Skip to content
Breachfolio
GUIDES · PAYMENT FRAUD

I entered my credit card on a fake website: what to do now.

This is urgent, but it isn't out of control. The next fifteen minutes matter more than the last fifteen — here's exactly what to do, in order.

July 9, 20267 min read

Fake checkout pages usually impersonate a real retailer, a delivery company, or a payment processor. They ask for your card number, expiration date, CVV, name, billing address, and sometimes a one-time code sent by text. If you typed any of that into a page you now suspect was fake, the goal is simple: cut off the card's ability to be used, and leave a paper trail while you do it.

1. Call your card issuer right now

Use the number on the back of the physical card, or your bank's official app — not any number or link from the site or message that led you there. Ask them to lock or freeze the card immediately. Most major US card issuers let you do this instantly from their app; use that first, then follow up with a call to make sure a formal fraud flag gets attached to the account.

Under the Fair Credit Billing Act, your liability for unauthorized credit card charges is capped at $50 if you report promptly, and in practice most issuers waive that entirely. Debit cards are less protected the longer you wait, which is exactly why speed matters here more than it would for a credit card.

2. Check pending and recent transactions

Pending charges often show up before a final, posted transaction — don't wait for something to "clear" before flagging it. Write down the amount, the merchant name shown, and the date for anything you don't recognize, even small ones. Small test charges (sometimes $1 or less) are a common way fraudsters confirm a card still works before making a bigger purchase.

3. Don't confirm anything by phone or text after this

Once a card's details are out, a second wave often follows: a call or text pretending to be your bank's "fraud department," asking you to "verify" a transaction by reading back a code. That code is almost always the one-time passcode that would authorize a real transfer or a new card being added to a digital wallet. No legitimate fraud department needs you to read them a code to cancel something. Hang up, and call the number on your card yourself.

4. Save everything before it disappears

Fake pages get taken down fast, sometimes within hours. Before that happens, save:

  • The full URL, copied from the address bar — not retyped from memory
  • Screenshots of the page, especially any checkout or payment form
  • The text message or email that led you there, with the sender's number or address
  • Date and time you visited, and what you actually typed in

5. Report it

File a report with the Federal Trade Commission at reportfraud.ftc.gov — this is the FTC's actual consumer fraud intake, and it feeds directly into the database law enforcement uses to spot patterns across victims. If the amount is significant or you suspect organized fraud, also file with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. Neither of these gets your money back directly — that's your card issuer's job — but they're what actually gets fake storefronts and phishing infrastructure investigated and taken down at scale.

You can also report the page directly to Google Safe Browsing and to Microsoft, which helps get it flagged in Chrome and Edge for other people who click the same link.

6. Change reused passwords

If the fake site also collected your email, a password, or your address, change any password you've reused elsewhere — starting with your email account, since it's usually the recovery path for everything else. Turn on two-factor authentication anywhere you haven't already.

7. Expect a follow-up attempt

Scammers who got real data from you once often try again, using what they learned to sound more credible the second time — a "refund" that requires you to pay a small fee first, a "delivery" that needs address confirmation, a "security alert" with another urgent link. Treat any unexpected follow-up contact about this incident with the same suspicion as the original message.

The one-sentence version. Freeze the card through your bank's app in the next five minutes, check pending charges, never confirm a code over the phone, and file at reportfraud.ftc.gov once the card itself is safe.