Category: Security
Home / Security /

Credit Card Numbers Keep Getting Stolen? This might be the culprit.

Credit Card Numbers Keep Getting Stolen? This might be the culprit.

Almost all of us, at some point, have had the experience of having to shut a credit card down for fraudulent charges. The good news is, because credit card companies are on the hook for fraudulent charges, they’re pretty good at screening for these types of suspicious charges and alerting you immediately

Almost all of us, at some point, have had the experience of having to shut a credit card down for fraudulent charges. The good news is, because credit card companies are on the hook for fraudulent charges, they’re pretty good at screening for these types of suspicious charges and alerting you immediately.

But what happens if you shut down the card, only to have the fraud immediately recur? Why would this happen? And what can you do about it?

You may have noticed that when you get a new card with a new number or new expiration date, it’s not nearly as hard as it used to be. Your recurring payments don’t get interrupted due to new technology that essentially allows the information associated with your credit card account to be updated without you having to do anything. If the card was previously on file with a merchant, the credit card company can now send the new expiration date, CVV code, and/or card number to that merchant without the card holder having to do anything. The great news is, it’s extremely convenient. Fewer payments rejected, less likelihood of missing a payment and getting a late charge, and in general, less work for you.

But like all technology that adds convenience, this one comes with a downside. The process that allows this update for recurring payments and saved cards at online retailers can also be exploited by bad-actors, so that when fraud occurs and your credit card issues you a new card with a new number, it is almost immediately compromised through an automatic update that allows the new card number and credentials to keep moving easily through payment systems under someone else’s control.

Is There Any Way to Prevent This Automatic Update of Information?

In short, yes. Although many credit card companies have some precautions in place to prevent this automatic update if the new card was reissued due to fraud, we’ve seen numerous examples of this not occurring when it should. What can you do about this?

Ask for it!

When working with your credit card to re-issue a new card if yours has been compromised, you can ask the card provider to fully wipe the card and not update the information for any of your retailers or recurring payment sites. This means you’ll need to go in and update that information yourself manually.

If the fraud appears to be occurring from just one or two retailers, it’s also possible to request that they simply block the update for these sites. Each card provider may have different methods and options for you, but the critical component is you need to ask. Even though it should happen automatically (or the card company should at least initiate a conversation with you about whether you want it to happen), the reality is, that’s not a safe assumption to make.

What if You Have a Recurring Fraud Problem, Even After Explicitly Requesting Your Credit Card Company Not Automatically Update Your Information?

Credit Card - Automatic Updates

In this case, it’s important to ask if there might be another problem. Cards are extremely difficult to use fraudulently with just the card number alone (since most online retailers now require a zip code, CVV code, and expiration date to use the card number). That means, even the first time the fraud occurred on the initial card, it was likely because someone got access to not only the card number, but also the validating credentials that went with it. And while it can happen through an external data breach at a company that has your card information on file, if it keeps happening after new cards are issued, you may need to look closer to home for the source of the security breach.

So, if you’ve ensured that your credit card company automatically updating your info isn’t the problem, you need to continue looking for what it might be:

  • Are you making purchases or accessing financial accounts on public wifi networks?
  • Do you order online through unverified vendors or unsecured websites, like those that prey on people through social media advertising?
  • Have you had your computer screened for viruses and/or malware that may be lurking in the background and stealing your card info?
  • Have you changed the passwords on all of your financial accounts associated with the cards that are being stolen, and ensured they’re not duplicates of passwords you are using elsewhere?

Repeated cases of fraud on credit cards are extremely annoying, but they are unlikely to go away unless you find the source of them. Advancements in technology can be a double-edged sword, so it’s important to both celebrate when technology makes things easier for us, but also be vigilant about protecting yourself and your financial information.

What is Website Spoofing and How Can You Protect Yourself from It?

What is Website Spoofing and How Can You Protect Yourself from It?

Website spoofing is the act of creating fraudulent websites that look almost identical to legitimate websites. The purpose of these sites, while sometimes political or satirical, is most often malicious. They want you to believe that you’ve arrived at your bank or investment company, so that you enter your login credentials and give them what they need to get into your actual bank or investment accounts and steal your money.

What is Website Spoofing?

Spoofed websites are increasingly common, and new ones pop up every day. They do everything they can to look and feel identical to the website you are used to seeing, so it’s not surprising that people are fooled by them.

Think of it like someone creating a parallel street to 5th Avenue in New York City or Rodeo Drive in Los Angeles. On that street, they’ve put up identical store fronts, and when you walk inside each of the stores look and feel the same as the original. The only difference is, they’re selling knock-offs of everything and stealing your credit card information when you make a purchase. And they’ve set the whole street up just one block down from the actual 5th Avenue or Rodeo Drive. So, a savvy local shopper can probably detect the issue, but someone from out of town may find themselves walking down the street of fraudulent shops, thinking they’ve arrived where they intended to be. After all they are very close to their destination, and they see everything they expect to see.

Why Are We Vulnerable to Website Spoofing?

While it’s true that we can be lured to fraudulent websites through phishing emails, another reason we can be vulnerable to website spoofing is that we often initiate the visit to the fraudulent site without being lured there, so our defenses are not up in the same way they would be with a link in a phishing email.

How is it even possible that we voluntarily take ourselves to these fraudulent sites? There are a few ways that this happens.

It’s rare that any of us are typing in a full URL, like https://sustain-financial.com/ into our browsers these days.  More commonly, we’re typing in the name of a company like “Charles Schwab” or “Sustain Financial” into our search engines, or directly into our browser.

Then, we’re relying on the fact that the browser or search engine is going to bring up what we’re looking for. The problem is that the browser or search engine may bring up something that’s almost, but not quite what we’re looking for. And because no one lured or coaxed us into it, our general defenses about suspicious websites are not heightened as they might be after receiving an email inviting us to click a link.

Even if you are typing in a full URL, you can still be vulnerable, as many of these sites use a technique called typo-squatting, essentially just waiting for you to make a single mistake in how you’re keying in that website name.

How Can We Protect Ourselves from Fraudulent Websites?

Bookmark Important Sites

A great habit to get into is to bookmark your frequently visited sites, especially those related to your finances. Rather than using a search engine or an IP address, push yourself to use the bookmarked sites on your web browser, ensuring you are always returning to the same place.

Use a Reputable Password Manager

In our previous post on password management, we recommended using a strong password manager to create and store passwords for you. Not only does this promote the use of strong, unique passwords, but there’s another huge benefit to this practice: a password manager won’t recognize a fraudulent site, so it won’t autofill your login credentials.

If you find yourself at what feels like a familiar site, but your password manager isn’t automatically filling your credentials, it should be a cue to stop and think, is there a reason that the password manager doesn’t recognize this? Am I really in the right place?

Turn on Two Factor Authentication

Two-Factor Authentication is just one additional step between the bad guys and your accounts. Even if you get duped by a spoofed website and accidentally hand over your username and password for your bank account, if you have 2FA set up on that account, when they go to use it, they won’t be able to get past the 2FA requirement. If you haven’t already been forced to set up 2FA on your accounts, then now is a good time to start!

Keep Your Awareness Up

This is really at the heart of internet safety… if something feels off, it probably is. The problem for most of us is that we’re often emailing, logging in, and doing all of our other internet tasks while we’re thinking about other things, so we can miss small but obvious cues that something is off.

If your password manager doesn’t auto fill your login information, but you simply override it and enter it in manually, without asking yourself whether there’s a good reason it may not be working, then you’ve missed a critical cue.

We know how hard it is to do, but put aside your other tasks before sitting down to log in to your accounts, and make sure you’re paying enough attention to spot the red flags that you may encounter. Usually, there are a lot of small cues that can tell us something is off, the problem for many people who get spoofed by these sites is often that the bad actors are relying on people not paying enough attention to catch them.

What Can You Do If You’ve Been Spoofed?

Don’t panic. If all you’ve done is navigate to a site that’s not legitimate, and you didn’t enter any of your login credentials or download anything from the site, there’s likely nothing to worry about.

If you did enter in your credentials (only to have them rejected a couple of times, which may have caused you to suddenly be suspicious of the site, and now you’re panicking), then stop, take a deep breath, and head directly over to the actual site you were trying to get to in the first place.

Log in and change your password immediately. Remember, as long as you’ve got 2FA set up, even with your username and password the bad actors aren’t going to be able to get into your account immediately (but also remember not to give that 2FA code to anyone asking about it), but you should still change your password as soon as you can.

If you can’t get into your account, though, act fast and call the company immediately to let them know there is a problem. Time is of the essence when it comes to fraud and compromised accounts. If you suspect someone has gained access to your accounts, you need to drop everything and get on the phone with your account provider.

Protecting Yourself and Your Money

We know that cybersecurity isn’t really top of mind for most people, but taking the time to implement even just 1 or 2 of these tips could mean saving yourself from losing thousands of dollars. Website spoofing is just one of the many scams out there and even reading this article means you’re at least more aware (and hopefully a little more cautious) about the ways even familiar internet routines can pose a potential threat to your online identity and log in credentials.

What is Good Password Hygiene in 2026?

What is Good Password Hygiene in 2026?

In some of our more recent cyber-security posts, I’ve referenced the importance of good password habits as a vital element of making your online accounts harder to compromise. But what exactly does good password hygiene look like in 2026 and why is it something you need to continue to pay attention to?

Let’s answer the second question first. Hackers and data breaches are more common than ever, and not going away any time soon. It is virtually impossible to not have any online presence in today’s world, so we each have to do our part to keep our information as safe as possible online.

We often hear people expressing stress or angst about these potential threats, while continuing to engage in lazy cyber-security habits that leave them vulnerable. And password creation, use, and storage is one of the habits putting many of us at risk of exploitation by bad actors.

But password advice comes and goes… so what constitutes password best-practices today, in a world of rapidly advancing technology?

Consider Whether a Password is the Right Access Tool

Before we even discuss creating good passwords and storing them safely, it’s worth saying that the use of a numeric pin or biometric (facial recognition or fingerprint) passkey is actually a substantially safer option than a password where available. So, if you are logging into an account that has already transitioned to making a passkey available as a password alternative, that’s a far better option than even the longest, most complex, most unique password out there.

Right now, these are not universally available on every site where you might order coffee or check on your health insurance, but they’re becoming more and more available on larger platforms (like Google, Microsoft, and Apple) as well as on many sites that require higher levels of security, like those involved in money storage and financial transactions.

Set up Two Factor Authentication (2FA)

We know it’s a pain to have to retrieve that text message or open that authenticator app, but 2-Factor Authentication provides a high additional level of protection in a day and age where it is a near certainty that some of your passwords will be compromised at some point. So, wherever it is an option, turn it on, and use a text message or an authenticator app to receive the 2FA code (not email).

Not only will this typically prevent someone who has stolen your password from logging into your account, it will also alert you if you’ve got a compromised password that someone is trying to use. If you receive a text with a verification code, and you’re not trying to log in to the site it’s coming from, that means your password has been compromised, and you need to log into the site immediately and create a new one.

And, although we wish we didn’t have to say it, DON’T share a 2FA code with anyone.

No one legitimate will ever call you and ask you for that code. If you get a 2FA code, and a phone call from the company who sent it asking you for it, HANG UP!

2FA codes are not meant to be shared, and no legitimate company is ever going to call, text, or email you and ask you for them.

Make Your Passwords Long, Complex, and Unique

Long and complex passwords are harder to hack by “Brute Force” (where someone sets a computer to simply try as many passwords as possible on your account until they find one that works). How long, and how complex, they need to be to resist this type of hacking changes over time, but going into 2026, we’d recommend 16 characters or longer.

Hive Systems puts out a table each year that basically shows you how quickly your passwords could be brute-force hacked based on length and complexity, and their 2025 table can be found here.

Unique passwords are also extremely important, but for a different reason. And by unique, we don’t mean slight variations on the same password. An extremely common way that bad actors get access to your accounts is by hacking a relatively non-secure site, and then using the data found there, including your username and password, to attempt to log in to higher stakes sites – like your bank or your email.

If you’re using the same password for everything, you’re basically giving someone a free pass into those accounts. The reality is, while it’s important to protect from hacking, most security breaches start with password reuse, not brute force hacking.

We understand that the requirement for unique passwords can be extremely overwhelming now that the average person has between 170 and 190 password protected accounts.

So, if you’re feeling overwhelmed by the task in front of you, start with the most critical log-ins first! Online banking, email, and any other place where highly sensitive data is stored should be at the top of your list to create long, complex unique passwords, making it less likely that if your health insurance provider gets hacked, they’ll be giving up the key to your bank account.

Use a Reputable Password Manager

Strong passwords can be hard to remember and even harder to generate, so the use of a good, reputable password manager is an important tool. Not only does it securely store passwords, but a good password manager also encourages the creation and use of long, complex, and unique passwords.

Even better, a password manager provides additional layers of protection against things like phishing attempts by not auto-filling a password on a site that appears to be the same as the one you normally use, but is actually a fraudulent set up to steal your login information.

Typically, it is best not to rely on the password managers built into your browser, as they often lack important security features.

For example, Google Chrome lacks a zero-knowledge infrastructure, meaning that technically, your passwords stored in the Google Chrome password manager can be accessed by Google. But, even more problematically, if your Google Account is compromised, so are all your passwords. And, since people often take a very relaxed approach to their email security, often leaving themselves logged in indefinitely on all of their devices, it’s best NOT to have your password protection connected to your Google/Gmail account, as it creates a single point of failure (especially if your Gmail account is also what you’re using for 2 Factor Authentication, which is why we recommend text or authenticator apps).

Keep your Computer and Other Devices Password Protected

Leaving your computer, phone, tablet or other devices without password protection (or password protected, but regularly unlocked when you’re not around), in combination with habits like staying perpetually logged in to sites like your email provider, or skipping two factor authentication on your home or recognized computer, is a dangerous combination of behaviors that can be addressed by simply making sure you have a strong password on your computer, and routinely, habitually, locking your devices when you are away from them.

To lock your computer, you can use the keyboard shortcuts Windows Key + L on a PC or Ctrl + Shift + Q on a Mac. Once you do that, you, or anyone else trying to access your computer, will be required to re-enter your password, pin, or biometric ID to regain access to your computer, and all the things you may have left yourself logged in to.

Most of us don’t consider the people we invite into our homes to be major security risks, but the reality is, there are often a lot of people in and out of our homes (friends, family, and service providers).

If you wouldn’t leave $500 lying around on the table when these folks were visiting, you should ask yourself why you feel so comfortable leaving easy access to an unprotected computer that could be easily logged into your bank account.

Again – we wish we didn’t have to say it, but please don’t leave your password taped to the bottom of your keyboard. No sticky notes allowed!

Ideally, pick a password you can remember, and don’t write it down anywhere, or if you do need to write it down, keep it locked up securely.

Your Awareness Remains Key in Keeping Your Log In Credentials Safe.

The unfortunate reality is that technology is constantly evolving, and you can put a lot of systems in place to protect your passwords but still be a victim of fraud.

One of the best tools you have is to maintain awareness while using the internet to keep yourself and your login credentials safe.

In many ways, the mindlessness with which we engage our technology is a major culprit here. We wouldn’t dare cross a busy 4-lane road while distracted by a million other things (well, we shouldn’t anyway), yet we’re prone to do just that when it comes to clicking around on the internet.

We know it’s hard, but working to adopt more intentional and awareness-based habits when you’re using email, downloading apps, and entering your log in credentials is extremely important.

So, as you embark on creating safer overall password practices for yourself, we also encourage you to try to stay present while working online.

It’s a good idea to practice:

  • An intentional pause before you click on links in emails. If you’re not sure, don’t click on it, and find an independent way to verify its legitimacy.
  • Notice that feeling you get when something feels off. If you’ve gone to a website, but your password manager isn’t automatically filling your credentials, that might at first make you wonder if your password manager is working correctly, but realistically, what you should be wondering is, “am I really on the site I think I am?”
  • Take security breaches seriously and assume that after them, your login credentials are out there. Using a site like Have I been Pwned? can help show you just how many of your supposedly secret passwords have been found in data breaches, and may help motivate you to create newer, stronger, more unique passwords in the future.

The Best Way to Eat an Elephant…

…is still one bite at a time. We know how poor most people’s password and computer security habits are. We see it and hear about it all the time. But we also know that for many, it can be overwhelming and incredibly time consuming to do this all at once, and that the overwhelm can stop you in your tracks.

So, if all you do today, to start, is go set a unique, long, complex password (or better yet a passkey) on each of your financial accounts. Even just for one! That’s a great place to start.

Maybe next week, tackle another item on this list. Don’t let the amount of work that might be in front of you stop you from taking small, meaningful steps in the right direction.

Disclosures & Policies

Sustain Financial Inc. is a Registered Investment Advisor in the State of Washington and California.

ADV Part 2A

Privacy Notice

Table of Fees for Services

Connect with Us

Copyright Sustain Financial Inc. 2025