/ Shopping

Scam watch: fake verification pop-up

creidt card

While shopping online, a Which? member nearly fell victim to a sophisticated online credit card scam that none of our experts have come across before.

Member Alastair Robertson told us:

After placing an order with an online butchers and filling in my debit card details, the Bank of Scotland card verification page popped up. I’d seen it before and began to fill it in, but soon realised it was asking for more information than usual. It had boxes for the 16-digit card number, expiry date and security code. 

I closed the pages and placed my order by phone. 

A few hours later, I received an automated call from the Bank of Scotland fraud department. The voice asked for the 16-digit number on the front of my debit card in order to deal with the problem. It told me I had entered this incorrectly and asked for the card’s expiry date. It then claimed I also entered that incorrectly and asked for my sort code. At this point, I hung up and phoned Bank of Scotland directly – neither the pop-up nor the phone call had come from it.’

Our say on fake verification pop-ups

This is a very clever scam that none of our experts have come across before. The pop-up emerged at the exact time you’d expect such a page to appear, and the phone call was well timed, too.

The details needed to pull off this scam may have been obtained as a result of spyware being installed on the member’s PC.

We can confirm that card verification pages and automated calls from your bank rarely ask for additional card details. You should report such cases to the police and Action Fraud.

Have you come across a similar scam? What happened?


MLD- I tried two Virgin Train websites and didnt see any malware on both when I went to “buy ” , on the other hand I got a warning box asking me if I wanted to let Virgin ( this website ) know my location , obviously I clicked on the -never for this website .Secondly Virgin use Java script, beloved by hackers , as my protection was blocking it for this website I had to re-direct to a non-Java website , worth keeping in mind, so if you still have problems its your computer thats got them not the website – at PRESENT ( nothing is 100 % safe in digiland )

Ron Thornton says:
30 October 2016

This happened to me when buying premium bonds from the National Savings and Investments web site. I was purchasing a large amount of bonds so presumed Lloyds (my bank) were being more careful than usual. I have up to date F-Secure protection installed on my computer and have not seen this bank verification request appear with any other on line purchase before or since. Is it feasible the NS&I website has been illegally accessed?


Ron I cant find any malware on the website , although the initial informational webpage is insecure that is not the case when you go to the actual website to do business , but the new log-in states last month they changed the password situation . I noticed that NS+I although government owned is a non-ministerial dept. also the server is in London while GOV.UK server is in the US , now that worries me, that means it is subject to US law and given a US High Court order YOUR info is available to US authorities , and that is now being changed by the US government under Homeland Security to allow access WITHOUT a Court Order. Any company in the UK , in US Law is a FOREIGN company and therefore more open to information gathering than a US owned /based company. All our data under the new EU Agreement has been transferred to the US its supposed to be secure but it is not from US security agencies .


A ‘retailer’ phoned me and apologised profusely for over charging. ‘Could I please let them have my new CC details so that they could refund me and give a substantial discount on recurring orders?’ They did not refund me. They doubled the the charge. Happily the Natwest proved to be on my side on this occasion They charged back all transactions and reported the fraud.