Here are some of the most common ways hackers can get hold of other people’s credit card data – and how you can keep yours safe
The cybercrime underground is a well-oiled machine worth trillions of dollars annually. On dark websites hidden from law enforcers and most consumers, cybercriminals buy and sell huge quantities of stolen data as well as the hacking tools needed to obtain them. There are thought to be as many as 24 billion illegally obtained usernames and passwords currently circulating on such sites, for example. Among the most sought-after is fresh card data, which is then bought in bulk by fraudsters to commit follow-up identity fraud.
In countries that have implemented chip and PIN (also known as EMV) systems, it’s challenging to turn this data into cloned cards. So most commonly it’s used online in card-not-present (CNP) attacks. Fraudsters could use it to buy luxury items for onward sale, or potentially they could buy gift cards in bulk – another popular way to launder illicitly obtained funds. The scale of the market in these cards is difficult to estimate. But the administrators of the world’s largest underground marketplace recently retired after making an estimated US$358m.
With that in mind, here are five of the most common ways hackers could get hold of your credit card data – and how to stop them:
1. Phishing
Phishing is one of the most popular techniques for cybercriminals to steal data. At its simplest, it’s a con trick in which the hacker masquerades as a legitimate entity (e.g., a bank, an e-commerce provider, or a tech firm) to trick you into divulging your personal details, or unwittingly downloading malware. They often encourage users to click on a link or open an attachment. Sometimes doing so takes the user to a phishing page – where you’ll be encouraged to enter personal and financial information. Phishing is said to have hit an all-time high in Q1 2022.

Example of a phishing email. For more details about this email, check out this article: Don’t get phished! How to be the one that got away.
These scams have evolved in recent years. Instead of an email, today you may receive a malicious text (SMS) from a hacker pretending to be a delivery company, a government agency, or another trusted organization. Scammers may even call you up, again pretending to be a trusted source, with the aim of obtaining your card details. SMS phishing (smishing) more than doubled year-on-year in 2021, while voice phishing (vishing) also surged, according to one estimate.
2. Malware
The cybercrime underground is a huge marketplace, not just for data but also malware. Over the years, different types of malicious code have been designed to steal information. Some record your keystrokes – for…