When your credit or debit card info is found to have been leaked, the immediate concern is that thieves could go on a shopping spree using your card. In most cases a compromised card will need to be canceled and replaced. The good news is that banks and credit card companies are well-aware of this, and they have easy procedures for challenging suspicious charges, canceling a compromised card, and getting you a replacement card quickly.
You may have both credit cards and debit cards, and each has a different risk if they get stolen. The primary difference between them is that credit card transactions are charged to an account that you pay for in the future. Debit card transactions are taken directly from your bank account.
The Fair Credit Billing Act (FCBA) protects your rights with regards to fraudulent charges on your credit card, including limiting your total liability to not more than $50. In practice, most credit card companies offer what's called "zero liability" meaning that they don't even charge the $50.
The Electronic Funds Transfer Act (EFTA) protects you with regards to your debit card, but its provisions are not quite as lenient. Under the EFTA your liability may be limited to a max of $50, but only if you report your card as lost or stolen within 2 business days. After that you may be liable for up to $500 of the fraudulent charges.
Important: For both credit and debit cards if you don't dispute the charges within 60 days there isn't any legal protection from responsibility, and it will be up to your bank or credit card issuer as to whether they'll insist you pay the charges.
It's almost always safer to use a credit card than a debit card.
First step - Check for suspicious transactions
We want to quickly check for suspicious transactions for two reasons:
To see if the card has already been used by somebody else
If it has been used, to challenge those transactions so we don't end up having to pay for them ourselves.
Important: Under U.S. law you must report any fraudulent transactions promptly to be protected from having to pay some or all of the balance.
To check your account
Sign into your account either with the official app on your device, using a saved favorite in your browser, or by doing an internet search for their official website. Never sign in thru a link in an email, text message, or advertisement; those are common tricks attackers use to try and steal your username and password.
Tip: Paper statements can be useful but checking your account online will show you the most recent transactions which might not appear on a paper statement yet.
Look at the list of recent transactions. Ideally, you'll want to go back at least as far as the known date of the breach. Take note of any you don't recognize.
Don't ignore very small transactions. Thieves will often charge a small amount -- like $1 -- to a card just to test the card and see if it still works. They know that $1 charges are more likely to go unnoticed than a big charge. They might even reverse that $1 charge right away, making it less likely the legitimate cardholder will report a problem to the credit card company.
Once they've confirmed that the card still works, however, they know they can use the card for larger transactions or sell the card info to other criminals who will.
Set up a credit monitoring service
You can check for suspicious transactions by setting up the Defender’s Identity theft monitoring feature (which includes credit monitoring), to watch your credit file for any unexpected credit activity.
With this feature, you can view your credit score, retrieve new and historic events affecting your credit score, and receive notifications whenever a new event occurs related to your credit.
Any unexpected or unknown credit activity is a strong indicator of a potential identity theft. This feature enables you to notice such events early and take a corrective action faster.
Once a suspicious activity is detected, you can also use the lost wallet and restoration service to assist you in taking action. The lost wallet and restoration feature is available only for identity theft monitoring subscribers.
For information on how to set up identity theft monitoring, see Getting started with identity theft monitoring in Microsoft Defender.
Challenge any bad transactions
If you find fraudulent transactions, most credit card companies and banks have a way for you to initiate a dispute right there in your online account statement. Under U.S. law if you report the fraudulent transactions within 60 days you have little, if any, responsibility to pay for them.
Second step - Request a new card
Even if you don't find any suspicious transactions the fact that your card's number is out there makes the risk of fraudulent transactions higher than normal. It's a good idea to request a new card from your credit card company so they can cancel the old card and make sure criminals can't take advantage. Most credit card companies are anxious to limit future fraud and are happy to issue you a new card if your old one has been compromised.
Tip: Remember to update any accounts that might use the compromised card for automatic payments.
Tips for protecting your card
Here are a few easy things you can do to reduce the chances of your card getting stolen or used fraudulently.
Use a virtual credit card
Using your card online? See if your credit card company offers virtual cards that you can use. Most of them offer this service now at no charge.
The way this generally works is that you install a browser extension from your credit card company, and when you need to pay for something online the browser extension will create a custom credit card number just for paying that vendor. It gets charged to your card, as usual, but you don't have to reveal the number that is on your physical card.
The benefit of this is that the virtual card number you get can ONLY be used at that vendor. Even if a thief somehow managed to get that info they wouldn't be able use it to purchase goods or services anywhere else.
Additionally, many credit card companies let you specify a time range or a number of transactions, after which that virtual number expires. For example, you might decide that the virtual card is only going to be good for this week...if someone tries to use it at the same retailer next week, the transaction will be denied, and your account stays safe.
You can usually get as many virtual numbers as you need.
Pay with your phone instead of your physical card
Need to pay for something in person at a shop or restaurant? Use a mobile app like Google Pay or Apple Pay. Payment apps like those let you add your various credit cards to them. When it's time to pay you simply tap your phone or smartwatch to the payment device of the retailer and your device securely transmits the payment information and completes the transaction.
Mobile payment apps like that can be more secure than inserting your physical card, especially if you would have to hand your card to another person and let it out of your sight, even for just a few seconds.
Sign up for alerts
Most banks and credit card companies will let you set up alerts that notify you - usually by email or text message - if a transaction occurs on your account. You can specify a minimum amount if you don't want to get notified every time you buy a coffee but do want to get notified if somebody buys a TV on your account.
This can be a good early warning system to help you spot potential fraud early and cut it off before it causes bigger problems.