The Rise of Virtual Cards and the Growing Threat of Digital Fraud
With the increasing adoption of digital banking, virtual cards have become a popular alternative to traditional physical cards. These digital cards can be loaded onto smartphones and wearable devices, offering users convenience and flexibility in making payments both online and in-store. However, this shift towards digital banking has also attracted the attention of fraudsters, who are exploiting vulnerabilities in these systems.
The National Financial Ombud Scheme (NFO) has reported a significant rise in complaints related to digital banking fraud. Between January and May 2024, there were 1,436 cases, but this number jumped to 2,483 in the same period this year—a 73% increase. In contrast, ATM card-related complaints rose from 237 to 332, but remained lower than those involving digital or virtual cards. Over the past year, digital fraud complaints exceeded ATM fraud complaints by 3,350 cases, highlighting a clear shift in the nature of card-related fraud.
Virtual cards are designed with security in mind. They come with unique card numbers, expiration dates, and CVVs, similar to physical cards. However, they offer additional protection because they cannot be lost, stolen, or duplicated. Despite these features, they are not immune to fraud, as cybercriminals continue to find ways to exploit weaknesses in the system.
How Virtual Cards Are Being Compromised
According to Nerosha Maseti, the Lead Ombud for Banking and Credit at the NFO, virtual cards are often compromised through unauthorized access to a customer’s banking app. Cybercriminals use tactics such as vishing (voice phishing), smishing (SMS phishing), and phishing (email phishing) to steal personal information. In most cases, the compromise of a virtual card occurs after a customer’s digital banking credentials are stolen.
Maseti explained that once fraudsters gain access to a customer’s online banking profile, they can create virtual cards and use them to make transactions. This typically happens when customers share One Time Pins (OTPs) or accept authentication messages for the creation of virtual cards.
Despite ongoing awareness campaigns by banks, many consumers remain unaware of the risks associated with virtual cards. In one notable case, a consumer was targeted through a vishing scam, where fraudsters pretended to be from the bank. They convinced the consumer to provide her confidential access information, which allowed them to create multiple virtual cards and make online purchases totaling R500,000.
The consumer reported the incident to the bank and requested a refund, but the bank denied the claim, stating that the transactions were authorized through the consumer’s mobile banking application. The NFO investigated and found that the consumer had indeed compromised her online banking credentials and approved the transactions through in-app approvals. As a result, the bank could not be held liable for the loss.
Tips for Keeping Your Virtual Card Secure
To protect yourself from digital fraud, it is essential to follow best practices for securing your virtual card:
- Never share your confidential card parameters, PIN, login credentials, passwords, or One Time PIN with anyone. Banks will never ask you to disclose this information.
- Be cautious when authenticating transactions. Read what you are approving carefully, as fraudsters may try to trick you into authorizing their own transactions.
- Enable Multi-Factor Authentication (MFA). Ensure your banking app requires extra verification, such as a one-time PIN or biometric authentication.
- Use a secure internet connection. Avoid making transactions on public Wi-Fi, as hackers can intercept your data.
- Create strong, unique passwords. Use a password manager to store complex passwords instead of reusing the same ones across different platforms.
- Set spending limits. Some banks allow you to set transaction limits for virtual cards, reducing the risk if your card is misused.
- Turn off auto-save. Avoid saving card details in browsers or apps unless absolutely necessary.
- Stay calm and avoid panic. Fraudsters often use threats to pressure victims into giving away sensitive information. If something feels suspicious, end the communication and contact your bank immediately.
- Do not click on links in emails or SMS messages. Credible financial institutions will never ask you to click on links. Avoid doing so or downloading attachments from unknown sources, as they may contain malware or lead to fake websites.
- Pay attention to OTP requests. Familiarize yourself with how your bank communicates about online transactions and OTP requests. If you’re unsure, contact your bank directly to verify the message.
If you encounter any issues with your bank, you can escalate the matter to the NFO. However, it is crucial to report suspected fraud to your bank as soon as possible. The NFO cannot assist with blocking or recovering funds—only your bank can take immediate action to protect your account. Only refer a complaint to the NFO after your bank has responded and you are dissatisfied with their resolution.
