That's because a feature designed to reduce friction when renewing credit and debit cards may allow criminals to use replacement card details, Which? has found, with most major high street banks failing to offer customers the choice to opt out.
How card details are automatically updated
The tech that updates these details when you get a new card runs in the background and is provided by the three big card schemes – Visa, Mastercard and American Express (Amex). Each calls it something different, but for ease we’ll refer to it as an automatic billing updater (ABU).
Card schemes have this switched on by default for banks, and many major online merchants are opted in.
While it can be a useful feature, it can also have unintended consequences. If a scammer has saved a victim’s card details to a major online merchant or digital wallet and the link isn't broken, the new card details will update there, too, allowing the fraud to start again.
If you haven’t heard of ABU, you’re not alone – there’s very little information available for customers. Yet fraud continuing on a replacement card appears to be very common.
In our recent survey,* among those who have been a victim of card fraud in the past two years, 61% said they had experienced further fraud on their replacement card within three months of receiving it, though not all of these cases will involve ABU.
Why do things go wrong?
Banks normally block ABU updates in the case of fraud, but mistakes can be made and the link might not always broken.
One banking insider told us fraud teams are sometimes under pressure to hit targets (such as closing a certain number of cases per hour).
Banking body UK Finance also told us of cases in which fraud teams correctly blocked fraudulent payments and ABU updates, but the merchant (the shop or company taking your payment) or middle-man payment firms got around this by reprocessing the payment.
Can you opt out of automatic updates?
Last year, Visa and Mastercard both told us cardholders could ask their issuer (the bank, credit card firm or building society who provided their card) to opt them out of ABU.
This would mean that when a card expires or is cancelled, accounts and wallets where it's saved would not be updated and you'd need to input new details manually.
We decided to put this to the test. Our team of researchers contacted Amex, Barclays, HSBC, Lloyds, Monzo, Nationwide, NatWest, Santander and Starling and asked to be opted out of ABU on their own card.
In many cases, the employee appeared to have no idea what ABU was or what we were asking for, even when we used the correct terminology; only representatives at Starling and Monzo showed any prior understanding of it.
Starling said it couldn’t opt us out, while Monzo said opt-out was only possible if we ordered a new card and ticked an opt-out box on screen during that process.
Monzo was the only one to offer an opt-out process controlled by customers during our research.
Amex later told us that it lets cardholders opt out by calling the number on the back of their card. Based on our experience, some frontline staff may not be aware of this.
Starling, Monzo and NatWest said that when they cancel a customer's card due to fraud, they fully opt its replacement out of ABU. Starling also opts cards out whenever they are cancelled by a customer for any reason.
Stopping recurring fraud
Opting customers out of ABU entirely is not the only way that banks can prevent fraud carrying over to new cards.
For example, Amex, Lloyds, Santander and Nationwide said they block payments and/or ABU updates to the particular merchants involved in the fraud (sometimes called ‘merchant block’).
However, banking industry body UK Finance said merchant blocks can sometimes have 'unintended consequences'.
Problems might arise if the fraudster and the victim both shop at the same merchant. For example, in some cases a merchant block applied to stop the fraudster using the card on Uber might also prevent the genuine cardholder from shopping there.
Companies respond
Mastercard said ABU reduces ‘the inconvenience of missed or delayed payments by keeping card details up to date with retailers and service providers. If a card is lost or stolen, these updates are stopped following the cardholder’s bank marking the card as closed. Cardholders can opt out via their bank.’
Both Mastercard and UK Finance said fraud linked to ABU is low.
Visa said its service (Visa Account Updater, or VAU) allows ‘critical recurring payments to continue without interruptions, even when a card has been updated or replaced. VAU [helps customers by] reducing the chance of declined payments, service interruptions, late fees and missing critical payments such as life or car insurance.’
It added that ‘banks are responsible for handling the service for each cardholder, which includes stopping VAU or stopping it for a specific merchant where fraud has been detected.’
Visa said it works to keep fraud levels low.
A Starling spokesperson said the bank uses Mastercard’s Automatic Billing Updater 'for our customers' best interests. It ensures customers can use their new card with minimal interruption while preventing unnecessary declined payments, late fees or service cancellations. Customers consent to Starling sharing their data with Mastercard when signing up for an account with us.
'The ABU process does not apply to cards that are cancelled by the customer or because of fraud. This is an additional layer of protection for our customers. New card details will need to be updated manually with merchants, while Mastercard alerts merchants to the fact that the previous card experienced fraud. ABU is a requirement of the Mastercard scheme and has been designed with customer protection at its heart.'
Lloyds' spokesperson said: 'Visa Account Updater allows genuine payments to continue when a card is replaced. If a customer requests for a payment to be blocked or there is suspected suspicious activity on the account, we apply Continuous Payment Authority blocks which are carried over to newly issued cards.'
And Nationwide told us: 'We don’t currently offer an opt‑out from Visa Account Updater, but we will keep this under review. If a customer spots a fraudulent recurring payment, we will refund and take action quickly to keep their account safe. If necessary, we can block specific recurring transactions or change account details and issue new cards to them.'
How to reduce your risk of card fraud
It's a good idea to closely monitor your account after being a victim of card fraud, to make sure it isn't continuing on your replacement card.
Always report any unrecognised or suspicious payments to your bank immediately. It should refund unauthorised payments in almost all cases.
If you're asking to be opted out of ABU, look at your card to see which card scheme it's from, and try to use the correct jargon when speaking to your bank:
However, our research suggests you should be prepared for confusion and/or a 'no' from customer services.
If you're unhappy with how you've been treated, or you think your bank has made a mistake, you can make a complaint.
*Our research: Based on a survey of 2,079 members of the public and are representative of the UK population aged 18+. Data collection was conducted online in March 2026.source https://www.which.co.uk/news/article/beware-the-cancelled-card-loophole-that-can-allow-fraud-to-follow-you-aRusC2T1bWda