Credit-card scams: phishing, skimming, and identity theft
The common scam patterns and how to spot them. Real bank fraud departments don't ask for your full card number, CVV, or SSN.
Credit-card scams have grown more sophisticated in 2026. Some target the cardholder directly via phishing, fake calls, and social engineering; others exploit merchants and account takeover. Understanding the common scam patterns helps you spot them before they cost you. Most people lose money to a small set of attack types. This guide covers each one, its warning signs, and what to do if you're hit.
Phishing phone calls
The most common scam is a phone call that appears to come from your credit-card issuer. Caller ID is often spoofed to show "Bank of America" or "Chase Customer Service."
Typical script
- "Hi, this is John from Chase fraud prevention. We've detected suspicious activity on your account."
- "A charge for $XXX at [merchant] just came through. Can you confirm if this is yours?"
- You say no.
- "OK, we'll need to verify your identity to dispute this. Can you confirm your card number? Your CVV? Your social?"
Real bank fraud departments NEVER ask for your full card number, CVV, or PIN over the phone. They already have your account info. If they really called you, they'd say "the last 4 of your card are XXXX, can you verify any large recent transactions?" They'd never ask you to provide your card number.
What to do
- Hang up immediately.
- Call your bank back using the number on the back of your card. Verify whether they actually called.
- If a charge actually was disputed, the bank will see it on their end.
- Never read your card number, CVV, or SSN to an inbound caller.
Text message phishing (smishing)
Same idea, via text: "CHASE ALERT: Suspicious charge of $749. Text Y to confirm or N to dispute." Replying takes you to a fake Chase login page that captures your username, password, and SMS verification codes.
Defense
- Don't reply to fraud alert texts asking you to click a link.
- Open your bank's official app and check directly.
- Real bank text alerts say "Reply STOP to opt out"; they don't demand interaction.
Email phishing
An email pretends to be from your bank and carries a "login required" or "verify your account" link. The link goes to a fake login page that captures credentials.
Defense
- Hover over links before clicking and verify the URL.
- Real bank emails come from official domains (chase.com, americanexpress.com).
- Never log in via an emailed link. Type the bank's URL directly into your browser.
- Forward suspicious emails to abuse@chase.com (or equivalent at your bank). Many banks reward reporters with $20-50 per verified phishing report.
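The hover-and-verify check above, written out as an added example (not from the original article or any bank): it compares the host a link really points to against the official domains the article names. The function names, the three labels, and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Official domains named in the article; add your own bank's domain.
OFFICIAL_DOMAINS = {"chase.com", "americanexpress.com"}


def link_host(url):
    """Return the host a browser would actually connect to, lowercased."""
    # urlsplit separates any "user@" prefix from the real host.
    return (urlsplit(url.strip()).hostname or "").rstrip(".").lower()


def classify_link(url, official=OFFICIAL_DOMAINS):
    """Label a link 'official', 'suspicious', or 'unrelated'."""
    parts = urlsplit(url.strip())
    host = link_host(url)
    if not host:
        return "unrelated"
    # Exact match or true subdomain; the leading dot keeps "notchase.com" out.
    on_official = any(host == d or host.endswith("." + d) for d in official)
    if on_official and parts.scheme == "https" and parts.username is None:
        return "official"
    brands = {d.split(".")[0] for d in official}
    if (on_official                        # right domain, but http or user@
            or parts.username is not None  # bank name placed before an "@"
            or any(b in host for b in brands)  # bank name inside another domain
            or any(p.startswith("xn--") for p in host.split("."))):  # punycode
        return "suspicious"
    return "unrelated"


# Constructed sample links; the non-bank hosts use reserved example names.
SAMPLES = [
    "https://secure.chase.com/login",
    "http://chase.com/login",
    "https://chase.com@login.attacker.example/verify",
    "https://chase.com.account-verify.example/",
    "https://chase-secure-login.example/",
    "https://xn--chse-0na.example/",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):<10} {link_host(link):<34} {link}")
```

A "suspicious" result means the link should not be used to log in; typing the bank's address directly, as the list above says, avoids the problem entirely.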
Card skimming
Skimmers are physical devices attached to ATMs, gas pumps, and POS terminals that capture your card data when you swipe. Skimming is increasingly rare with chip cards but still happens at older terminals.
Warning signs
- Loose card-reader feeling.
- Visible glue, tape, or unusual edges around the slot.
- Small camera (often disguised) above the keypad watching for PIN entry.
- Two terminals at the same gas station, one tampered.
Defense
- Use chip insertion or tap rather than swipe whenever possible. Chip-reader skimmers are far rarer.
- Cover the keypad with your other hand when entering PIN.
- Wiggle the card reader slightly before inserting your card; loose attachments fall off.
- Use ATMs inside banks rather than standalone units.
- For gas, pay inside or at terminals nearer the pump cashier (more visible).
Merchant fraud and overcharging
Examples:
- Restaurant adds $50 to the tip line after you sign.
- Hotel charges "damage" for nonexistent damage after checkout.
- Subscription service charges for years after you canceled.
- Overseas merchant uses Dynamic Currency Conversion at 7% markup.
Defense
- Photograph receipts when paying in cash-tip-bearing situations (restaurants, salons).
- Review statements monthly for any unfamiliar charges.
- Dispute charges within 60 days. See Disputing charges.
- Always pay in local currency abroad; decline DCC.
Application fraud (someone opens cards in your name)
This is identity theft: someone gets your SSN and personal info, then applies for credit cards or loans in your name. You only find out when:
- A new card you didn't order arrives in the mail.
- A bill collector calls about a debt you don't recognize.
- Your credit score drops 30+ points without explanation.
- A new hard inquiry you don't recognize shows up on your credit report.
Defense
- Freeze your credit at all 3 bureaus. It's free and prevents new accounts from being opened. Lift it only when applying for legitimate credit. See Credit freezes and fraud.
- Monitor your credit report quarterly via annualcreditreport.com.
- Set fraud alerts (free, 1-year, extendable), even with a freeze in place. An alert requires lenders to verify your identity for new applications.
- Free credit monitoring via Credit Karma, Experian, or your bank's app to catch new accounts quickly.
Balance transfer fraud
Less common but devastating: a scammer offers to "help consolidate your debt" via a balance transfer and provides their own account number for the transfer. You transfer your balance to their account; they take the money; you owe both your old card and the new card's balance.
Defense: only initiate balance transfers via your bank's official portal. Never transfer to a third-party-provided account.
Rewards account takeover
Frequent flyer / hotel points accounts have less security than card accounts. Hackers gain access via:
- Reused passwords from a different leaked database.
- Phishing emails targeting loyalty accounts.
- Insider access at affiliate sites where you've linked accounts.
They redeem your points for flights or hotels (often booked for someone else). Once redeemed, the points are gone, and the recovery rate is poor.
Defense
- Unique passwords per loyalty account. Use a password manager.
- 2FA on every program that supports it (most major airlines and hotel chains do).
- Monitor balances monthly.
- Don't hoard millions of points; burn them every 12-18 months.
Online "you have a card waiting" scams
Banner ads, promoted social posts, and emails claiming "You're pre-approved for [premium card]!" or "Click to claim your $1,000 bonus!" The link goes to a fake application form that captures your data.
Defense
- Apply for cards directly from the bank's website or via reputable card-comparison sites.
- If pre-approval is real, you'll see it in the bank's own pre-approval portal (Capital One, Discover, Amex).
- Don't click promotional links from unknown senders.
Recurring subscription scams
Some merchants make canceling subscriptions extremely hard. Free-trial signups quietly become $30-50/month subscriptions. Some merchants attempt to reactivate cancelled subscriptions.
Defense
- Use virtual card numbers (Capital One and Citi offer these) for free trials. The virtual number can be deleted, blocking future charges.
- Set calendar reminders 1-2 days before free trials end to cancel.
- Review monthly statements for any subscription charges. Dispute unauthorized renewals.
Check fraud during balance-transfer offers
Some balance-transfer convenience checks arrive in the mail. If they are stolen from your mailbox, criminals can deposit them, draw cash advances, or otherwise use them. Federal liability is limited but the headache is significant.
Defense
- Opt out of paper-check offers at issuer sites (Chase, Capital One, Citi all allow opt-out).
- Shred any unsolicited convenience checks immediately.
- Use a mailbox lock or P.O. box if mailbox theft is common in your area.
What to do if you're scammed
Step 1: Stop the bleeding
- Call the bank's fraud department immediately. Use the number on the back of your card.
- Have the card frozen and a new card issued.
Step 2: Report
- File a police report (some banks require this).
- Report to the FTC at reportfraud.ftc.gov.
- For identity theft: identitytheft.gov.
Step 3: Freeze credit at all 3 bureaus
Even if the scam involved just one card, a freeze prevents the criminal from opening new accounts in your name.
Step 4: Monitor
- Pull credit reports from all 3 bureaus.
- Check loyalty program balances.
- Watch for unfamiliar accounts or charges over the next 6-12 months.
Recap
- Most scams target the cardholder directly: phone, text, email phishing.
- Real bank fraud departments don't ask for full card numbers, CVVs, or SSNs.
- Hang up on phishing calls; call your bank back at the number on the card.
- Credit freezes at all 3 bureaus prevent identity theft from opening new accounts.
- For loyalty accounts: unique passwords, 2FA, monthly monitoring. Burn points every 12-18 months.
- Use chip insert / tap rather than swipe at gas stations and ATMs.
- If scammed: call bank, report to FTC, freeze credit, monitor for 6-12 months.
