Online card fraud has evolved significantly since the 2010s. Here is the working mum’s practical guide to protecting yourself, your family, and your small business from the scams that are actually prevalent in 2026.
If you run any kind of small business, run a household, or simply use the internet for shopping, banking, and family admin, you are exposed to card fraud. The good news is that almost all of it is preventable with a small number of habits. The harder news is that the techniques fraudsters use have moved on dramatically since the early days of online shopping. The advice that worked in 2015 (check the padlock, use a secure password) is no longer enough.
This is the updated version: what is actually happening, what works, and what every working mum running a household or a side business should be doing as a matter of routine in 2026.
The Fraud Landscape Has Changed
A decade ago, online card fraud was largely about stolen card numbers being used at unauthorised retailers. The mainstream defences (3D Secure, chip and PIN at the point of sale, bank monitoring) worked reasonably well against this.
Today, the dominant attack vectors are different:
Authorised Push Payment (APP) Fraud. This is now the largest single category of fraud loss in the UK. Rather than stealing your card details, fraudsters trick you into authorising a payment to an account you believe is legitimate. The bank cannot easily protect you from a payment you genuinely authorised, even if you were deceived.
Smishing And Phishing With AI-Generated Content. Text messages and emails impersonating your bank, HMRC, courier companies, your child’s school, and your subscription services. These are now well-written, often personalised, and can include details fraudsters have scraped from data breaches.
Marketplace And Social Media Scams. Fake sellers on Facebook Marketplace, Vinted, eBay, and Etsy. Fake job adverts targeting working mums looking for flexible work, with “training fees” or “starter kit” payments required.
Investment And Cryptocurrency Scams. Sophisticated, multi-week scams that build trust through messaging apps before extracting large sums.
Subscription Trap Sites. “Free trial” subscriptions that lock you into recurring charges that are deliberately difficult to cancel.
SIM Swap And Account Takeover. Fraudsters convincing your mobile network to transfer your number to their SIM, then resetting your bank passwords using SMS verification.
The common thread: most modern fraud is about manipulating you, not stealing your card. Your defences have to evolve accordingly.
The Habits That Genuinely Protect You
Treat Every Unsolicited Contact As Suspicious By Default
The biggest single behavioural shift that prevents fraud is this: assume that every text, call, or email claiming to be from your bank, HMRC, the police, a courier, or any other authority is fraudulent until proven otherwise.
Genuine organisations:
- Will never ask you to move money to a “safe account”
- Will never pressure you to act immediately
- Will never ask for your full PIN, password, or one-time codes
- Will never ask you to download remote access software so they can “help you”
If you receive a contact you cannot immediately verify, hang up or close the message. Then call your bank back using the number on the back of your card, not the number the caller gave you. Five minutes of caution prevents most APP fraud.
Use Bank Account Verification On Every New Payment
Since the rollout of Confirmation of Payee in UK banking, when you set up a new payment recipient, your bank checks the name you have entered against the name on the receiving account. If they do not match, you get a warning.
Take that warning seriously. Every. Single. Time.
The most common APP fraud pattern is a fraudster pretending to be a legitimate payee (your solicitor, your builder, your child’s school) and giving you “updated” bank details. The Confirmation of Payee check usually flags this. The mistake people make is overriding the warning because the message felt urgent. Slow down. Verify by phone using a number you already trust.
Keep Your Bank’s Fraud Monitoring Working In Your Favour
Most UK banks now have sophisticated fraud detection. Help it work:
- Log in to your banking app at least every few days, not just when you need to check a balance
- Enable transaction notifications so you see every payment as it happens
- Update your phone number with your bank if it changes
- Use the official banking app, not the website, when banking on your phone
- Never ignore a fraud alert from your bank, even if it feels like a false alarm
If something looks wrong, report it through the app immediately. Fraudsters move money out fast, and the first hour is critical for recovery.
Lock Down Your Online Accounts
Account takeover (someone gaining access to your existing account, then making purchases or changes) is preventable with two basic steps:
- Use A Password Manager. Free options like Bitwarden, or paid options like 1Password, generate and store unique passwords for every site. The single biggest password mistake is reusing passwords across sites. One breach exposes everything.
- Enable Two-Factor Authentication (2FA) Everywhere It Is Offered. App-based 2FA (Google Authenticator, Authy, your bank’s app) is significantly safer than SMS-based 2FA. Use SMS only when nothing better is offered.
For your most important accounts (email, banking, anything with payment details on file), use the strongest 2FA available.
Protect Your Email Above Everything Else
Your email is the recovery mechanism for almost every other account you have. If a fraudster gets into your email, they can reset every other password.
A few specific protections:
- A strong, unique password just for your primary email
- Two-factor authentication on the email account
- A separate, less-shared email for online shopping accounts
- A regular check of “recent activity” or “logged in devices” to spot unfamiliar logins
- Review of forwarding rules (fraudsters often set up rules to forward your email silently)
Be Cautious About What You Share Online
Fraudsters now scrape social media for the personal details that help them target you. Date of birth. Mother’s maiden name. The street you grew up on. The names of your children and pets (which are commonly used as security question answers).
You do not need to vanish from social media. You do need to be deliberate. Birthday posts that share your full date of birth. “First school” or “first car” memes that quietly harvest security question answers. Holiday posts that signal your house is empty. All of these create attack surface.
Specific Risks For Working Mums Running Side Businesses
If you take payments from customers as part of a side business, additional protections matter:
Use A Reputable Payment Processor, Not Direct Bank Transfers. Stripe, PayPal, Square, GoCardless. These platforms handle fraud protection on your behalf and protect your customers’ card details from ever touching your systems. Direct bank transfer payments leave you exposed to chargebacks and customer disputes you cannot easily resolve.
Separate Your Business And Personal Finances. A dedicated business bank account or even a separate personal account for business income limits the damage if anything goes wrong.
Watch For Customer Fraud. Customers who buy high-value items and then dispute the charge. Customers who insist on overpaying and ask you to refund the difference (always a scam). Customers who use stolen cards to buy from you, leaving you to absorb the loss when the fraud is reported.
Insure Where Necessary. If your side business handles meaningful sums, professional indemnity and cyber insurance are not luxuries. Speak to a specialist broker about what cover fits.
What To Do If You Have Been Defrauded
If you suspect fraud, act fast:
- Contact Your Bank Immediately. Most banks have a 24/7 fraud line. Use it. The faster you act, the higher the chance of recovery.
- Report To Action Fraud at actionfraud.police.uk or 0300 123 2040. This is the UK national fraud reporting centre.
- Change Passwords for any accounts that may have been exposed, starting with email and banking.
- Check Your Credit Report with Experian, Equifax, or TransUnion (all free for basic monitoring) for any unfamiliar accounts opened in your name.
- Document Everything. Save messages, emails, screenshots. You will need them for any insurance claim or police investigation.
If you have transferred money under deception (APP fraud), the Contingent Reimbursement Model applies in many UK banks. You may be entitled to reimbursement even where you authorised the payment. Push your bank on this, and escalate to the Financial Ombudsman if they refuse.
A Note On Children And Online Card Use
If you have older children using devices with stored payment details, a few specific protections matter:
- Do not save the card on the device or in app stores; require entry each time
- Use a low-limit prepaid card for any online accounts your children access
- Enable “Ask To Buy” or equivalent purchase approval on app stores
- Have honest conversations about scams that target children (gaming purchases, fake giveaways, “free V-Bucks” offers)
Children are increasingly targeted in their own right. The approach is not surveillance. It is open conversation and structural limits that prevent serious losses.
The Tax Year Note
April is a useful moment to refresh your fraud defences for one specific reason: HMRC scams spike around the new tax year. Texts and emails claiming to be from HMRC about tax refunds, outstanding balances, or self-assessment returns are particularly common from now through to autumn. HMRC will never text you to say you have a refund waiting. They will never email you for bank details. They will never call demanding immediate payment. If in doubt, log into your Government Gateway account directly to check, and report scam contacts to HMRC’s phishing reporting service.
One Honest Word Before You Go
Online card fraud cannot be entirely eliminated, but the vast majority of losses are preventable with the habits above. The goal is not to make yourself impossible to defraud. It is to make yourself a hard enough target that fraudsters move on to easier ones.
Block thirty minutes this week to do three things: enable two-factor authentication on your bank and email accounts, install a password manager and start replacing reused passwords, and turn on transaction notifications in your banking app. Those three steps alone protect against most modern fraud.
For more honest, practical articles on holding a working life together with awareness and grace, sign up to the Mothers Who Work newsletter at the foot of this page. For nineteen years we have been walking alongside working mums on exactly this kind of practical work that matters more than it looks.
Stay alert. Stay sceptical. The vast majority of “urgent” messages claiming you need to act now are doing exactly one thing: trying to get you to act before you have time to think.