Card-not-present (CNP) fraud is a growing threat to online businesses and customers. In 2024, CNP fraud accounted for over $10.16 billion in payment fraud losses in the U.S., a 101.59% increase from $5.04 billion in 2019^[1]. The rising trend of online shopping and digital payments has made it easier for fraudsters to steal personal information, such as card numbers, and use it for fraudulent transactions.

In this guide, we’ll explore CNP fraud—the ways it happens, common tell-tale signs, and methods for protecting yourself. You'll also learn about how virtual cards can help secure your online card payments and avoid fraud.

What Is CNP Fraud, and How Does It Happen?

Card-not-present fraud is a type of payment fraud that happens with transactions where the credit or debit card isn’t physically there. It's common with phone or online purchases.

CNP occurs when a cybercriminal obtains a cardholder's payment card information, such as card number, expiration date, and CVV code, and uses it to make unauthorized transactions. 

Since there’s no physical verification of the card or its owner, CNP fraud might be easier to commit and harder to detect than card-present fraud.

Card-Not-Present Fraud Scheme—Common Methods Cybercriminals Use

The most common methods used in CNP fraud include:

1. Data breaches
2. Social engineering
3. Malware attacks
4. Skimming devices
5. Man-in-the-middle attacks

Data Breaches

In a data breach, cybercriminals target databases of large organizations like retailers, payment processors, and financial institutions to obtain sensitive data such as credit card numbers, usernames, and login credentials. 

The hackers use sophisticated methods such as SQL injections^[2] or DNS tunneling^[3] to gain access to the data. Once they have the information, they can sell it on the dark web or use it for criminal activities.

Social Engineering

Social engineering is a tactic fraudsters use to manipulate and deceive you into sharing confidential information^[4]. For CNP fraud, malicious actors might pose as a trusted individual or organization (bank, ecommerce store, or government agency) to trick you into revealing your payment card details or login credentials through emails, phone calls (vishing), or text messages (smishing).

Malware Attacks

Malware is malicious software hackers use to access your device and steal sensitive information. It can take the form of viruses, worms, or Trojan horses and be installed through email attachments, malicious websites, or infected USB drives. Once the malware enters your device’s system, it can record keystrokes, capture screenshots, and steal card information you enter on shopping sites.

Skimming Devices

Skimming devices are small tools that cybercriminals install on ATMs, pay-at-the-pump, or other payment terminals to steal credit or debit card information. When you insert your card into the machine, the skimmer reads and stores the information from the magnetic stripe. Fraudsters can then use this information to create cloned cards or make fraudulent purchases online.

Man-in-the-Middle Attacks

A man-in-the-middle (MitM) attack occurs when a malicious actor secretly intercepts and alters communication between two parties, such as a customer and an online merchant. The attacker can then access sensitive information, including payment card details, without the victim's knowledge. This type of attack is common when using public Wi-Fi networks, where hackers can easily intercept data transmitted between a customer and an online store.

How Does CNP Fraud Affect You?

Under the Fair Credit Billing Act (FCBA) and Electronic Fund Transfer Act (EFTA), you have limited liability for unauthorized transactions made on your credit or debit card. The FCBA limits your liability to $50 for credit card fraud, but most issuers offer zero-liability policies, meaning you won't be responsible for any fraudulent or unauthorized charges^[6]. 

For debit card fraud, your liability depends on how quickly you report the fraudulent activity. If you report an incident before any losses occur, you won't be liable, while reporting within two days limits your liability to $50. Waiting longer can increase your liability up to $500 or more^[7]. Still, many banks are pro-consumer when it comes to debit card fraud and often provide the same zero-liability protection for debit cards as they do for credit cards.

Despite these protections, CNP fraud can still have a significant impact on you, including:

• Financial losses if you fail to report it on time
• Credit score damage if the fraudulent transactions lead to missed, late, or defaulted payments
• Potential identity theft if the fraudster obtains additional personal information from you
• Difficulty getting loans or credit cards in the future
• Time, effort, and resources spent disputing the fraudulent charges

CNP Fraud Detection—Signs You Should Look Out For

Early detection of CNP fraud is crucial in preventing significant financial losses. Some signs that could indicate you have been a victim of CNP fraud include:

1. Transactions you don't recognize
2. An influx of spam emails and calls
3. Alerts from your financial institution

Transactions You Don't Recognize

When hackers steal your card information, they often make small transactions to test if it's valid before making bigger purchases. This is why one of the first signs of CNP fraud is noticing transactions on your bank account that you don't remember making. These could include purchases, subscription charges, or transfers you didn't authorize. 

An Influx of Spam Emails and Calls

After a successful hacking incident, fraudsters may sell your information on the dark web, leading to an influx of spam emails and calls from scammers offering fake products or services. Don’t respond to or interact with these messages or calls, as they may be phishing attempts to gather more of your personal information. 

Alerts From Your Financial Institution

Financial institutions have advanced fraud detection systems that flag unusual or suspicious account activity. They assess your transaction history, spending patterns, and location data to detect potential signs of fraud. 

Your bank or card issuer may alert you if: 

• A transaction is made from an unfamiliar location or device
• You make a large purchase that's unusual for your spending patterns
• There are multiple failed attempts to access your account 
• There’s an unusually high volume of transactions in a short period

CNP Fraud Protection—Ways To Protect Yourself

With CNP fraud on the rise, here are some steps you can take to protect yourself:

1. Monitor your accounts—Keep track of bank and credit card accounts, set up alerts for large transactions, and report unfamiliar activity immediately.
2. Create strong passwords—Use unique, complex passwords for all your online accounts. A robust password manager like LastPass, 1Password, or Bitwarden can help you generate and store secure passwords.
3. Be cautious of phishing attempts—Avoid unsolicited requests for personal information, as legitimate institutions will never ask for this data via email, text, or phone.
4. Avoid unsecured public Wi-Fi—Always use a VPN like Windscribe, Surfshark, or NordVPN when connecting to public networks to prevent hackers from intercepting your online traffic.

To complement these methods, you can also use virtual cards for your online transactions. Virtual cards come with random card numbers, expiration dates, and CVVs that act as a stand-in for your real payment card details. This way, even if the merchant suffers a data breach, potential hackers might only get hold of your virtual card details while your actual financial information remains secure.

Banks like Citi and Capital One might offer virtual cards under the condition that you have an account with them. On the other hand, getting your virtual cards from a dedicated provider like Privacy lets you benefit from advanced card controls and convenience features without having to open an account at any specific bank. 

Safeguard Your Online Payments With Privacy Virtual Cards

Privacy is a BBB^®-accredited and PCI-DSS-compliant company trusted by over 250,000 Americans. After connecting your bank account or debit card to it, Privacy lets you generate multiple virtual cards for one-time or recurring use. 

You can choose from three card types, as explained in the table below:

With Privacy, you can set two types of controls on your cards:

• Spending limits—This feature helps reduce the risk of billing errors, such as overcharging, hidden fees, and duplicate charges, as Privacy will decline any charges above the limit.
• Card pausing or closing—After pausing or closing your virtual card, Privacy will block all future transaction attempts, helping protect you against accidental charges like those that sneaky merchants might impose on you while canceling a subscription.

Privacy Makes Your Online Payments More Convenient

Privacy offers additional features to make your online shopping experience seamless and convenient. The Privacy Browser Extension, available for Firefox, Edge, Chrome, Safari, and Safari for iOS, enables faster transactions by autofilling your card details at checkout. 

Additionally, the Privacy App (available for Android or iOS) lets you create and manage virtual cards on the go. The mobile app sends instant notifications whenever your Privacy Cards are charged or declined, allowing for quick reaction in case of potential unusual activity.

Other features include:

• 1Password integration—The integration lets you store and manage your Privacy Cards and passwords within the 1Password browser extension.
• Card Notes—This feature allows you to attach helpful notes, such as the merchant name or next charge date, to each virtual card for better organization and easier usage tracking.
• Shared Cards—With this feature, Privacy lets you share your virtual card details with trusted family members or friends without revealing your actual card details.

How To Join Privacy

To join Privacy, you must be a U.S. resident over 18 years old with a valid checking account at a U.S. bank or a credit union. If you meet these requirements, complete these four steps to get your first Privacy Card:

1. Create an account
2. Provide the required KYC information to verify your identity
3. Connect a funding source (debit card or bank account)
4. Request and generate your virtual card

Privacy has four monthly plans, as outlined in the table below:

With the Personal plan, you can generate Single-Use and Merchant-Locked Cards, enjoy all card controls, and get access to the mobile app and browser extension. 

The other plans come with additional features, including:

• Category-Locked Cards
• Fee-free international transactions
• Shared Cards
• Card Notes
• Priority support and Live Chat (Mon–Fri, 9 a.m.–5 p.m. ET)
• 1% cashback on eligible purchases (totaling up to $4,500 per month)

References

^[1] eMarketer. https://www.emarketer.com/chart/260023/us-total-card-fraud-losses-by-channel-2019-2024-billions, sourced March 19, 2025

^[2] Imperva. https://www.imperva.com/learn/application-security/sql-injection-sqli/, sourced March 19, 2025 

^[3] ClouDNS. https://www.cloudns.net/blog/dns-tunneling-attack-what-is-it-and-how-to-protect-ourselves/, sourced March 19, 2025 

^[4] Kaspersky. https://www.kaspersky.com/resource-center/definitions/what-is-social-engineering, sourced March 19, 2025 

^[5] IC3.gov. https://www.ic3.gov/PSA/2022/PSA220208, sourced March 19, 2025

^[6] FTC. https://consumer.ftc.gov/articles/using-credit-cards-and-disputing-charges#:~:text=Federal%20law%20(the%20Fair%20Credit,open%2Dend%20credit%20accounts).&text=you%20can%20dispute-,Unauthorized%20charges.,for%20unauthorized%20charges%20to%20%2450., sourced March 19, 2025

^[7] FTC. https://consumer.ftc.gov/articles/lost-or-stolen-credit-atm-and-debit-cards, sourced March 19, 2025

‍