7 ways to protect yourself from loading your debit and credit card onto a criminal’s digital wallet

Sophisticated phishing and smishing attacks are on the rise. Picture Supplied.

Sophisticated phishing and smishing attacks are on the rise. Picture Supplied.

Published Jul 9, 2024



There is an increase in phishing and smishing attempts aimed at loading debit and credit cards onto criminals’ digital wallets. Phishing is a type of cybercrime in which people are duped into providing sensitive information such as login credentials, passwords, PINs, card details, or ID numbers by using deceptive techniques such as fake emails and websites. Smishing is the use of text messages – apparently from reputable institutions – to trick people into disclosing similar information.

Criminals have realised that the process of loading a debit or credit card onto a digital wallet is similar to the process of making an online payment using these cards. Both processes require card details to be entered into an online portal and both require the submission of a one-time password (OTP) to confirm the process.

Criminals might, therefore, send SMSes asking for a small fee to be paid – for example, to release a parcel for collection. This will require the user to enter their card details. The user has no idea that the criminal is actually entering those details into their digital wallet. When a bank sends the criminal a request for an OTP to confirm the loading of the card, the criminal then asks the user for the OTP which the user mistakenly believes has been issued in relation to the fraudulent payment. If they hand it over to the fraudster, the criminal is now able to use the card by presenting their own biometrics – because the card has been fraudulently loaded on the criminal’s own device.

With cybercriminals becoming more sophisticated, consumers must remain vigilant and take proactive measures to protect themselves. FNB shares the following safety tips:

Don’t panic: Fraudsters rely on people acting hastily, due to a sense of panic. Their tactics include threats that your accounts will be blocked or that fraud has been identified and must be stopped immediately. Whatever the scenario, keep in mind that such things will never compel you to give away OTPs, PINs, or passwords. It is safer to end such communication and contact your financial institution right away.

Do not click on email or SMS links: When opening emails from unknown sources or those that appear suspicious, proceed with caution. Credible financial institutions will never ask you to click on links. Clicking on links or downloading attachments from these kinds of messages should be avoided because they may include harmful malware or redirect you to fake websites.

Pay careful attention to the wording of OTP requests. Most banks will never require a customer to share their OTP with anyone to use it anywhere on their behalf and there should never be a need to share an OTP over a phone or via message with any third party to complete a payment. The wording for an online transaction OTP request is different to that of a digital wallet OTP request – don’t rush or make assumptions about communications you might receive.

Enable two-factor authentication (2FA): Enable 2FA wherever possible since it adds an extra layer of security by requiring a second verification step, which is often transmitted to your mobile device or an authenticator app.

Take note of the card and digital safety measures recommended by your financial institution: There is a lot of misleading information about how people may protect themselves from fraud but it is always preferable to follow your financial institution’s recommendations on how to secure your money.

Keep software and devices up to date: Update your operating system, web browsers, and antivirus software regularly to guard against vulnerabilities. To ensure that you get the most recent security fixes, enable automatic updates whenever possible.

Verify contact details: If you are suspicious of a message or request, contact your bank using details directly from their website so that you’re not redirected to the fraudster’s “helpline”.

* FNB is a financial institution.