In a concerning trend, fraudsters have found a new way to exploit digital wallets like Apple Pay and Google Pay, emptying victims’ bank accounts without ever physically accessing their cards. The elaborate scheme involves phishing to steal personal and financial details, which the criminals then use to add the victim’s card to their own digital wallet, allowing them to make high-value purchases that are quickly resold on the secondary market.
Banks and building societies have reported a surge in these types of “digital wallet fraud” attempts, with Santander citing it as the second biggest reason for card scam losses last year. HSBC has also seen an increase over the past 18 months. UK Finance, the banking trade body, says the number of attempts has surged, in part because security systems have prevented criminals from being successful, forcing them to make more attacks.
The scam often begins with a phishing attempt, where the victim provides personal and bank details in response to a message promising a winter fuel allowance or cheap products. After a few weeks, the fraudsters will then contact the victim, posing as the victim’s bank. They may ask the victim to confirm their address or postcode to appear legitimate, before fabricating some transactions and claiming the account has been compromised. The criminals then say a notification is on the way, and the victim should approve it to secure the account.
“The notification the customer receives is entirely legitimate, as it’s the genuine notification your bank sends when a new Apple Pay or Google Pay card is being added to a device,” explains Danai Antoniou, the chief scientist at Gradient Labs, a financial services AI company. “They have just added your card into their Apple Pay or Google Pay and you are now receiving a text, or a notification, to approve it.”
From there, the fraudsters can quickly drain the victim’s account, making high-value purchases at tech stores and fashion retailers that can be easily resold on the secondary market. “The appeal is simple: electronics and designer goods can be quickly resold on the secondary market with minimal loss of profit during the money-laundering process,” Antoniou adds.
Banks are urging customers to be vigilant, stressing that they will never ask you to approve a notification or share one-time passcodes to secure your account. “Never trust anyone who calls you from your bank unless you arranged that phone call in advance,” Antoniou advises. “If somebody calls, tell them you will call the bank back yourself.”
Customers are also encouraged to set up bank alerts, check transactions regularly, and report any suspected scams immediately. While the digital wallet fraud may appear harmless, the consequences can be devastating, with criminals able to quickly empty accounts and disappear.