Fake Bank Order Confirmation Phishing
Criminals send emails mimicking bank purchase-confirmation notifications for large orders victims never made, with a bank-branded 'cancel this order' link that harvests online banking credentials — using the bank's authority to lend credibility to a fake e-commerce notification.
Part of: Fake Order Confirmation Phishing Scams
Last reviewed: 7 June 2026
Banks send genuine purchase notifications when your card is used, and many also send spending summaries. Scammers have adopted the format of these bank-branded purchase notifications to create fake order-confirmation emails that appear to come from the victim's bank rather than from an unknown retailer — making them harder to dismiss as generic spam.
The email says something like: 'Your [Bank Name] account has been charged for an order with [Retailer]. If you did not make this purchase, click here to cancel and protect your account.' The framing positions the bank as a protective party and the action — clicking to cancel — as responsible consumer behaviour.
The 'cancel and protect' link leads to a fake version of the bank's online portal that harvests login credentials. Because the email appears to come from the bank rather than the retailer, it bypasses the victim's knowledge that 'order confirmation scams' usually impersonate retailers — the bank angle is less recognised.
How this scam exploits your bank's brand
Real bank purchase notifications confirm charges that have already been processed and do not typically include 'cancel this order' links — because the bank cannot cancel a retail order on the victim's behalf. Genuine fraud dispute processes go through the bank's app or website and involve the victim logging in independently and using the dispute flow.
Fake order-confirmation emails reference plausible retailers and amounts. The bank's logo, typography, and colour scheme are copied accurately. The email may include a partial card number and the correct bank account type (checking, savings) — details sourced from prior data breaches — to appear more credible.
After credentials are entered on the phishing page, some pages present an additional 'order details' step asking for the full card number and expiry to 'process the cancellation and refund the charge'. This step collects card data that enables card-not-present fraud at other merchants.
Common red flags
- A bank-branded email about an order you did not make, with a cancel link
- Sender address is not your bank's official email domain
- The cancel link goes to a domain other than your bank's official website
- A page asking for your full card number to 'process the cancellation' — banks do not need this for disputes
- The bank name and partial card number are used to seem credible, but the order is unrecognised
- Urgency: 'You have 2 hours to cancel before the order ships and becomes non-refundable'
- The email describes an order at a retailer you did not visit
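The sender-domain, link-domain and urgency checks above can be automated for a mail filter or triage script. The sketch below is an added example, not part of the original page; the bank domain, the sample message and the flag names are constructed for illustration, and it assumes a single-part HTML email.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
OFFICIAL_DOMAIN = "examplebank.example"  # assumption: the bank's real domain
URGENCY = re.compile(r"\b\d+\s*(hours?|minutes?)\b.*\b(cancel|ship)", re.I | re.S)
# Constructed sample message for illustration, not a captured email.
SAMPLE = """\
From: Example Bank Alerts <alerts@examplebank-secure.test>
Content-Type: text/html; charset=utf-8

<p>You have 2 hours to cancel before the order ships.</p>
<a href="https://examplebank.example.cancel-order.test/login">Cancel this order</a>
<a href="https://www.examplebank.example/help">Help centre</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_official_domain(host):
    # Exact match or true subdomain only: a bank name used as a prefix fails.
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def red_flags(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part message assumed
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    flags = [] if on_official_domain(sender_host) else ["sender-domain"]
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        if not on_official_domain(urlsplit(href).hostname):
            flags.append("cancel-link-offsite" if "cancel" in text.lower() else "link-offsite")
    if URGENCY.search(body):
        flags.append("urgency")
    return flags
```

The From header is easy to forge, so a message that passes the sender check can still be flagged by the link and urgency checks.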
How to protect yourself
- Log in to your bank app directly to check whether any charge was actually made
- If no charge appears, the email is fake — do not click the cancel link
- Dispute genuine unauthorised charges through your bank's app or by calling the number on your card
- Banks cannot cancel retail orders on your behalf — the cancellation route is always with the retailer
- Do not enter card details to 'process a cancellation' — this is always fraudulent
- Enable your bank's genuine push notifications to see real charges as they occur
- Forward suspicious bank emails to your bank's phishing reporting address
How to report it
- Call your bank's fraud line using the number on the back of your card
- Forward phishing emails to your bank's security team (address listed on the bank's official site)
- Report the phishing URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- File a complaint with the FTC at reportfraud.ftc.gov
- Report to Action Fraud at actionfraud.police.uk (UK) or the FBI's IC3 at ic3.gov (US)
Frequently asked questions
Can my bank cancel a retail order on my behalf?
No. Your bank can dispute a charge after the fact — reversing a transaction that has already settled — but it cannot cancel an order before it ships. Any email claiming to offer order cancellation through a bank link is a phishing attempt.
What if a charge from an unrecognised retailer genuinely appears on my bank statement?
Log in to your bank's app, find the transaction, and use the in-app dispute tool or call the number on your card. Do not click email links. The genuine dispute process does not require you to enter your card details again.
Why does the fake email appear to come from my bank rather than the retailer?
Using your bank's name and branding adds authority. Victims who might dismiss a fake retailer email may engage more carefully with what appears to be a bank security alert. Criminals adapt their phishing themes to the most trusted brands in the victim's financial life.