What To Do If a Phishing Site Captured Your Card Details
Immediate steps to protect your card, reverse any fraudulent charges, and secure your accounts after entering payment details on a phishing website.
Last reviewed: 1 June 2026
First 10 minutes
- Call your card provider's fraud line immediately using the number on the back of your card — not a number from the suspicious site
- Report that your card details have been entered on a suspected phishing site and request the card be cancelled and replaced
- Ask the agent to review recent transactions and dispute any charges you did not make
- Change the password for any online account that uses the same email address as your card account
- Screenshot the phishing website URL and any confirmation page shown after your details were entered
First 24 hours
- Check your card statement and set up transaction alerts if your card provider offers them
- Report the phishing site to your national cybercrime service and to the relevant brand being impersonated
- Check whether you used the same password on any other account and change it if so
Contact your bank or payment provider
- Request immediate cancellation and replacement of the compromised card
- Ask the card provider to place a fraud marker on the account and monitor for card-not-present transactions
- Dispute any fraudulent charges under Section 75 (UK credit cards) or your card provider's chargeback rights
Evidence to preserve
- The URL of the phishing site (screenshot before it disappears)
- The original email, text, or message that led you to the site
- Screenshots of any confirmation or 'thank you' page shown after entering your details
Secure your accounts and devices
- Change passwords for email and any financial accounts linked to the email address you used
- Enable two-factor authentication on your email account and card provider's app
- Check whether your email address appears in data breach databases (e.g., haveibeenpwned.com) for additional exposures
Report it
- Report to your national fraud/cybercrime service
- Report to the platform, bank, or provider involved
- Keep any reference numbers you're given
Card details entered on a phishing site are typically sold or used within hours, so speed is the most important factor in limiting damage. Cancelling the card before it is used is far less disruptive than disputing multiple fraudulent transactions after the fact.
Also consider what other information the phishing site may have captured: if you entered your name, address, and date of birth alongside card details, your risk extends to identity fraud, not just card fraud. Review the section on identity theft recovery if you entered more than card numbers.
Frequently asked questions
I only got as far as the first page before I realised — am I still at risk?
If you did not submit any form with your card details, your card is likely safe. However, simply visiting the page may have triggered a malware drive-by on older browsers. Run a malware scan and monitor your card statements for the next 30 days as a precaution.
Can I get money back if fraudulent charges have already been made?
Yes. In the UK, your card provider must refund unauthorised transactions. In the US, zero-liability policies cover fraudulent card-not-present transactions. Contact your provider, dispute each charge, and keep a reference number for every dispute you raise.