Affiliate disclosure: Some links in this article are affiliate links. If you buy through them, we may earn a commission at no extra cost to you.
34.5M
digital wallet fraud cases projected for 2026 (industry estimate)
1 text
is all it takes to start the attack
0
of the scammer's transactions need your fingerprint
You get a text. It says a new device was just added to your mobile wallet, and if it wasn’t you, tap here to stop it. Or it says your card was suspended and you need to verify it. Or someone “accidentally” sent you money and politely asks you to send it back.
You did not lose your phone. You did not hand anyone your card. And yet within minutes, someone is spending your money in a city you have never visited, approving each purchase with their own face.
This is mobile wallet fraud, and it works in a way most people get wrong. The scammer never needs your phone. They need your card details and one thing you say out loud: a code.
What Mobile Wallet Fraud Actually Is
A mobile wallet — Apple Pay, Google Wallet, Samsung Pay — does not store your real card number. When you add a card, the wallet replaces it with a token, a stand-in number tied to that one specific device. We explained how that tokenization works and why it normally protects you in where your card number actually lives.
That protection is real. It means a shop that gets hacked never sees your actual card number. But tokenization defends the number. It does nothing to stop a scammer who tricks you into approving the token in the first place.
That is the whole game. The scammer is not breaking the technology. They are getting you to set it up for them.
How It Works — The Mechanics
The attack runs in four stages, and the dangerous one is the stage in the middle that feels harmless.
Stage 1
The phish
A text or email claims your card was suspended or added to a new device. You tap the link and enter your card details on a page that looks real.
Stage 2
The code
Your bank sends a one-time passcode to confirm a new wallet setup. The fake page asks for it instantly. You enter it, thinking you are verifying yourself.
Stage 3
The handover
That code authorised your card onto the scammer’s phone. It is now a token on their device — not yours.
Stage 4
The spend
Every payment they make is approved by their own Face ID or fingerprint. Your authentication never comes up again.
Notice what happened at stage two. You read a code aloud, or typed it into a box, and you believed you were proving you were you. You were not. You were approving a card being added to a device — a device that belongs to someone else.
Why That One Code Matters So Much
Here is the part no warning label explains properly. People are told a thousand times never to share a one-time passcode. But they are never told what this particular code does.
When you buy something, your bank does not send a code for every purchase. The code in this scam is not approving a payment. It is approving an enrolment — the act of installing your card onto a phone. And once a card is enrolled on a device, that enrolment is permanent until your bank actively removes it. The person holding that phone can now spend, again and again, with no further code, no PIN, and no involvement from you at all.
If You Are Being Extorted
That code wasn’t approving a purchase. It was handing your card to a stranger’s phone — permanently.
A purchase code stops a single transaction. An enrolment code hands over the card itself — and only your bank can undo it.
A purchase code stops one transaction
An enrolment code is different — it installs your card onto a device and authorises everything that device does next.
After enrolment, their fingerprint approves everything
The scammer’s own Face ID or fingerprint authorises each payment. Yours is never asked for again.
Only your bank can undo it
The bank removes the token from their device. Cancelling the message or blocking the sender does nothing on its own.
This is also why victims are disbelieved: to the bank’s systems, that code was a valid approval, so the charges look authorised — because, technically, they were.
The Signals That Reveal It
Almost every version of this scam contains the same tells. If a message hits two or more of these, treat it as an attack.
It creates urgency
Your card is suspended. A new device was added. Act now or lose access. Panic is the point — it stops you thinking.
It contains a link or number
A real alert tells you to check your banking app. A scam gives you its own link or its own phone number to call.
It asks for a code
No legitimate bank or wallet provider will ever ask you to read back a one-time passcode. Ever.
Money arrives unexpectedly
A stranger sends you cash by mistake and asks you to return it. The cash came from a stolen card; your refund comes from your real one.
The sender looks almost right
The name shows as your bank, or the email is one character off. Spoofing a sender name is trivial.
It knows a little about you
It may show your name or the last four digits of a card. That data leaks in breaches and does not prove the sender is real.
The delivery method is almost always a phishing text or email. If you want to get sharper at spotting the message that starts the whole chain, how to spot a phishing email breaks the signals down further.
What To Do If It Happens
Speed matters more than anything here, because every minute the token lives on their device is a minute they can spend. The order of these steps is deliberate.
If you think you just gave a scammer your code
Call your card issuer immediately
Use the number on the back of your card — not any number from the message. Tell them your card was added to a digital wallet fraudulently and ask them to remove the token and reissue the card.
Ask them to de-tokenize the device
Each device gets a unique token. Your bank can see which device made the charges and can revoke that specific token, cutting off the scammer instantly.
Freeze the card in your banking app
While you wait to speak to someone, freeze the card yourself if your app allows it. This buys time without closing your account.
Document every charge
Screenshot each unauthorised transaction with time and amount. You will need this for the dispute and any report.
Report it
In the US, report to the FTC at reportfraud.ftc.gov and the FBI’s IC3 at ic3.gov. Elsewhere, report to your national fraud authority. Reporting is sometimes required before you can be reimbursed.
If a stranger “accidentally” sent you money
Do not return the payment
However convincing the apology, do not send anything back. A genuine mistaken payment is resolved by the sender’s bank, not by you transferring funds to a stranger.
Report the incoming payment to your app
Flag it as suspicious inside the payment app so there is a record that you did not solicit or keep it.
Block and ignore the sender
Do not negotiate, explain, or engage. Any reply tells them a real person is reading.
How To Protect Yourself Going Forward
You cannot stop scammers sending messages. You can make sure none of them ever works on you. Run through this once and the entire attack chain breaks at stage two.
Your mobile wallet safety check
5 minutes
Never read a code aloud or type it into a link
A code is only ever entered into the real app you opened yourself. Not a link. Not a phone call. No exceptions.
BothTreat every “card added to new device” text as a trap
If you get one, do not tap the link. Open your banking app directly and check there.
BothTurn on transaction alerts
Real-time alerts mean you see a fraudulent charge in seconds, not on next month’s statement.
BothUse a credit card in your wallet, not a debit card
Credit cards generally offer stronger fraud reversal than debit, and the disputed money is the bank’s, not yours, while it is investigated.
BothLock down the phone itself
A strong passcode and biometrics mean that even a lost or stolen phone cannot approve payments.
BothSave your bank’s real number now
Store the number from the back of your card in your contacts, so in a panic you never have to trust a number a message gave you.
BothThe Honest Summary
Mobile wallet fraud is not a story about weak technology. Tokenization works. Biometrics work. The fraud succeeds for one reason: it convinces you to do the one thing the system trusts completely — confirm a new device with a code.
So the defence is equally simple, and it does not require you to understand any of the cryptography. A code is never something you read to another person or type into a link. It is something you enter, yourself, into an app you opened, yourself. Hold that one line and the attack has nowhere to go.
If you handle payments or fraud inside a bank rather than as a customer, the same tokenization mechanics shape how these disputes are investigated on the issuer side — that is a different conversation, and one I cover in the professional section.