent accounts and wallets stop receiving ABU updates. This should happen when customers report fraud, but it’s clear that sometimes the link remains.
When we published an article in January about Faye’s experience, we received emails from others claiming that this had happened to them, too.

Your mobile phone number is the gateway to your finances, and scammers want to steal it. If they can transfer your number to their own Sim card, they can intercept OTPs to unlock your online accounts.
Businesses are vulnerable to this too – the 2025 cyberattacks on M&S and the Co-op were reported to involve Sim-swapping.
Bigger banks work with mobile networks to check whether a Sim has recently been swapped or ported before sending sensitive data by SMS, but many other payment providers don’t.
Fraud prevention service Cifas recently reported a 38% spike in unauthorised Sim swaps, rising from 3,645 to 5,058 in 2025. A third of victims are aged 61 and above. It predicts that attacks will continue to rise, warning that criminals are leveraging AI to create ‘hyper-personalised’ scams, and using deepfake audio to fool call centres.

Barely a week goes by without someone contacting Which? to report a subscription scam after finding recurring card payments to companies they’ve never heard of.
We’ve unmasked many tactics in recent years, including fake QR code stickers linked to phishing websites at car parks and other public places, misleading adverts on search engines and fake competitions spread via social media. Charges can be ludicrous, such as £50 a month for worthless digital recipes.
Social media sites crop up in many reports to us. You might be tempted by a ‘free’ trial to a health and beauty supplement, for example, or come across competitions to ‘win’ mystery boxes and cheap goods from popular retailers such as Boots and Screwfix.
In February last year, we spotted fake Decathlon surveys shared by multiple Facebook users, offering the chance to win a North Face backpack. Every visitor was ‘the lucky one’, with only two minutes to claim their prize, paying £3 to cover delivery costs. Decathlon confirmed it had nothing to do with these surveys. The backpacks were never delivered.
The small print hidden at the bottom of the webpage revealed that visitors were giving their card details to a website called ‘blogzone.io’, which charged £3 for three days and £46 every 14 days thereafter. We contacted the company behind this website – Cyprus-based Artez Ltd – and reported the posts to Meta (which owns Facebook), but didn’t hear back from either.
The volume of reports we’re seeing suggests that rogue subscription businesses are running riot.
Mastercard and Visa can fine ‘merchant acquirers’ – which enable online businesses to accept credit and debit card payments – for excessive fraud rates, or boot them off the network. It’s clear that some of these acquirers have poor due diligence.
You can cancel subscriptions by contacting your card provider, but you may face a battle to get refunded because firms see these as authorised transactions. We think they often fail to acknowledge that the ‘authority’ is only gained through misleading adverts and other underhand tactics, which can be impossible to prove.
If you need to challenge your bank, explain clearly that this is not simply a ‘dispute’ with a reputable retailer, and you did not consent to recurring payments. If you’re not happy with the outcome, escalate your case to the Financial Ombudsman Service.
Article adapted for online publication by Natalie Turner, June 2026.