What is credit card fraud, and how do you protect yourself?

When a credit card is misused, the effect can be immediate. A fraud-related block or frozen account can prevent you from paying for things you need, while an unfamiliar charge can set off disputes and account checks that take time to resolve. In some cases, the damage can reach your credit record and take months to fix.

This guide covers how it happens, what to watch for, and how to respond if it happens to you.

Please note: This information is for general educational purposes and not financial or legal advice.

Understanding credit card fraud

Credit card fraud happens when someone uses a card or its details without the owner’s consent to get goods, services, or cash. The information might be obtained through phishing attacks and other forms of social engineering, malware planted on payment pages, a card reader that’s been tampered with, or a major data breach.

Once the information is in the criminal’s hands, it doesn’t sit idle. There may be a small purchase first, just to see if the card works. If that goes through, the spending can escalate: larger buys, converting value into gift cards, or even withdrawing cash if a PIN is known. In more organized setups, the process is automated, with stolen card numbers being run through software that can test thousands in a short burst.

How credit card fraud differs from identity theft

Credit card fraud involves using stolen card details (such as the number, expiration date, and CVV) to make unauthorized transactions. Canceling the compromised card stops further use of that account. If no other personal data is exposed, the damage is usually limited to reversing fraudulent charges.

Identity theft is wider in scope. It uses enough personal information (like your name, date of birth, and government ID or Social Security number) to impersonate you. This can lead to new credit accounts, loans, or other services being opened in your name, with consequences that can last for years. Resolving identity theft often requires repairing your credit, placing security freezes or alerts, and monitoring for new activity long after the initial incident.

Types of credit card fraud

Credit card fraud comes in many forms, from stolen card numbers to sophisticated scams, and understanding the different types is the first step to protecting yourself.

Lost or stolen credit cards

A stolen card can be used for transactions within minutes if it is not blocked. Offenders usually focus on payments that require no extra verification, such as low-value contactless purchases, in-store transactions where ID is not routinely checked, or ATM withdrawals (when they also know the PIN).

PINs are sometimes captured along with the card through shoulder-surfing (someone watching you enter your PIN), miniature cameras, keypad overlays, or skimming devices fitted to payment terminals. In some cases, stolen cards are quickly resold, used to buy goods with a strong resale market, or exchanged for gift cards to make tracing more difficult.

Card-not-present (CNP) fraud and online scams

CNP fraud happens when your card details are used without the card itself, such as for purchases on e-commerce sites, in mobile apps, or over the phone. Criminals get the information from breaches, by planting malicious code known as e-skimming on checkout pages, or by creating phishing sites that imitate real businesses.

These sites often look and feel like legitimate sites and could include things like HTTPS and a padlock. However, HTTPS only means the connection to the domain is encrypted and the certificate matches the domain name. It does not confirm that the site belongs to the company it claims to be. A close copy of a retailer’s site with a slightly altered address can still steal your details.

Enumeration and card-testing attacks

In CNP fraud, criminals sometimes run enumeration or card-testing campaigns. They use bots to cycle through possible combinations of a card number, expiry date, and CVV by sending small authorization attempts to multiple online merchants. If a set of details is accepted, that card is then used for larger purchases or sold to other offenders. Essentially, this is a version of a brute-force attack.

Visa’s Spring 2025 Biannual Threats Report recorded a 22% rise in these attacks compared with the previous six-month period, linking them to more than $1.1 billion in subsequent fraud losses worldwide. The report notes that Visa has employed generative AI to identify enumeration attacks early and notify affected merchants so that they can block rapid-fire authorization attempts, but given the rising trend in enumeration attacks, it’s clear that many merchants remain vulnerable.

Credit card application fraud

Fraudsters open a new card in your name with stolen or synthetic identity data, then run up charges. US identity-theft reports topped 1.1 million in 2024, and credit card was the top identity-theft category reported to the FTC. If this happens, place a fraud alert or security freeze with the three credit bureaus and follow dedicated identity-theft remediation steps.

Public Wi-Fi and unsecured network risks

Hackers sometimes set up fake Wi‑Fi networks (called evil twins) that mimic official connections to trick people into sharing sensitive information. In one incident, the Australian Federal Police charged a man who deployed such fake hotspots on domestic flights; passengers logging in were redirected to counterfeit login pages and had their credentials stolen.

Even legitimate public Wi-Fi can be risky if it’s unsecured, as attackers on the same network may still intercept unencrypted traffic or inject malicious content. Treat these networks as high-risk for any financial activity, and use a trusted VPN like ExpressVPN when handling payments.

Triangulation marketplace scams

A scammer sets up a fake storefront on a marketplace and lists popular goods at a discount. When you place an order, they charge your card and keep that payment. To fulfill the order, they then buy the product from a legitimate retailer using someone else’s stolen credit card details.

The item arrives at your door, but once the real cardholder disputes the fraudulent charge, the issuer reimburses them and pushes a chargeback through the network. That leaves the retailer covering the cost of the purchase, while the scammer has already pocketed your marketplace payment. In some cases, buyers can also be questioned during the fraud investigation. Be wary of too-good-to-be-true marketplace listings from new or low-reputation sellers.

Emerging fraud trends: AI phishing, deepfakes, and mobile-wallet fraud

Criminals are starting to use AI to copy voices, create fake videos, and write messages that look like they came from someone you trust. These tactics are being used to push people into making quick payments or giving up security codes. The FBI and FTC in the U.S. and the National Cyber Security Centre in the UK have all warned about more scams using AI and voice cloning in recent years.

Provisioning fraud, where threat actors add stolen card details to a mobile wallet (Apple Pay, Google Pay, etc.) on a device they control, is present but changing shape: Visa’s Spring 2025 Biannual Threats Report notes that cybercriminals now wait longer to use the account after provisioning (delayed cashout). To get past bank verification, criminals may also carry out a SIM swap (transferring your phone number to a SIM card they control so they can intercept text messages and calls) or trick you into handing over a one-time passcode through phishing.

Once provisioned, the card can be used for in-store purchases with contactless payments, making the fraud hard to spot at the register. If you receive an unexpected wallet setup or verify-now request, always confirm it through your bank’s official app or phone line before acting.

What is the most common type of credit fraud?

In the United States, CNP fraud now makes up the largest share of card-fraud activity. This dominance emerged after the rollout of Europay, Mastercard, and Visa (EMV) chip cards, which use embedded chips to create a one-time cryptographic code for each transaction, making skimmed data useless for counterfeiting. As counterfeiting at physical terminals dropped, criminals shifted to channels where the card isn’t swiped or inserted.

The trend is similar in Europe. Industry monitoring shows that CNP transactions carry the highest fraud rates, even though overall card-fraud levels remain low. Remote purchases are attractive to criminals because they can be made from anywhere in the world, require no physical access to the card, and often face less stringent verification than in-person payments.

Reducing the risk of CNP fraud means limiting where your card details are stored, enabling strong authentication such as app-based or hardware-key verification, setting spending and region limits on your card if the card provider offers this possibility, and setting up real-time alerts to flag suspicious activity as soon as it occurs.

Signs of credit card fraud

Credit card fraud often leaves subtle warning signs, and spotting them early can save you from bigger financial trouble.

Unfamiliar charges on your statement

Flag any transaction you did not authorize. Early signals include tiny test charges, duplicate transactions minutes apart, foreign-currency charges with no travel, and new subscriptions you never started.

Declined transactions without reason

A sudden decline may be triggered by fraud screening. Signals include rapid small transactions that resemble card testing, a burst of recent online attempts, AVS or CVV mismatches, unusual locations compared with your normal use, or many retries in a short window. Merchants also run their own risk checks, so a decline there with no bank alert still merits attention when paired with other signs.

Notifications for accounts you didn’t open

“Welcome” emails, new-account texts, mailed cards you never requested, or messages about a new device on your banking profile indicate impersonation risk. So do password reset emails you did not request. These point to identity theft rather than a single compromised card.

ExpressVPN’s Identity Defender provides identity and credit alerts in the ExpressVPN app to help catch new account fraud early. It’s available to subscribers in the U.S.

What to do if you suspect credit card fraud

Discovering suspicious charges can be stressful, but acting quickly helps limit the damage. Start by confirming what you’re seeing.

Confirm fraudulent charges

Verify what you are seeing. Read the full merchant descriptor on your statement because billing names can differ from storefront names. Separate temporary authorizations from posted charges.

Look for duplicate transactions minutes apart, small test charges followed by higher amounts, unexpected foreign currency, and new subscriptions you did not start. Check with any authorized users. Review saved cards in your major shopping accounts and remove any you do not recognize. Keep screenshots, bank alerts, and emails as evidence.

Notify your card issuer immediately

Use the number on the back of your card or the issuer’s official app to lock the card, request a replacement, and dispute unauthorized charges. Ask the issuer to remove the old card from any digital wallets and revoke tokens tied to it.

Credit cards often come with zero-liability protection if you report fraud promptly. The exact terms, timelines, and liability limits can vary by country and by your card issuer’s policies, so check your bank’s rules and local consumer protection laws.

File a police report

File a report if your card or wallet was stolen, if identity documents are involved, if a creditor or insurer requires a report, or if you need a case number for follow-up. Use your national police or cybercrime portal and keep a copy of the report. If new accounts have been opened in your name, follow an identity theft recovery plan and consider longer-term monitoring.

What to expect during a fraud investigation

Once fraud is reported, banks typically block the compromised card and issue a replacement. They review transaction data and merchant records and may ask you to sign a statement. Many card issuers provide a provisional credit, allowing you temporary access to funds while the investigation proceeds. These investigations normally wrap up within 30 to 90 days, though disputes with merchants can extend the timeline.

Continue paying any portion of your balance you're sure is valid and keep written records (screenshots, bank alerts, emails) until the bank confirms the final resolution in writing. It’s wise to monitor your statements and alerts for several months after, because fraudsters may reuse stolen information or attempt new attacks on the compromised account.

ExpressVPN’s Credit Scanner, available to users in the U.S., offers ongoing credit monitoring inside the app, which helps detect new-account fraud early and watch for follow-on misuse after an incident.

Credit card fraud prevention strategies

You can reduce your risk of credit card fraud by adopting a few everyday security habits:

Never share your credit card details with anyone

Do not share your full card number, CVV, expiry date, PIN, or one-time codes by phone, email, chat, or text. Banks and payment providers do not ask for these. Do not upload photos of your card. If someone claims to be from your bank and asks for a code or PIN, end the conversation and contact the bank through the official app or the number on the card.

Set up fraud alerts with your bank

Turn on real-time notifications for all card transactions, card-not-present purchases, international charges, cash advances, and contactless payments over the offline limit. Add alerts for password changes, new device sign-ins, and payee additions on your banking profile. If your bank supports an account lock or travel notice, use it. Respond to alerts quickly and lock the card if anything looks wrong.

Use virtual cards for online purchases

Use single-use or merchant-locked card numbers for e-commerce. Set a spending cap when possible and expire the number after the transaction. If a merchant is later breached, the virtual number can be disabled without replacing your main card. Keep a separate virtual number for subscriptions so you can cancel it without affecting your primary card.

Final thoughts: Stay informed, stay protected

Credit card fraud moves fast. You can stay ahead by knowing how it works, watching for clear signs, and acting the moment something looks wrong. Use strong authentication, alerts, and virtual cards for online payments. Keep your devices clean and your passwords unique. Avoid public Wi-Fi for banking, and check domains before entering card details. If fraud occurs, secure your accounts, report it through official channels, and monitor for follow-on activity. Informed habits turn a high-risk target into a hardened one.