Why cancelling your card might not stop fraud

Fraudsters could receive your replacement card details without you knowing. Here’s what happened when Which? senior researcher Faye had her card compromised

Did you know a fraudster can sometimes keep spending on your card even after you’ve cancelled it and received a replacement? I didn’t, until it happened to me. 

The festive season brings an increased risk of fraud on credit and debit cards, as scammers use fake and copycat shopping sites to trick us into parting with our card details.

What many people don’t realise is that spotting fraudulent payments and getting a new card doesn’t always end the problem. In some cases, fraudsters who’ve saved your details online can automatically receive your new card information.

Here's how that can happen and what you can do to protect yourself. 

My experience of repeat card fraud

In July, I was relaxing by the pool on a family holiday in Cyprus when my bank called me out of the blue.

I wasn't sure if the call was legitimate, so I calmly hung up and called back using the number on my card. I learned it was a genuine attempt by the fraud team to query suspicious attempted transactions with Uber and other retailers.

None of those attempts had actually been successful. My card was cancelled and replaced, landing on my doormat a few days after I returned to the UK.

Just one month later, the fraud started up again on the replacement card. This time though, payments were successfully taken by Uber using my new details from my replacement card.

As a fraud expert myself, I am well versed in spotting scams and I am very careful to only input my card details into trusted sites. So how had my new card been compromised so quickly?

The most likely cause was that my former card details had been saved on a fraudster's Uber account during the first attempt (a month earlier). When my card was cancelled and replaced, this fraudulent account was automatically updated with my replacement card details thanks to something called the Visa Automatic Billing Updater (VAU). 

My card had to be replaced again, and this time my bank performed what it termed a 'full wipe', which prevented my card from being auto-updated on any online accounts or wallets. I then updated them all manually with my new card (the third one).

One of the fraudulent payments was reimbursed by my bank, and the other was reimbursed by Uber, which apologised for my experience and suspended the user account that defrauded me.

The experience of recurrent fraud was inconvenient and stressful. Although I was vaguely aware of updater services, I was not aware that a replacement card in the context of suspected fraud could still be compromised in this way. 

When I began researching my experience, I found many other reports on online forums, such as Reddit, from cardholders who believe they've experienced this type of recurrent fraud due to automatic updater services.

How card updater services work

Experiences like mine are possible because the three main card schemes – Visa, Mastercard and American Express (Amex) – all have 'updater' services. 

While Visa operates the VAU, Mastercard runs Automatic Billing Updater (ABU) and Amex calls its scheme Cardrefresher. Both banks and merchants, such as Uber, can choose to opt into these services. 

These schemes ensure that when you save your card details with a merchant and your card is cancelled or expires, the merchant automatically receives your new card details.

They are intended to prevent disruption to recurring payments, such as subscriptions, when a card expires or is replaced. They also mean you don’t have to update your details across every online account where your card is saved.

Which? understands that many big-name retailers are opted into these schemes, and banks can also turn them on by default for customers.

Why updater services can lead to repeat fraud

Because many people are unaware of updater schemes, they may not be aware of the risk of recurrent fraud, or know what options are available to prevent it.

Problems can arise when a fraudster obtains your card details (for example, via a big data breach, a phishing email or a shopping scam) and saves them to an online account they control, in order to spend your cash.

Even if you or your bank spot the fraudulent payments (or attempted payments) and your card is cancelled and replaced, there's a risk the fraudulent account could be automatically updated with your replacement card details, and spending can resume.

But there are ways to stop it. Your issuing bank (the one which has issued your card) can break the link, ensuring online accounts won't be updated – something my bank's fraud team termed a 'full wipe' when I was on the phone with them.

Be aware that once you manually add your new card details back to your legitimate accounts, those accounts may be eligible for automatic updates again in future.

You can also ask your bank to opt you out of updater services entirely, meaning your card details will never be updated automatically.
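The flow described above can be modelled in a few lines. This is an added illustration, not code from Which? or from any card scheme: it is a simplified model, not the real VAU, ABU or Cardrefresher interface, and the class names, merchant names and card labels are all constructed. It also models the per-merchant stop that Visa describes in its statement to Which?.

```python
# Simplified model of a card-updater service (constructed; not a real scheme API).
from dataclasses import dataclass, field

@dataclass
class Issuer:
    opted_out: bool = False                              # cardholder opted out entirely
    blocked_merchants: set = field(default_factory=set)  # per-merchant stop
    updates: dict = field(default_factory=dict)          # old card -> new card

    def replace_card(self, old, new, full_wipe=False):
        """Issue a replacement; publish old->new unless updates are suppressed."""
        if not (self.opted_out or full_wipe):
            self.updates[old] = new
        return new

@dataclass
class Merchant:
    name: str
    enrolled: bool = True                                # merchant opted in
    cards_on_file: dict = field(default_factory=dict)    # account -> saved card

    def refresh(self, issuer):
        """Apply any published updates; return the accounts that changed."""
        changed = []
        if not self.enrolled or self.name in issuer.blocked_merchants:
            return changed
        for account, card in self.cards_on_file.items():
            if card in issuer.updates:
                self.cards_on_file[account] = issuer.updates[card]
                changed.append(account)
        return changed

def scenario(full_wipe=False, opted_out=False, blocked=()):
    """Replace CARD-1 with CARD-2 and report which saved accounts got the new card."""
    issuer = Issuer(opted_out=opted_out, blocked_merchants=set(blocked))
    # Constructed sample data: the same card saved on a fraudster's account
    # at one merchant and on the cardholder's own account at another.
    ride = Merchant("ride-app", cards_on_file={"fraudster": "CARD-1"})
    sub = Merchant("streaming", cards_on_file={"cardholder": "CARD-1"})
    issuer.replace_card("CARD-1", "CARD-2", full_wipe=full_wipe)
    return {m.name: m.refresh(issuer) for m in (ride, sub)}

if __name__ == "__main__":
    print("default      ", scenario())
    print("full wipe    ", scenario(full_wipe=True))
    print("merchant stop", scenario(blocked=["ride-app"]))
    print("opt out      ", scenario(opted_out=True))
```

In the default case the updater cannot tell the fraudster's saved card from the cardholder's own, so both accounts receive the replacement; every protective option also cuts off at least some legitimate accounts, which is why they then need updating by hand.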

How to reduce the risk of repeat card fraud

You can take steps to prevent your card details being compromised, and to prevent recurrent fraud:

  • Learn how to spot a phishing message or an online shopping scam, to avoid handing your card details to a fraudster.
  • Don't save your card details on online accounts unless there’s a clear benefit, such as keeping essential subscriptions running or paying for transport late at night.
  • If you spot unauthorised transactions, report them to your bank immediately to cancel and replace your card. You shouldn't be left out of pocket for fraud you didn’t authorise. 
  • Ask your bank to 'wipe' online accounts and wallets associated with your card, to stop them being auto-updated. Alternatively, you can opt out of updater schemes altogether. (Be aware that both these options mean you'll need to update genuine accounts manually.)
  • Keep an eye on your account in the months after card fraud, to monitor for more suspicious transactions, and query anything unexpected immediately.

What the card schemes say

Visa told Which? that its VAU service is designed to ensure retailers have up-to-date card details where customers have agreed for their information to be stored. It said the service aims to benefit cardholders by preventing disruption to payments, such as insurance or subscription services, when a card is reissued, removing the inconvenience of updating details manually.

Visa added: 'Cardholders can opt out of VAU completely or stop updates being sent to a specific merchant by contacting their card-issuing bank.'

Mastercard explained that its ABU is a paid-for service for banks, acquirers, and merchants. It said that in the event of lost or stolen cards, the service enables issuers to disable ABU and block updates to merchants, preventing them from receiving updated card information. Consumers can enquire about opting out of ABU by contacting their issuer.  

Amex told us that merchants can opt into its Cardrefresher scheme and that it works with merchants to protect consumers when abuse is identified. It added that cardholders are not liable for unauthorised charges.

Have you experienced recurrent card fraud?

Have you experienced continuing card fraud using your new card details after your old card was cancelled? Share your story at yourstory@which.co.uk and help Which? investigate and better understand this type of fraud.