Where do scammers get my bank details?
Bank details are most commonly obtained through phishing attacks, data breaches at companies that stored your payment information, and malware installed on devices used for online banking.
Last reviewed: 10 June 2026
Explanation
Your bank account number, sort code, or card details can reach a scammer through several routes, none of which requires the scammer to have broken into your bank directly. The most common is phishing: a convincing fake email, text, or website that leads you to enter your credentials into a form controlled by the scammer. The fake site may look pixel-perfect, copying the real bank's design, and the user session can even be proxied in real time so the victim believes they successfully logged in.
Data breaches at merchants, subscription services, and payment processors expose card details that were stored, often improperly, by companies you have bought from. Even if the breach does not expose the full card number, partial information combined with other leaked data can be enough for sophisticated fraud. Card-skimming devices attached to ATMs and petrol station pumps are a physical way of capturing the same card details.
Malware is a targeted but serious threat. Keyloggers installed on a computer or mobile device can capture every keystroke you type, including passwords and account numbers entered during a genuine banking session. Some malware specifically looks for financial application data and uploads it to a command-and-control server. Infecting a device via a malicious attachment, a fake app, or a compromised website requires only that the victim interact with the malicious element once.
Social engineering is another route. Scammers posing as bank fraud investigators will sometimes call and convince a panicked customer to read out account details or authorisation codes during the call. The caller creates urgency by claiming suspicious activity is happening on the account right now, and the victim's instinct to cooperate with their bank overrides caution. No bank will ever call you and ask you to confirm your full PIN, password, or one-time passcode.
Common red flags
- An email or text asks you to verify your bank details by clicking a link
- A caller claiming to be from your bank asks for your full card number or PIN
- An ATM slot feels loose, the card reader looks different, or there is an unusual overlay
- You receive a one-time passcode you did not request
- Unrecognised small transactions appear on your account before a larger one
- A pop-up on your banking app asks you to re-enter credentials
What to do now
- Enable real-time transaction notifications on your bank account
- Never enter banking credentials via a link sent by email or SMS — go directly to the bank's website
- Contact your bank immediately if you suspect your details were compromised
- Freeze or cancel your card as soon as you notice unauthorised activity
- Keep your operating system, browser, and banking apps updated to patch security vulnerabilities
- Check your accounts weekly so that unfamiliar charges are caught quickly
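The red flag about small unrecognised transactions appearing before a larger one can be checked automatically during a weekly review of an exported statement. The Python below is an added example, not part of the original page; the sample rows, merchant names, thresholds and the function name find_probe_then_large are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample statement rows: (timestamp, merchant, amount in pence).
SAMPLE = [
    ("2026-06-01 09:12", "Corner Grocer", 2340),
    ("2026-06-02 18:30", "Corner Grocer", 4115),
    ("2026-06-03 02:14", "QX-DIGITAL*4471", 99),
    ("2026-06-03 02:16", "QX-DIGITAL*4471", 100),
    ("2026-06-03 14:05", "City Transit", 280),
    ("2026-06-04 03:41", "ELECTRO-HUB ONLINE", 64900),
    ("2026-06-05 12:00", "Corner Grocer", 1875),
]
# Merchants the account holder recognises (constructed).
KNOWN = {"Corner Grocer", "City Transit"}


def find_probe_then_large(rows, known, small_max=200, large_min=10000,
                          window_hours=48):
    """Pair each small charge from an unrecognised merchant with any large
    unrecognised charge that follows it within the window.

    Thresholds are illustrative assumptions, not values any bank publishes.
    """
    window = timedelta(hours=window_hours)
    txns = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), merchant, pence)
        for ts, merchant, pence in rows
    )
    # Charges from recognised merchants are ignored entirely.
    unknown = [t for t in txns if t[1] not in known]
    alerts = []
    for i, probe in enumerate(unknown):
        if probe[2] > small_max:
            continue  # not a probe-sized charge
        for later in unknown[i + 1:]:
            if later[0] - probe[0] > window:
                break  # sorted by time, so nothing further can match
            if later[2] >= large_min:
                alerts.append((probe, later))
    return alerts


if __name__ == "__main__":
    for probe, large in find_probe_then_large(SAMPLE, KNOWN):
        print(f"{probe[0]:%d %b %H:%M} {probe[1]} £{probe[2] / 100:.2f} -> "
              f"{large[0]:%d %b %H:%M} {large[1]} £{large[2] / 100:.2f}")
```

A match is a prompt to contact the bank and freeze the card, not proof of fraud; legitimate services also place small verification charges.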
Frequently asked questions
If I give someone my sort code and account number to receive a payment, can they take money from me?
In most countries, knowing only your sort code and account number is not sufficient to take money from your account. However, it is enough to set up a direct debit in some systems, so treat these details with care and only share them with trusted parties.
What should I do if a phishing site captured my banking password?
Change your banking password immediately, then call your bank to alert them. Also change that password anywhere else you have used it, and enable two-factor authentication if you have not already.