Affiliate disclosure: Some links in this article are affiliate links. If you buy through them, we may earn a commission at no extra cost to you.

34.5M

digital wallet fraud cases projected for 2026 (industry estimate)

1 text

is all it takes to start the attack

0

of the scammer's transactions need your fingerprint

You get a text. It says a new device was just added to your mobile wallet, and if it wasn’t you, tap here to stop it. Or it says your card was suspended and you need to verify it. Or someone “accidentally” sent you money and politely asks you to send it back.

You did not lose your phone. You did not hand anyone your card. And yet within minutes, someone is spending your money in a city you have never visited, approving each purchase with their own face.

This is mobile wallet fraud, and it works in a way most people get wrong. The scammer never needs your phone. They need your card details and one thing you say out loud: a code.

What Mobile Wallet Fraud Actually Is

A mobile wallet — Apple Pay, Google Wallet, Samsung Pay — does not store your real card number. When you add a card, the wallet replaces it with a token, a stand-in number tied to that one specific device. We explained how that tokenization works and why it normally protects you in where your card number actually lives.

That protection is real. It means a shop that gets hacked never sees your actual card number. But tokenization defends the number. It does nothing to stop a scammer who tricks you into approving the token in the first place.

That is the whole game. The scammer is not breaking the technology. They are getting you to set it up for them.

How It Works — The Mechanics

The attack runs in four stages, and the dangerous one is the stage in the middle that feels harmless.

Stage 1

The phish

A text or email claims your card was suspended or added to a new device. You tap the link and enter your card details on a page that looks real.

Stage 2

The code

Your bank sends a one-time passcode to confirm a new wallet setup. The fake page asks for it instantly. You enter it, thinking you are verifying yourself.

Stage 3

The handover

That code authorised your card onto the scammer’s phone. It is now a token on their device — not yours.

Stage 4

The spend

Every payment they make is approved by their own Face ID or fingerprint. Your authentication never comes up again.

Notice what happened at stage two. You read a code aloud, or typed it into a box, and you believed you were proving you were you. You were not. You were approving a card being added to a device — a device that belongs to someone else.

Why That One Code Matters So Much

Here is the part no warning label explains properly. People are told a thousand times never to share a one-time passcode. But they are never told what this particular code does.

When you buy something, your bank does not send a code for every purchase. The code in this scam is not approving a payment. It is approving an enrolment — the act of installing your card onto a phone. And once a card is enrolled on a device, that enrolment is permanent until your bank actively removes it. The person holding that phone can now spend, again and again, with no further code, no PIN, and no involvement from you at all.

If You Are Being Extorted

That code wasn’t approving a purchase. It was handing your card to a stranger’s phone — permanently.

A purchase code stops a single transaction. An enrolment code hands over the card itself — and only your bank can undo it.


1

A purchase code stops one transaction

An enrolment code is different — it installs your card onto a device and authorises everything that device does next.

2

After enrolment, their fingerprint approves everything

The scammer’s own Face ID or fingerprint authorises each payment. Yours is never asked for again.

3

Only your bank can undo it

The bank removes the token from their device. Cancelling the message or blocking the sender does nothing on its own.

This is also why victims are disbelieved: to the bank’s systems, that code was a valid approval, so the charges look authorised — because, technically, they were.

The Signals That Reveal It

Almost every version of this scam contains the same tells. If a message hits two or more of these, treat it as an attack.

It creates urgency

Your card is suspended. A new device was added. Act now or lose access. Panic is the point — it stops you thinking.

It contains a link or number

A real alert tells you to check your banking app. A scam gives you its own link or its own phone number to call.

It asks for a code

No legitimate bank or wallet provider will ever ask you to read back a one-time passcode. Ever.

Money arrives unexpectedly

A stranger sends you cash by mistake and asks you to return it. The cash came from a stolen card; your refund comes from your real one.

The sender looks almost right

The name shows as your bank, or the email is one character off. Spoofing a sender name is trivial.

It knows a little about you

It may show your name or the last four digits of a card. That data leaks in breaches and does not prove the sender is real.

The delivery method is almost always a phishing text or email. If you want to get sharper at spotting the message that starts the whole chain, how to spot a phishing email breaks the signals down further.

What To Do If It Happens

Speed matters more than anything here, because every minute the token lives on their device is a minute they can spend. The order of these steps is deliberate.

If you think you just gave a scammer your code

Do not waste time inside the payment app trying to cancel. Apps often cannot reverse these transfers. Your card issuer can kill the token. Call them first.
1

Call your card issuer immediately

Use the number on the back of your card — not any number from the message. Tell them your card was added to a digital wallet fraudulently and ask them to remove the token and reissue the card.

2

Ask them to de-tokenize the device

Each device gets a unique token. Your bank can see which device made the charges and can revoke that specific token, cutting off the scammer instantly.

3

Freeze the card in your banking app

While you wait to speak to someone, freeze the card yourself if your app allows it. This buys time without closing your account.

4

Document every charge

Screenshot each unauthorised transaction with time and amount. You will need this for the dispute and any report.

5

Report it

In the US, report to the FTC at reportfraud.ftc.gov and the FBI’s IC3 at ic3.gov. Elsewhere, report to your national fraud authority. Reporting is sometimes required before you can be reimbursed.

If a stranger “accidentally” sent you money

The money in your wallet came from a stolen card. When the real owner reports it, that payment is reversed — but the refund you send comes from your own real funds. You end up out of pocket twice.
1

Do not return the payment

However convincing the apology, do not send anything back. A genuine mistaken payment is resolved by the sender’s bank, not by you transferring funds to a stranger.

2

Report the incoming payment to your app

Flag it as suspicious inside the payment app so there is a record that you did not solicit or keep it.

3

Block and ignore the sender

Do not negotiate, explain, or engage. Any reply tells them a real person is reading.

How To Protect Yourself Going Forward

You cannot stop scammers sending messages. You can make sure none of them ever works on you. Run through this once and the entire attack chain breaks at stage two.

Your mobile wallet safety check

5 minutes

0/6

Never read a code aloud or type it into a link

A code is only ever entered into the real app you opened yourself. Not a link. Not a phone call. No exceptions.

Both

Treat every “card added to new device” text as a trap

If you get one, do not tap the link. Open your banking app directly and check there.

Both

Turn on transaction alerts

Real-time alerts mean you see a fraudulent charge in seconds, not on next month’s statement.

Both

Use a credit card in your wallet, not a debit card

Credit cards generally offer stronger fraud reversal than debit, and the disputed money is the bank’s, not yours, while it is investigated.

Both

Lock down the phone itself

A strong passcode and biometrics mean that even a lost or stolen phone cannot approve payments.

Both

Save your bank’s real number now

Store the number from the back of your card in your contacts, so in a panic you never have to trust a number a message gave you.

Both

The Honest Summary

Mobile wallet fraud is not a story about weak technology. Tokenization works. Biometrics work. The fraud succeeds for one reason: it convinces you to do the one thing the system trusts completely — confirm a new device with a code.

So the defence is equally simple, and it does not require you to understand any of the cryptography. A code is never something you read to another person or type into a link. It is something you enter, yourself, into an app you opened, yourself. Hold that one line and the attack has nowhere to go.

💡
If anyone — by text, call, or web page — wants you to share or enter a one-time code, stop. Open your real banking app and check from there. A real alert will be waiting for you inside it. A scam will not.

If you handle payments or fraud inside a bank rather than as a customer, the same tokenization mechanics shape how these disputes are investigated on the issuer side — that is a different conversation, and one I cover in the professional section.