
How to protect yourself against credit card fraud

In this article, we intend to sensitise you to possible credit card fraud.

Written by Harry Dittmann
Updated over a month ago

This article is relevant for all employees.

Credit or debit cards offer a convenient way to pay online and in everyday life. At the same time, it is important to remain vigilant, as fraudsters are constantly using new methods to obtain sensitive card data. We wrote this article to alert you to the possibility of card fraud. Take the issue seriously. Protect yourself and your company from financial loss. Your attention is the best protection.

⚠️ Please note: The full credit card number, the expiry date and the three-digit security code (CVV) are sufficient for a fraudster to commit credit card fraud.

Treat your credit card details confidentially

Your credit card number, expiry date and three-digit security code (CVV) are sensitive data. Never pass this information on carelessly, whether by e-mail, over the phone or via untrustworthy websites.

  • Never store your card data outside of finway. Your data is secured in finway by 2FA and cannot be accessed by others. Only you have access to the credit card number, the expiry date and the three-digit security code (CVV) in finway. Do not give others access to your finway password, your finway PIN or your mobile phone number.

  • Do not take photos of your card in which card information can be recognised, and do not share such photos via messenger or social networks. Make sure that neither the credit card number, the expiry date nor the three-digit security code (CVV) is recognisable. If in doubt, ask your manager about the company's internal regulations.

  • Be sceptical of unexpected calls or messages asking you to hand over your data.

  • Some retailers use outdated forms that have to be filled in by hand, in which credit card information has to be entered manually. If you have to use such a form and there is no alternative, use one-time cards if possible, which can be applied for via a purchase request.

Pay attention to secure websites when shopping online

When paying online, it is particularly important to pay attention to the security of the website.

What you should look out for:

  • The web address should begin with https://.

  • Look for a small lock symbol in the address bar of your browser.

  • Check that the shop is reputable: Is there an imprint? Customer reviews? Is the design professional?

Use strong passwords and two-factor authentication (2FA)

If you store your credit card in a user account as a means of payment (e.g. for online shops such as Amazon or payment services), make sure that your account is well secured.

Our recommendation:

  1. Use a separate, strong password (at least 12 characters, combination of letters, numbers and special characters) for each merchant user account.

  2. If possible, activate two-factor authentication for additional protection.

Keep an eye on your transactions

A quick look at your transactions in finway can help to detect unauthorised debits at an early stage. To do this, click on the Cards tab in finway and select your card. Here you can see your past card transactions.

Our recommendation:

  1. If you receive one or more authentication text messages that you have not requested, act immediately and report the card as stolen in finway. To do this, call up the card in question in finway under the ‘Cards’ tab and click on Options in the top right-hand corner. Then click on ‘Report card as stolen’. The card will then be blocked.

  2. Check your card transactions regularly and also pay attention to smaller amounts.

Protect yourself from scams

Beware of phishing and other scam e-mails and text messages. Not all fraud attempts are aimed directly at your credit card details. Many start with a harmless-looking e-mail, text message or chat message. These so-called phishing attempts are designed to trick you into revealing sensitive information.

How to recognise phishing e-mails and similar messages:

  • The message suggests urgency (‘Your account will be blocked!’, ‘Final reminder!’).

  • You are asked to click on a link or enter data.

  • The email address appears legitimate at first glance, but is slightly altered (e.g. @Booking123.com instead of @booking.com).

  • The language is atypical or contains many spelling mistakes.

What you can do:

  • Never click on suspicious links. Do not open attachments of unknown origin.

  • Find out from your internal IT department how to deal with such attempts. For example, some companies do not allow opening e-mails from the spam folder.

  • Never enter your credit card details, passwords or TANs on pages reached via links from e-mails or text messages.

  • If you are unsure: Talk to a superior about it.

⚠️ Please note: No reputable provider will ever ask you to disclose personal data or credit card information by e-mail or text message.

Known scams:

  • Fraudsters pretend to be the CEO of your company and ask you by e-mail to buy prepaid cards.

  • Fraudsters pretend to be a customs office. They claim that a parcel for your company is stuck at customs and that a fee needs to be paid to release it, or they ask you to disclose credit card information.

  • Fraudsters pretend to be a hotel booking portal (e.g. Booking.com) and claim that a transaction has failed and needs to be repeated.

  • Fraudsters pretend to be a merchant and ask you to update your payment information.


3DS

3D Secure is an additional security step for online payments with credit/debit cards. If you shop online and the merchant supports 3DS, you will be redirected to a secure page when paying, where you must also authenticate yourself using an SMS code (mTAN).

Advantages:

  • More security with widespread use: Even if someone knows your card details, no payment could be made without the additional authentication step. (However, note the country-specific rules and exceptions described below.)

  • Less fraud: Online merchants can better secure payments.

  • Stronger regulation: In Europe, the PSD2 directive makes 3D Secure mandatory for most online payments.

However, the regulations for 3D Secure (3DS) differ from country to country, particularly with regard to legal requirements, technical implementation and exceptions.

In the EU, 3DS is mandatory due to PSD2:

  • In the European Union, the Payment Services Directive PSD2 applies, which stipulates strong customer authentication (SCA) for online payments. This means that 3DS is almost always mandatory for online payments.

  • Exceptions are only possible under certain conditions (e.g. small amounts, ‘trusted merchants’ or low-risk transactions).

Outside the EU, 3DS is regulated differently. Different standards apply in other countries:

  1. USA: 3DS is not mandatory. Many merchants and banks use it voluntarily, but it is not established across the board.

  2. Canada, Australia, Singapore: 3DS is frequently used, but it is not required by law in all cases.

  3. United Kingdom: Following Brexit, the UK introduced its own SCA rules, but these are largely comparable to PSD2, so 3DS is also standard here.

  4. Emerging and developing countries: 3DS is sometimes not widespread at all or only used selectively, depending on the technical infrastructure and regulation.

How fraudsters try to outsmart 3DS

Although 3D Secure (3DS) makes online payments much more secure, fraudsters still try to exploit loopholes and exceptions in the system. Here are some typical methods:

1. Small amounts are often ignored

Some transactions are not subject to a 3DS check, e.g. if they:

  • are below a certain threshold (e.g. < €30 in the EU),

  • come from a merchant that has been classified as ‘trustworthy’,

  • are considered ‘low risk’ by the payment service provider's risk assessment.

Fraudsters take advantage of this:

They test stolen credit card details by making lots of small payments. If these go through, they know that the card details are active and can then be used for larger or more targeted amounts.

2. Targeted exploitation of regional differences

As 3DS is not applied equally strictly everywhere, fraudsters often try to process payments via foreign merchants or platforms:

  • In countries without mandatory 3DS (e.g. USA), the 3DS query is often optional.

  • Some online shops deliberately do not use additional authentication to speed up the checkout process.

⚠️ Please note: Criminals know this and specifically use platforms with weaker security.

3. Testing card data - so-called ‘card testing’

In this method, stolen card data is automatically tested with software, often with microtransactions (e.g. €0.01). These often go unnoticed and do not trigger a 3DS check.

What can you do about this?

  • Watch out for unusual micro-transactions - even under €1.

  • React immediately to unknown, very small suspicious debits. They are often harbingers of larger fraud attempts.
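The card-testing pattern described above (micro-transactions and runs of small payments that stay under the 3DS exemption threshold) can also be checked for automatically in a transaction export. The following Python sketch is an added example, not finway code: the tuple format, the sample data and the burst rule (3 or more payments under €30 within 60 minutes) are assumptions, while the €1 and €30 limits are the ones mentioned in this article.

```python
from datetime import datetime, timedelta
from decimal import Decimal

MICRO_LIMIT = Decimal("1.00")          # article: watch debits even under EUR 1
SMALL_LIMIT = Decimal("30.00")         # article: example 3DS exemption threshold
BURST_COUNT = 3                        # assumption: 3+ small payments ...
BURST_WINDOW = timedelta(minutes=60)   # ... within one hour count as a burst

# Constructed sample data; hypothetical format: (ISO time, merchant, EUR amount).
SAMPLE = [
    ("2025-06-02T09:14:00", "Office Supplies GmbH", "84.90"),
    ("2025-06-03T02:01:10", "UNKNOWN*DIGITAL", "0.01"),
    ("2025-06-03T02:03:45", "UNKNOWN*DIGITAL", "4.99"),
    ("2025-06-03T02:07:30", "WEBSHOP-XY", "12.00"),
    ("2025-06-03T02:40:00", "WEBSHOP-XY", "29.00"),
    ("2025-06-03T11:30:00", "Bakery", "6.50"),
    ("2025-06-04T08:00:00", "Rail Tickets", "119.00"),
]

def find_card_testing(rows):
    """Return alerts for micro-transactions and bursts of small payments."""
    txs = sorted((datetime.fromisoformat(t), m, Decimal(a)) for t, m, a in rows)

    # Rule 1: every debit below EUR 1 is worth a look on its own.
    alerts = [{"rule": "micro", "start": ts, "count": 1, "total": amt}
              for ts, _, amt in txs if amt < MICRO_LIMIT]

    # Rule 2: group payments below the exemption threshold that fall within
    # BURST_WINDOW of the first payment in the group; report large groups.
    small = [tx for tx in txs if tx[2] < SMALL_LIMIT]
    cluster = []
    for tx in small + [None]:          # None sentinel flushes the last group
        if tx is not None and (not cluster or tx[0] - cluster[0][0] <= BURST_WINDOW):
            cluster.append(tx)
            continue
        if len(cluster) >= BURST_COUNT:
            alerts.append({"rule": "burst", "start": cluster[0][0],
                           "count": len(cluster),
                           "total": sum(amt for _, _, amt in cluster)})
        cluster = [tx] if tx is not None else []
    return alerts

if __name__ == "__main__":
    for alert in find_card_testing(SAMPLE):
        print(alert["rule"], alert["start"].isoformat(),
              alert["count"], "payment(s), EUR", alert["total"])
```

A burst alert does not prove fraud (several small legitimate purchases can trigger it), so treat it as a prompt to review the card's transactions and report the card as stolen if the debits are unknown.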

What is the right course of action in the event of credit card fraud?

If you suspect that your card details have been compromised or your card has been lost, act quickly:

Report the card as stolen immediately:

  • Click on the Cards tab.

  • Select your card.

  • Click on the options menu at the top right.

  • Click on ‘Report card as stolen’ in the drop-down menu.

  • Then report any suspicious incidents to an admin in your company.

For admins:

  • Firstly, make sure that the card has been suspended, closed or reported stolen. Every minute counts here.

  • Report credit card fraud to our support team immediately. Our support will help you with a refund and assist you in finding a solution.


Last updated, 3rd June, 2025.

