WITH virtual banking cards being offered across all digital banking platforms, and with the ability to load these cards on phones and other wearable devices, virtual cards are gaining ground over traditional physical cards or cash. 

Unfortunately, this digital alternative is also increasingly being used by fraudsters when targeting unsuspecting bank customers.

The National Financial Ombud Scheme (NFO) has seen a significant increase in digital banking fraud complaints, rising from 1 436 cases between January and May 2024 to 2 483 cases during the same period this year - a whopping 73% year-on-year increase. 

In contrast, ATM card complaints rose from 237 to 332, but remained lower in number than virtual or digital fraud cases. Between January 2024 and May 2025, digital fraud complaints exceeded ATM fraud complaints by 3 350 cases, marking a dramatic shift in card fraud from plastic to virtual.

The convenience of accessing a virtual card directly through a secure banking app on the phone is undeniable. Whether shopping online or tapping a device in-store, consumers now enjoy payment capabilities at their fingertips. The growing adoption of these methods is clearly reflected in the rising volume of transactions made via virtual cards.

Virtual cards are designed for secure online transactions and come with a unique card number, expiration date, and CVV, just like a physical card, but they offer extra security because they can't be lost, stolen, or duplicated.

Compromised virtual card = fraud

Nerosha Maseti, the Lead Ombud for Banking and Credit at the NFO, said while virtual cards offer enhanced convenience and security, they are not immune to fraud, and opportunities for fraudsters to exploit unsuspecting bank customers remain.

Maseti said the NFO’s investigations reveal that virtual cards are typically compromised through unauthorised access to a customer’s banking app. The methods of compromise such as vishing, smishing, and phishing - all sneaky tactics used by cybercriminals to steal personal and confidential information - are consistent with those used to compromise physical cards. In the majority of reported cases, the compromise and use of virtual card numbers to perform transactions occurred only after a customer’s digital banking credentials were compromised.

“Fraudsters are able to create virtual cards and then use the virtual card credentials to perform transactions once gaining access to a customers digital banking profile. This happens when bank customers have compromised their confidential access credentials, shared One Time Pins (OTPs) or accepted authentication messages for the creation of virtual cards.

“Despite ongoing awareness campaigns by banks, including media outreach and direct communication via SMS, email, and in-app notifications to educate customers on the functionality and associated risks of virtual cards, the majority of complainants to our office indicated that they were unaware of the existence or use of virtual cards,” she said.

R500 000 siphoned

Maseti cited the case when a consumer was contacted by fraudsters pretending to be calling from the bank (vishing scam). The fraudsters managed to convince the consumer that she needed to provide them with her confidential access information for her online banking profile. Upon gaining access to the customer’s online banking profile, the fraudsters created a number of virtual cards and concluded online card purchases totalling R500 000. The online card purchases were authenticated through in-App approvals via the consumer’s banking application.

The consumer reported the incident to the bank and claimed a full refund. The bank repudiated her claim. The customer lodged a complaint with the NFO.

When responding to the NFO, the bank again repudiated the consumer’s claim on the basis that the consumer’s online banking login credentials were compromised, and more specifically, that the disputed transactions were approved via the consumer’s mobile banking application which was accessed through the entering of the correct mobile banking application credentials.

“The bank provided proof of the creation of the virtual cards on the online banking profile as well as proof of the authentication messages delivered to the mobile application linked to the consumer’s online banking profile in terms whereof the fraudulent online card purchases were authorised. The consumer confirmed that her phone was in her possession at all times.

“The facts showed that the consumer had compromised her online banking credentials and approved the In-App messages required to authorize the online card purchases in question. The bank could not be held liable for the loss suffered by the consumer as a result of the compromise,” Maseti said.

She added the bank confirmed that the fraudulent online card purchases could not be concluded without the fraudsters gaining access to the complainant’s online banking profile and the consumer authenticating the In-App messages. No proof was provided that the transactions took place as a result of maladministration or safety and security failures on the part of the bank. There was accordingly no basis for the NFO to recommend that the bank reimburse the loss suffered by the complainant.

Maseti said consumers are responsible to keep their confidential access credentials safe and secure. Consumers must never disclose confidential banking information to anyone – the bank will never request disclosure of same. Consumers must carefully read each and every notification which they receive from their bank. Immediately report any suspicious activity to the bank.

Some ways to keep your virtual card safe:

• Never share your confidential card parameters or PIN, login credentials, passwords or One Time PIN with other people. The bank will not phone you to ask for this confidential information. When you are authenticating a transaction, read what you are approving carefully as fraudsters may try to convince you to approve transactions for their own financial gains. 
• Enable Multi-Factor Authentication (MFA) – Ensure your banking app requires extra verification, like a one-time PIN or biometric authentication.
• Use a Secure Internet Connection – Avoid making transactions on public Wi-Fi, where hackers can intercept your data. 
• Create Unique, Strong Passwords – Use a password manager to store complex passwords instead of reusing the same ones.
• Set Spending Limits – Some banks allow you to set transaction limits for virtual cards, reducing risk if your card is ever misused.
• Turn Off Auto-Save – Avoid saving card details in browsers or apps unless absolutely necessary.
• Don't panic: Fraudsters rely on people acting hastily, due to a sense of panic. Their tactics include threats that your accounts will be blocked or that fraud has been identified and must be stopped immediately. Whatever the scenario, it should never compel you to give away sensitive personal information such as OTPs, PINs, or passwords. It is safer to end such communication and contact your bank immediately. 
• Do not click on email or SMS links: Proceed with caution when opening emails from unknown or suspicious sources. Credible financial institutions will never ask you to click on links. Avoid doing so or downloading attachments from these kinds of messages as they may include harmful malware or redirect you to fake and malicious websites. 
• Pay careful attention to the wording of OTP requests: Familiarise yourself with the way your financial institution communicates notifications about online transactions and OTP requests. If you have any doubt, contact your banking institution immediately to confirm the veracity of such messages. 

If you have a dispute with your bank that remains unresolved, you may escalate the matter to the NFO.

Maseti said it is essential to report any suspected fraud to your bank as soon as possible. The NFO cannot assist with blocking or recovering funds - only your bank can take immediate action to protect your account. Only refer a complaint to the NFO once your bank has responded and you are dissatisfied with their outcome or resolution.

Original Article - MSN