Brits have more stolen payment card details listed for sale than any other country in Europe, according to new research of dark web data by cybersecurity company NordVPN.
The study of six million stolen details, discovered for sale illegally on online marketplaces, revealed that UK credit and debit cards were among the most common on the dark web, with only cards from the US and India more widely available.
Worryingly, two-thirds of Brits’ card data listed (63%) came bundled with a treasure trove of other private information, ranging from home addresses, phone numbers and email addresses to National Insurance numbers.
These details would make it easy for a cybercriminal to commit identity fraud and suggests the victim is likely to have had their details hacked rather than “brute-forced”, where card numbers are repeatedly guessed, usually with a computer.
Of the UK details stolen, 52% were from debit cards and 37% were from credit cards, with other payment cards making up the remainder. Visa cards were the most popular listed, making up 57% of the haul, followed by Mastercard (29%) and Amex (10%).
Researchers found that UK card details typically cost just £4.61. This was 18% lower than the global average (£5.61) and half the average price of payment data belonging to consumers from Denmark — at £9.23 the most expensive in the study.
The average cost of stolen payment cards has fallen by over a quarter since the end of 2021, reflecting the growth — and success — of low-cost online scams and fraud like phishing and malware.
NordVPN’s study showed the UK had a total of 164,143 payment card details listed on the dark web, almost as many as the next two biggest European victims, France (97,032) and Italy (78,676), added together.
However, despite the number of victims, the study found Brits are less vulnerable to the effects of card fraud than some of our global rivals.
NordVPN’s Card Fraud Risk Index measures how likely payment information is to appear on the dark web, in proportion to factors like a country’s population and cards in circulation — along with the risks of it being sold with additional identifying data. The UK ranked 22nd place on the index, with Malta, New Zealand and Australia the three most at-risk nations.
Russia finished bottom of the risk index, indicating the country was primarily a perpetrator rather than a victim of card fraud.
Adrianus Warmenhoven, a cybersecurity expert at NordVPN, says: “The card numbers found are just the tip of the iceberg when it comes to payment fraud. This is a crime with a huge ripple effect and the extra information being sold makes it far more dangerous as a skilled criminal can use these to acquire more personal details.
“Once an attacker has obtained the victim’s name, home address and email, they may even abuse legal methods, such as using the GDPR, to go further with identity theft or other malicious activities.
“In the past, experts linked payment card fraud to brute-forcing attacks — when a criminal tries to guess a payment card number and security code to use their victim’s card. However, most of the cards found were sold alongside the email and home addresses of their victims, which are impossible to brute force. We can therefore conclude that they were stolen using more sophisticated methods, such as phishing and malware.”
NordVPN cybersecurity expert Adrianus Warmenhoven has provided the following tips to help users feel more secure online: