Credit Card Safety in India 2026 -- Frauds, Risks, and How to Protect Yourself
Editorial Team
Credit Card Safety in India 2026 -- Frauds, Risks, and How to Protect Yourself
Credit card fraud cases in India jumped from around 2,300 cases involving Rs 87 crore in the first half of FY24 to over 12,000 cases involving Rs 630 crore in the same period of FY25. That is a 5x increase in one year. If you have a credit card, you need to understand how these frauds happen and what to do about them.
The Most Common Frauds
1. Phishing Calls and Vishing
Someone calls claiming to be from your bank or the RBI. They say your account has been flagged or your card is about to expire. They ask for your card number, CVV, or OTP to verify your identity. No bank ever asks for your CVV or OTP over the phone. End the call immediately.
2. Card-Not-Present Fraud on International Websites
Your card number, expiry date, and CVV are enough to make purchases on most international websites. No OTP required. RBI mandates two-factor authentication for domestic transactions. International websites are not bound by these rules. If your card is enabled for international transactions and someone obtains your card details through a data breach, phishing email, or skimming device, they can use your card on foreign platforms without your OTP. This is why international transactions should be disabled when you are not travelling.
3. SIM Swap Fraud
A fraudster visits your mobile operator's store with fake ID and gets a duplicate SIM issued in your name. Once they control your number, they receive all your OTPs. Within hours, they can access your bank accounts and credit cards. Red flag to act on immediately: Your SIM suddenly shows no network in places where you normally get signal. Call your telecom operator right away.
4. ATM and POS Skimming
Physical devices attached to ATM card slots or payment machines copy your card's magnetic stripe data. Use tap-to-pay wherever possible -- contactless payments do not expose your magnetic stripe. Wiggle the card reader before inserting your card to check if something is attached.
5. UPI Payment Request Fraud
A fraudster sends you a collect request on GPay or PhonePe and tells you to enter your PIN to receive money. You enter your PIN and money actually leaves your account. The rule: to receive money on UPI, you never enter any PIN or OTP. You only enter your PIN to send money.
6. Fake Websites
Fraudsters clone popular websites like IRCTC, Flipkart, or your bank's net banking page with URLs that look almost identical. Always check that the URL starts with https:// and matches exactly. Bookmark real URLs of sites you use for financial transactions.
Settings Every Cardholder Should Configure
Tap and Pay Limits
Transactions under Rs 5,000 do not require a PIN for tap-to-pay. If you lose your card, someone can tap it multiple times for small amounts without needing anything from you. Most bank apps let you set a lower contactless transaction limit or disable it entirely. Do this if you are not actively using contactless.
International Transactions
RBI directed banks to issue all new cards with international transactions disabled by default. Check your card's current status via your bank app. If you have international transactions enabled from a previous trip and forgot to disable them, do it now. Re-enable only when you are about to travel and disable again when you return.
Virtual Cards
Most bank apps let you generate a one-time virtual card number for online purchases. Even if the merchant site is breached, your actual card is not exposed. Use a virtual card for any purchase on an unfamiliar website.
The Five Rules
| Rule | Action |
|---|---|
| Never share CVV or OTP | Not even if the caller claims to be from your bank |
| Check statements monthly | Dispute any unknown charge within 30 days |
| Disable what you do not need | International spends, set contactless limits |
| Use virtual cards on unfamiliar sites | Available on most bank apps |
| Turn on transaction alerts | SMS and email for every transaction |
If Fraud Happens
Step 1: Call your bank's 24-hour helpline immediately and block the card. Step 2: Report to the bank within 3 working days -- under RBI rules, if reported within 3 days and it was not due to your negligence, the bank bears the loss. Step 3: File a complaint at cybercrime.gov.in or call 1930 (National Cybercrime Reporting Helpline). Step 4: Check your CIBIL report for accounts you did not open.
RBI 2025-26 Update
From April 2026, dynamic authentication is mandatory for all domestic digital transactions. Banks must use factors unique per transaction such as app-based approval or biometric verification. For cross-border transactions, banks must register their card details with global networks by October 2026.
Review your card portfolio and security settings using ValueNinja Wallet Analyser.