Innovations and Payment Systems

7 hot spots for credit card theft and how to cut your risk


Seven places and ways your credit card info may be stolen include leaving your plastic in the open in your car and phishing (smishing and vishing) scams.

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

Misery loves company, and those miserable after their credit cards were stolen have a whole lot of company.

A little over one-fourth of American adults say they’ve had a credit card number stolen, an April 2018 survey by the American Institute of CPAs found. About the same number of adults say they’ve been the victim of an email “phishing” scam.

Crooks employ a number of tactics to capitalize on credit card data, and they find that data in an array of places.

What follows is a rundown of seven hot spots for your credit card information to be stolen and advice on what you can do to protect your personal info.


1. Your car (wherever it’s parked).

Thieves who break into your car are hunting for anything valuable, and they often come across wallets or purses that contain credit cards.

The crooks then will take off and almost immediately start running up charges, oftentimes by buying gift cards so they can essentially convert stolen credit cards into cash.

While thieves often break into locked vehicles via “smash and grabs,” leaving a wallet or purse in an unlocked car is an open invitation.

Hot spots for card theft from cars: Vehicles parked at shopping centers, hiking trails, gyms and other public places where the owners are likely to be gone for a while.

How to protect yourself: Don’t leave wallets or purses (or loose credit cards) in your car or lock them in the trunk, away from prying eyes.


2. Gas pumps and ATMs.

Card skimmers at gas pumps and ATMs have been on the rise. In Florida alone, authorities expect to uncover skimmers at 1,000 gas pumps this year, compared with more than 650 in 2017.

With skimmers, criminals steal, or “skim,” your credit card or debit card information, and then use that data to produce counterfeit cards.

To check the gas pump or ATM, gently nudge and pull both the card reader and keypad to see whether it doesn’t fit well, says Paige Hanson, chief of identity education at LifeLock, a provider of identity theft protection services.

This could signal a scammer has installed a skimmer.

“It’s important to note that inspecting an ATM or gas station pump will not help you identify the skimmers that are placed inside the terminals,” Hanson says.

Don’t use the gas pump or ATM if you come across something that’s loose or that looks as though it’s been tampered with, says Ken Allen, senior vice president of identity and fraud at Equifax.

How to protect yourself: If you’re buying gas and suspect a skimmer may be installed at a pump, go to another pump, drive to a different gas station or consider paying with cash. If you’re trying to use a card at an ATM, head to a bank branch and do a face-to-face transaction with a human teller, or pick another ATM.

For ways you can cut your fraud risk by using your eyes, your fingers, a free app and even your common sense, read how to spot a gas station or ATM skimmer.


3. Restaurants and bars.

After you’ve savored a steak-and-lobster dinner at a four-star restaurant or sipped on a couple of martinis at a trendy bar, it’s time to pay the tab. That’s when the chance for card theft increases.

“We hand our credit cards over to total strangers numerous times a day without thinking twice about it,” Hanson says. “However, unlike most transactions, servers at restaurants and bars take your credit card out of sight. We’re instilling a lot of trust in them.”

Most servers are honest, Hanson says, but you might be handing over your card to an employee who is capturing your data with a mobile skimmer – like those at a gas pumps or ATMs – or by simply jotting down your card info.

How to protect yourself: To stop a bar or restaurant worker from feasting on your credit card information, pay in cash or use a credit card instead of a debit card. When you pay by credit card, you have stronger consumer protections under federal law than if you use a debit card. Increasingly, restaurants are trying to protect your card information by installing tabletop payment terminals.


4. Stores.

Data breaches are the new normal at stores, hotels, restaurants and other businesses. In 2018 alone, retailers such as Best Buy and Sears have reported that consumer data has been compromised.

In a typical data breach, a hacker accesses a retailer’s point-of-sale system, installs malware and steals information captured via the magnetic strips on the back of credit cards.

Personal information stolen can include names, credit card numbers, expiration dates and security codes.

How to protect yourself: Dip your chip card, don’t swipe your magnetic stripe card.

Chip cards are “more secure, as each transaction creates a new, unique code to confirm the purchase and share the cardholder’s information with the store,” Hanson says.


5. Airports and hotels.

A cybercrook can fly away with your credit card information while you’re waiting for your flight or lounging at the hotel pool.


Most airports and hotels offer free Wi-Fi, but it typically is unsecured. This means credit card information you enter on your laptop keyboard or smartphone screen is unencrypted and vulnerable to cyberthieves.

Free, unencrypted Wi-Fi service “is the path of least resistance for those skilled in hacking Wi-Fi,” warns Robert Siciliano, a security analyst with Hotspot Shield, which offers virtual private network (VPN) software.

How to protect yourself: Log on to a secured Wi-Fi network so your credit card information will be encrypted (the data is scrambled and shielded from unauthorized access). Siciliano also suggests using a VPN.

“VPNs create virtual tunnels that encrypt all information being passed in and out of your device, protecting you and your data from prying eyes,” Hanson says.

Also, whenever you’re online, look for “https://” preceding the name of the site. Through encryption, an “https://” website protects your information. Credit card numbers sent through a website preceded by “https://” are not encrypted.


6. Your trash.

When you toss something in the trash, you don’t want it anymore. Some thieves, however, do want what you’ve thrown away.

Crooks will dig through the trash container in front of your home, the dumpster at your apartment complex or the business center in your hotel in search of discarded papers.

These dumpster divers could grab preapproved credit card offers, credit card bills or bank statements to steal your identity and set up accounts in your name, Hanson says.

How to protect yourself: Shred any mail and other paperwork that contains sensitive information. Also, give the fraudsters less time to steal your info: Take out the trash the morning of pickup day, rather than the night before, Hanson says.


7. Your inbox.

Around the world, about 269 billion emails were sent and received every day in 2017. And billions of those emails carry the potential to steal our card information.

In many cases, the senders of those emails dupe us through “phishing.” Fraudsters create what looks like a legitimate website and email a link to it, says Rafael Amado, a strategy and research analyst at Digital Shadows, a digital security company.

If you click on the link, you’re taken to a fake site, where you’re asked to divulge information such as your credit card number.

Phishing scams also pop up in text messages on mobile devices. This is known as SMS phishing, or “smishing.”

In addition, Hanson urges us to be alert for voice phishing, or “vishing.” With vishing, a scammer calls and asks for details, such as a card number and a PIN, because your card supposedly has been compromised. 

How to protect yourself: Don’t click on a link that looks even the slightest bit suspicious. If you’re in doubt, contact the credit card issuer or whichever company supposedly sent the email to confirm whether the message is legitimate.

To avoid a vishing scam, offer to call back before offering any security information. A credit card issuer or bank will never ask for your PIN over the phone.

See related: Suspect card fraud? How to file a claimCredit cards are top source of ID theft complaints, FTC says, Infographic: Credit cards bring new fraud trends, First-time fraud victims likely to be hit again

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Innovations and Payment Systems

AmEx to roll out credit card made from ocean plastic

Credit cards aren’t known for being environmentally friendly, but a new card from American Express may change that

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more