Banks are reporting a surge in a type of fraud where customers are tricked into disclosing online login passcodes they are sent, which has helped to fuel a 22% jump in crimes where scammers go shopping using people’s stolen details.
The banking body UK Finance revealed that “remote purchase” fraud hit its highest-ever level in 2024, with almost 2.6m cases logged, which works out at more than 7,000 incidents a day, or almost five a minute.
Urging the government to treat fraud as a “national security threat”, UK Finance said the rise in cases suggested that criminals were changing their tactics, amid evidence that another scam – where people are tricked into sending money to fraudsters – was in decline after tougher rules were introduced last autumn.
Overall last year, criminals stole about £1.2bn through the various types of financial fraud. This figure was broadly the same as the previous year, but the number of confirmed cases rose by 12% to reach just over 3.3m.
The vast majority of these cases involved remote purchase fraud, where criminals use stolen card details to buy items online. Incidents of this type of crime had been falling in recent years, but last year the total amount lost to this scam rose for the first time since 2018.
Banks say they are increasingly seeing criminals use sophisticated techniques to get people to disclose one-time passcodes they are sent. These codes usually take the form of a unique set of numbers, a bit like a pin number, and banks typically send them to customers via text message when they use their card to make purchases online, log on to internet banking, or change their personal details.
Once in possession of a passcode, a criminal can often use it to authenticate fraudulent online card transactions.
These frauds often begin with the familiar methods criminals have developed to encourage people to share their bank details, including sending text messages with a promise of a payment, links to false websites, or offers on social media for cheap products.
One variation of the scam involves fraudsters using the details they have obtained to transfer the bank cards of victims to the digital wallets of their own phones and then buy goods online and in high street shops.
In its report, UK Finance said its discussions with the industry “point to an increase in the compromise of one-time passcodes”. It warned: “This perhaps points to an over-confidence in one-time passcodes and the protection they offer customers, which is now being exploited to a growing degree by criminals.”
Data hacks at third parties, such as retailers, were another “major driver” of remote purchase fraud, with criminals using stolen card details to make purchases online, said the banking body.
It added: “The data stolen from a breach can be used for months or even years after the incident. Criminals also use the publicity around data breaches as an opportunity to trick people into revealing financial information.”
The warning comes after Marks & Spencer was hit by a cyber-attack, though the retailer said this month that the customer data accessed did not include usable payment or card details.
Victims of unauthorised fraud – which includes remote purchase scams – are legally protected against losses, and UK Finance said its research indicated that customers were fully refunded in more than 98% of cases.
