Why replacing your bank card might not stop scammers from spending your money

Having worked at the BBC and in commercial radio before joining Which?, James produces our always-on podcasts, and oversaw the launch of our member-exclusive podcasts in 2025.

We’ve reported before that fraudsters can keep on spending your money even if you replace your card due to a little-known feature of debit and credit cards. So we’ve investigated to see whether the banking industry is making it harder for scammers.
In this episode of Which? Money, our scams and fraud expert Faye Lipson explains what an automatic billing updater is and how handy it is when our cards expire. But she also unpacks how it aids financial criminals to maintain access to our money once they’ve already scammed us.
Faye tells us how she investigated nine banking brands and card providers to find out what processes they have in place to protect our money from scammers. She also details any inadequacies she saw during her research.
Plus, she shares her expert advice on what to do if your card details have been compromised to ensure you get all your money back.
James Rowe: It usually feels pretty bleak when we talk about scams on the podcast because it usually means fraudsters have found yet another way to get a hold of our money. But is the banking industry doing enough to keep you and me safe? Let's discuss that on this episode of Which? Money.
James Rowe: Hello, it's James in the Which? studio alongside our scams and fraud expert Faye Lipson. Faye, hello.
Faye Lipson: Hiya.
James Rowe: How are you?
Faye Lipson: I'm good, thank you. How are you?
James Rowe: I'm very good, thanks. Now, I said it's always pretty bleak to talk about scams and fraud. You deal with it on a day-to-day basis. Does it always feel pretty bleak to you when you uncover a new tactic by fraudsters?
Faye Lipson: Yeah, it can be a sharp intake of breath when you see what they're doing next. But there are some very cool tools coming out as well which can block their attempts. So, it can be uplifting at times. But yes, generally speaking.
James Rowe: It's ever-evolving on the fraudster side, but also on the prevention side, which is always good. Now, I've got this eight-page spread that you wrote about card fraud and the way card fraud is evolving. You wrote this for the latest Which? Money magazine. We're going to dive into it in just a second. But people might remember you were on the podcast with us a few months ago talking about a time when you were a scam victim. Do you want to just set the scene for us? Do you want to take us back to your – was it your summer holiday last year when it happened?
Faye Lipson: It was, almost a year ago now. So, yes, I always say anyone can be a victim of fraud, and it happened to me. It's happened to me more than once, in fact. Yeah, I was on holiday in Cyprus and we were having a nice time, we were by the pool, and then I got the phone call that nobody wants from somebody that's claiming to be from your bank's fraud team and saying there's suspicious transactions on your account. Me being me, I thought it was fake, thought it was a scam. But when I rang back, it was actually real, and there had been attempts on my card.
James Rowe: So, you did the right thing. I remember you told us you actually hung up and called the bank yourself to make sure it wasn't a fake number. They issued you with a new card. You thought that was the end of it, but then something else happened.
Faye Lipson: That's right, yeah. So, the new card landed on my doormat, I thought all was well. And then about a month later, some payments started up that I hadn't made. They were for Uber One, which is a subscription service on Uber. And Uber had been one of the attempted transactions originally when I was in Cyprus. So, that got me thinking that the two were linked. And then I dimly remembered that sometimes when you cancel your card or your card expires and you get a new one, there are accounts like Netflix, for example, that seem to just automatically get your new card details. And I thought, I wonder if that's what's happened here, but for the fraudster's account – the account the fraudster controls on Uber. And I spoke to my bank fraud team and they said, yes, that can happen, it does happen, and that's likely what has happened, and we will cut that link now to stop it auto-updating. And we will issue you yet another card that the fraudster's account won't receive.
James Rowe: So, what happened in that first instance: the fraudsters had your original card details, that card was cancelled, but because of this legitimate process that card providers offer as a service to us all, those new card details just automatically updated for the fraudster. So, they still had your new details.
Faye Lipson: Yes, exactly that. So, it's meant to be really convenient, isn't it? And when it's on a genuine account, it is, for the most part. You get a new card and you don't have to log in to all of your subscriptions and all of your mobile wallets and change all of your card details. That's why that service exists. But then it goes wrong when there's an account that a fraudster controls where they've uploaded your stolen card details. And then sometimes this process – if that link isn't severed by the bank, which sometimes it isn't, sometimes things go wrong – if it's not severed, then the fraudster can receive your new card details. So, the fraud doesn't stop, it just carries on.
James Rowe: So, it's always a good point to make here, just to always be aware of what's going in and out of your own bank account because it'll give you a bit of a clue. All these big card schemes provide this service. What do we call it? They all have different names for it, don't they?
Faye Lipson: Yeah, they do. So, we just call it the automatic billing updater because that's just a catch-all phrase, but they all have different names for it. So, for example, American Express calls it Card Refresher, Mastercard calls it the Mastercard Automatic Billing Updater, and Visa calls it the Visa Account Updater. So, it's slightly unhelpful. When you call your bank, you've got to look at the card that you've got and see what card scheme it's on before you know the correct terminology for asking your bank about this. It can be a bit complex for customers, certainly.
James Rowe: But in normal cases, is it fair to say that this service that these card providers offer is a really handy, really legitimate service just to sort of help make our lives a bit easier?
Faye Lipson: It can be, and I think for a lot of people who have their card details saved on lots of accounts, saved on lots of subscriptions or in multiple mobile wallets, for example, then this probably does save people a lot of time. But it goes wrong, unfortunately, when the fraudsters are saving your card details. And that's the thing that I think the industry hasn't quite figured out yet.
James Rowe: Yeah, I don't think I was even aware of this service until you joined us on the podcast last time. And then I think I clocked that the last time I'd got some new cards because they'd expired, on Apple Wallet, for example, I think they just automatically updated. But I just wasn't aware beforehand. As you say, though, it does have these unintended consequences if your card has been stolen or your details have been compromised, like it did for you. And also, you've been speaking to some Which? members as well because a lot of them also had this same circumstance where their new card – where the new card details were given automatically to the fraudster.
Faye Lipson: Yes, so when we published the story about my experience, we did hear from people saying that they'd had really similar experiences and that fraudster-controlled accounts and wallets had been auto-updated and allowed to continue spending.
James Rowe: Can we be forgiven for not knowing that this exists? Because, as I say, I didn't know it existed. I feel like I'm not the only one. Can we be forgiven for just sort of accepting that this happens and it's just a part of life?
Faye Lipson: It's just a really obscure piece of tech, and it's meant to run in the background. It's quite nerdy, even, you know? And there's really very little public-facing information about it from the big card schemes – Amex, Visa, and Mastercard – or from most of the banks. A few of the banks have got something on it, but most of them haven't. So, there's no reason why customers would actually know anything about this or about the possibility of this sometimes enabling fraud to continue.
James Rowe: You say customers might not know a lot about them, but I wonder how much employees of banks or card providers know about it. We'll get to that shortly because you have been doing some research into this. You've been doing an investigation into – we'll call it ABU for the sake of it today – this automatic billing updater. But I think people might be wondering why card fraud is so prevalent at the moment. Have you got any – can you give us some numbers about how prevalent it actually is at the moment?
Faye Lipson: Yeah, so we did a public survey to find this out, and we found that 14% of people had experienced card fraud in the last two years alone. You know, more than one in 10 people. It's a really common experience for people. And card fraud did dip a few years ago, but it's really rebounded now. I think fraudsters are finding it really lucrative. And as more people are saving their card details in different places, using wallets and so on, or being caught by fishing attempts and fake shopping websites, for example, people are compromising their own card details, and fraudsters are spending away on those.
James Rowe: I was really surprised, again going back to this piece that you wrote for the Which? Money magazine – Which? members will have read this in the latest issue – that number goes even higher for a younger part of the demographic. For 25 to 34-year-olds, it's one-fifth of people who responded to your survey said they'd been affected by card fraud. I'm surprised in a way that this younger group are targeted more often or are victims more often. Were you surprised by that?
Faye Lipson: Yeah, it's interesting, isn't it? I suppose perhaps they're the most active in terms of subscriptions and having more of their card details stored online, and so perhaps they may be more vulnerable to data breaches and things like that.
James Rowe: Now, that was not the only thing I've been reading recently. Maybe you, as well as I, have been reading UK Finance's annual fraud report of 2026. Have you given this a thumb?
Faye Lipson: It's a cracking read, yeah.
James Rowe: I tell you, it's a great read. I've just pulled out a few more stats as well because it gives us a bit of an idea into how prevalent fraud is at the moment. Their report suggested that eight people every minute are a victim of fraud, and £2,500 is being lost every minute. And in 2025, the number of cases compared to 2024 had risen by 11%.
Faye Lipson: Yeah, I know. And some particular types of fraud have soared even more than that. Yeah, it's the crime that keeps on giving, really. It's the crime that people are most likely to experience in their lives in the UK.
James Rowe: And as I say, you write about this, you cover this for Which? day in, day out. I guess, in a way, it doesn't actually surprise you because you see the new tactics that fraudsters are coming up with that just make it almost really easy for them to do what they want to try and do and trick us all, right?
Faye Lipson: Absolutely. They're not hampered by the law or compliance teams or anything that legitimate businesses have to do. So, they can just move with incredible speed to embrace new technology and new tactics and methods.
James Rowe: Now, getting back to our physical cards, fraudsters are able to add our cards to their own digital wallets, so we're talking things like Apple Pay and Google Pay, which I guess makes it even easier for them to then go and spend our money. How are they managing to do this?
Faye Lipson: Yeah, it's really, really clever. The way it's done often is that you'll see, as a victim, a fake shopping website or a really good fake online deal or something advertised on social media, and you'll click through and you'll think you're buying something. And you'll input your card details onto this fake shopping website. And there's a criminal at the other end actually monitoring this in real time. And as you are inputting your card details, they are inputting your card details into the wallet setup process – Google Pay or Apple Pay or something – on a device they control. And then they generate a one-time passcode to your phone. And that's part of the wallet setup process, but you think you're just approving the purchase that you think you're making. So, you get that one-time passcode and you input it onto the fake shopping website. That's the final piece of the puzzle that the fraudster needs, and then they can finish setting up that wallet. And then it's fully ready to go, and they can tap and spend on it.
James Rowe: It's remarkable. I'm trying to put myself in the position of the person who's being scammed and the scammer at this time. So, the scammer is goodness knows where, and they are seeing you type in your card number and then the three digits on the back. And they're taking those numbers and typing them into their phone to set up your card details on their Apple Wallet, for example. Their last piece of the puzzle says that they need a one-time passcode from the card, and then they basically ask you for it. It pings on your phone, you send them the number, and then bish, bash, bosh, they've got everything they need, right?
Faye Lipson: Exactly. You just think you're buying, I don't know, bulk-buying toilet roll or something. Really great deal, but you're actually letting a fraudster set up your card on their Apple Pay.
James Rowe: I guess this is such an easy target for scammers as well because so many of us are now relying on Apple Pay, on Google Pay, because there's no limit on how much you can buy using that. It's almost more convenient than using chip and pin or – well, not maybe not chip and pin, but contactless card, where there is usually sort of like an upper limit of £100 usually.
Faye Lipson: Yes, so the limits have been lifted now, but a lot of banks have kept them in place for the time being. So, yeah, that's very much the case. And it's really good for the fraudster because they can make in-person purchases, and also wallets are kind of plugged into a lot of websites as well. So, they can shop online or in person using your card in their wallet.
James Rowe: Because if they had your physical card, they would perhaps be limited by a contactless payment of £100, which most providers still have. But if they've got an Apple Wallet, they could sort of tap away and spend £200, £300 – it goes on and on, doesn't it? It's just crazy. How would you give somebody some advice to be wary of this kind of thing?
Faye Lipson: Yeah, you really have to make sure that any site or app that you're giving your card details to is completely legitimate. And just do your research. Look at the website, look at the age of the website.
James Rowe: How would you do that?
Faye Lipson: Yes, so there's – it's called ICANN, it's a lookup service where you can look up domains and see when they were registered. If you're following an ad on social media, really click through, look at that profile, see when that profile was created. Is it verified? Does it look completely legitimate or are there odd things about it? If in doubt, just don't. You've got to be really sure before you hand over your card details.
James Rowe: And the website who.is, you must have used this one before as well.
Faye Lipson: Yes, that's an alternative to ICANN, that's also a really good service for looking up the age of a website or when it was created.
James Rowe: And it's just a case of copying the URL, isn't it, and pasting it into one of these websites. I tried it on who.is a little bit earlier on for which.co.uk. So, I copied which.co.uk, pasted it into who.is, and it said it was registered back in 1996.
Faye Lipson: Ancient, isn't it?
James Rowe: It is. So, it gives us a bit of an idea – that will give you a bit of an idea maybe about how trustworthy this website is. Because we're sitting here, it's summer of 2026. If it said the website was registered in May 2026, you might get alarm bells there, wouldn't you?
Faye Lipson: Definitely, definitely.
James Rowe: Okay, let's get back to this process of ABU that we were talking about a little bit earlier on. So, when – let's say, in your instance, where your card details had been compromised and then the bank sends you a new card. They are meant to sort of cut this link between your old card and your new card. That's what they're meant to do, but it's not necessarily always happening, and it certainly didn't in your case.
Faye Lipson: Yes, so most of the time, they will cut this link so any fraudster-controlled accounts and wallets do not receive your card details. But things can go wrong. Sometimes, fraud teams can be under pressure – time pressure, lots of targets – and they might miss something or not cut that link off. I've also been told that sometimes, even when that link is cut off, retailers or payment firms that are in between the retailer and you can sort of somehow circumvent it. They can like reprocess the payment, and it gets round the block. So, it's really technical, but basically this link isn't always broken, and that's what means that sometimes the fraudster gets your new card details.
James Rowe: And with ABU, it's set up there as default, it's fair to say. But you can opt out of it to begin with, but it will obviously cause a bit of disruption if you were to then get a new card or that kind of thing.
Faye Lipson: That's the thing. So, lots of customers can't opt out. That's what we found. So, when we first talked about this earlier this year and we went to the card schemes, Visa and Mastercard said, "Oh, you can approach your bank as a customer and ask about opting out," which sounded really promising.
James Rowe: Because you would have to speak to the bank rather than Visa or Mastercard.
Faye Lipson: That's right. So, Visa and Mastercard kind of run in the background and don't interact with customers. Customers, when they have a problem, need to speak to their bank. So, the bank's responsible for opting people in or out of this invisible technology, basically. So, we thought we'd put that to the test. And when we did put it to the test, we found that most customers actually can't opt out – the bank doesn't let them, and they don't have that control, which was really disappointing. We think, even though this is convenient and many people would want to keep it on, people should have that choice, especially with fraud in mind.
James Rowe: Yeah, I remember when you last joined us, you said you were going to investigate this further to find out whether or not banks understand their obligations around this as well. So, give us a bit of an insight into what you did. Did you try and speak to certain banks on the high street or some of these newer digital banks as well?
Faye Lipson: Yes, we spoke to a mix of high street and newer digital banks and building societies. And we kind of just went in as ordinary customers and said, "We've heard about this billing updater service, and we're worried about fraud and we'd like to opt out." In most cases, the customer service rep at the bank had no idea what we were talking about initially. It was only Starling and Monzo that seemed to straight away grasp what we were talking about. Most of the other banks and providers, their staff seemed quite confused by the request, and it didn't sound like something they were kind of fully aware of themselves.
James Rowe: Why do you think this is? Is it because you didn't – I'm just looking at what we talked about before, this specific terminology for each of the cards. Did they not understand the terminology you used?
Faye Lipson: I think because there's almost no customer-facing information, probably they don't often hear from customers asking about it, perhaps they're not always trained in it themselves. And it really does run under the bonnet kind of stuff. And they may be only aware of it when it seems to cause recurring fraud, but it's not something they think about or is a big part of their training. But, yeah, they were all quite confused. And in the end, Monzo, during that undercover research, was the only one that offered an opt-out process during that research. There were others subsequently, when we went to them, that said, "Oh, we do, actually. You should have been offered." But Monzo was the only one to do it at the time. And you have to cancel your card to opt out. So, it's not terribly convenient, but they seem to be the best of the bunch in that regard.
James Rowe: Were you surprised by what you found?
Faye Lipson: Not really. I think it's just one of those things that hasn't been publicised, it's not something that people know they can ask about, and body staff don't know because they never hear about it from the customers. But it was disappointing, especially given the link with possible recurring fraud, that people don't really seem to have the power to get themselves out of that.
James Rowe: Presumably then, you weren't satisfied with what you found in that. Because I guess you were hoping that you would go to all these card providers or the banks and you would say, "I would like to opt out," and they would say, "Yes, no problem, here's what you do." You wanted to hear that presumably, and you didn't across the board.
Faye Lipson: No, so Monzo was the only one at the time. And then later on, when we went to these banks and providers with what we found, American Express, Amex, said that they do let cardholders opt out and we should have been offered that option. You're supposed to call the number on the back of your card. And then Starling and Monzo and NatWest said that they will opt a customer's card out of this billing updater if the customer is a victim of fraud. So, they take it upon themselves to opt you out. So, that's like a complete block on fraudsters getting your details. And then Starling had an interesting workaround, really, in that if you cancel your card for any reason – doesn't have to be fraud, you just cancel and request a new one for any reason – they will opt you out. So, it's kind of – it's not advertised as a way of opting out, but it is a way of opting out. So, it was really, really varied, and not well advertised. And then staff can't really help you action it in most cases. So, yeah, most people really don't have much control over whether they're opted into this.
James Rowe: And you were taking us through some of the responses from the banks there, just to say you can read all of the responses from all the banks that were involved in Faye's research on our website. There's a link in the show notes to read those. There's also something that banks call, or you called, or I've written in my notes at least, called a merchant block.
Faye Lipson: Yes.
James Rowe: What's that?
Faye Lipson: So, this is often, not always, but often used as an alternative to opting the customer out of this billing updater. What they will do instead is identify the individual fraudulent transactions that have been attempted by the fraudster and try and block those so that the fraudsters don't get your new card details. So, it's like a case-by-case kind of thing rather than a comprehensive opting you out of the billing updater entirely. But it can have some unintended consequences. So, it could, in some cases, actually prevent you as the genuine cardholder from shopping with those blocked retailers. So, it's not, in my view, great. And it is also, I think, by its nature, reliant on the bank fraud team actually spotting every single attempted fraudulent transaction and cutting that link off. And as I heard during this investigation from a banking insider, they can be under pressure – time pressure, targets – it may not always happen. So, yeah, merchant block is used, but it can be problematic sometimes.
James Rowe: It's not a straightforward fix then, no matter which angle you come at this from. Should we do some advice? And I wonder whether or not we sort of block this out into people who have been victims of this kind of fraud and then people who are just a bit wary. So, if you have been a victim of card fraud, should you get in touch with your bank ASAP and tell them what we've been discussing about ABU and ask them to do, you know, to make this cut to help make it easier for you in the future?
Faye Lipson: Absolutely. So, if you're a victim of card fraud and you can see all these suspicious transactions you haven't made, absolutely contact your bank, ASAP, immediately. Get them to cancel the card. They should reimburse you for all of those payments that you didn't make. And you can ask them explicitly whether they have definitely broken the link between your card and any fraudster-controlled accounts or wallets the fraudster might have set up. And you can be explicit about that. I think it's good to remind the fraud team that that's a possibility. And then afterwards, it's a very good idea to closely monitor your account. You might do that by logging in and looking at your statement, or you might set up push notifications for spending from your mobile app so you can see in real time when spending's happening. So, yeah, it's a case, sadly, of ongoing vigilance as well, not just assuming that all will definitely be well because the card was cancelled and replaced.
James Rowe: Because I guess in this instance, if you do ask them to perform this like sever between your old card and your new card, there's no real – I'm not trying to doubt what the banks have done, but there's no real proof that it's happened. So, it's best to be vigilant and just to keep an eye on your bank statements and your push notifications, make sure nothing is actually happening after that.
Faye Lipson: Yeah. So, some banks will have opted you out, but you can never be too careful, really, monitoring your account.
James Rowe: And what about people who have been listening to us talk, or they've read your piece in the mag or on the website, where they think, "I don't want this convenience of having my new card details updated all the time." Would you advise people to opt out generally?
Faye Lipson: So, if they're willing to do the work of manually, every time their card is replaced or expired, manually logging in and changing their card details themselves, and they're worried about the risk of recurring fraud, then that's something you can enquire about. But, obviously, they may run into difficulties – we certainly did in our undercover research. They may find that that's not an option or it's not offered. And if they're unhappy with what their bank's offered them or not offered them, they can make a formal complaint to the bank, and then ultimately the Financial Ombudsman Service if they're still unhappy.
James Rowe: Plenty to take away from that then. Before I let you go, what have you seen lately in the world of scams? Any new tactics to watch out for, anything new on the horizon that you really want to warn us about?
Faye Lipson: Yeah, so romance scams, sadly, and investment scams are absolutely soaring. And sometimes you can get a horribly hybrid of both where you start to be wooed and groomed by somebody on a dating site, and then they introduce an investment opportunity and claim they've made lots of money from it. So, these are two to be really wary of, especially if you're into online dating at the moment.
James Rowe: One to keep an eye on. And, of course, our scam alert newsletter comes out every Thursday, worth signing up for that. It'll detail all of the latest scams that we've seen. There's around half a million people who have signed up for that, so be sure to be one of those and join in. We'll pop a link to sign up in the show notes. What next for you, Faye? Are you working on anything new, scam or fraud-related? Or have you got a new magazine piece coming from you anytime soon?
Faye Lipson: Yes, I'm looking at the moment at fraudulent financial ads offering investment advice and investment schemes and financial services where people don't actually have the legal right to post those ads. So, stay tuned for that.
James Rowe: Lovely stuff. We'll keep an eye out in the mags, and then we'll have you on the podcast again soon as well, no doubt about it. Faye, thanks very much for your time.
Faye Lipson: Thank you.
James Rowe: That brings to an end another podcast from Which?. There's loads more for you to read about everything we discussed today. Just head to the episode description for more useful everyday advice. There, you'll also find an exclusive offer for podcast listeners like you to become a Which? member for 50% off the usual price, giving you access to our product reviews, our app, one-to-one personalised buying advice, and every issue of Which? magazine across the year. Plus, your membership helps us to make life simpler, fairer, and safer for everyone. If you'd like to know when we release a new episode, then make sure you press subscribe wherever you're listening. That way, you can be one of the first to listen. And for any questions, comments, or anything in between, follow us on social media @WhichUK or email us podcasts@which.co.uk. Goodbye.
Outsmart the fraudsters
free newsletter
Sign up for our free Scam Alerts service.
Our Scam Alerts newsletter delivers scams-related content, along with other information about Which? Group products and services. We won't keep sending you the newsletter if you don't want it – unsubscribe whenever you want. Your data will be processed in accordance with our privacy notice.
More podcasts from Which?
The Which? podcast showcases the best content from across our website and magazine.
In our Which? Money episodes, released on Fridays, we give advice to help you get on top of your bills and tackle the issues hitting your pocket, whether that's spiralling energy costs or your weekly food shop.
The Which? Shorts podcasts offer you a free insight into some of our favourite articles from our suite of magazines.
Plus, keep an eye out for bonus episodes that tackle important issues, from motoring and tech to health and wellbeing and travel.
How to listen to the Which? podcast
We're always releasing new episodes, and the podcast is available from wherever you usually get your podcasts.
Subscribe using one of the links below, or click this link on your mobile to find us in your favourite podcast app.
As part of your subscription, Which? members also get access to exclusive podcasts.
- Listen to member-exclusive podcasts on our website
- Listen on the go by downloading our app on Google Play
- Listen on the go by downloading our app from the App Store
If you're not already a member, podcast listeners can get 50% off the first year of an annual membership.



