If you’re a credit union member, you probably joined because you thought it was safer and more local than a big bank. That trust is exactly what scammers are trying to use against you right now.
A long-time credit union member gets a text that looks like it’s from her cell phone carrier:
“You have 5,000 unclaimed reward points. Tap here before they expire on 12/31.”
She clicks the link. The site looks real. It has the carrier’s logo, the right colors, and a clean design. It says she can turn those points into a bill credit, but first, she needs to “verify” her card.
She types in her credit union debit card.
The page then says:
“We’ve sent a one-time code to your phone. Enter it here to finish.”
Her real credit union sends a real one-time passcode (OTP). She types it into the website.
The next day, she sees a bunch of tap-to-pay charges in another city. Her debit card is still in her wallet. But the money is gone.
When she calls the credit union, she hears:
- “These are card-present Apple Pay transactions.”
- “You gave someone the code, so you authorized them.”
- “We’re denying your claim.”
From the member’s point of view, that feels like gaslighting. And she’s right to feel that way.
Other versions of this same scam use fake tax refunds, package delivery problems, or “billing issues” instead of reward points. The trick underneath is the same.
In this post, I’ll walk through:
- How these Apple Pay / Google Pay fraud scams really work
- The quieter threat of fake online stores that do the same thing
- What your rights are under the Electronic Fund Transfer Act (EFTA) and Regulation E
- How credit unions often get the law wrong
- What to do if this happens to you
I’m a consumer protection lawyer. I represent people when their credit unions, banks, and debt collectors break federal law.
How the Mobile Wallet Scam Really Works (Apple Pay / Google Pay Fraud)
To understand your rights, you first need to understand the trick.
Step 1: The bait
The scammer reaches out in a way that feels routine:
- A text about reward points or bill credits
- A text about a tax refund or “rebate points”
- A message about a package that needs a small payment
You’re busy. The message has a deadline. You tap the link.
Step 2: The fake site
The link takes you to a website that looks like a real brand—a phone carrier, a retailer, or a billing portal. It has a logo you recognize, matching colors, and a clean design. Nothing screams “phishing text message” at first glance.
Step 3: They ask for your card
The page asks for your credit union debit card number, expiration date, and CVV. You think you’re redeeming points or paying a small fee. It feels like normal online shopping or account verification.
Step 4: The one-time code (OTP)
This is the key part. The page says:
“To keep your account safe, we’ve sent a one-time code to your phone. Enter it here.”
Your credit union sends you a real one-time code. That text is real. It’s from them. You type the code into the fake website.
Step 5: What’s really happening behind the scenes
Here’s the part most people never see:
- The scammer is using your card information on their own phone to add your card to their Apple Pay, Google Pay, or Samsung Pay wallet.
- Your credit union sends the OTP as a safety step whenever a new device tries to add your card.
- That code is not for finishing a purchase. It is the provisioning code that says: “Yes, it’s okay to add this card to this device.”
By typing that code into the fake site, you are unknowingly telling your credit union: “Go ahead and add my card to this new phone.” Except that phone belongs to the scammer.
Step 6: Spending your money
Once your card is in the scammer’s mobile wallet, they can walk into stores and tap-to-pay like any other customer. To the payment system, these look like normal card-present contactless transactions. That is why this kind of Google Pay / Apple Pay fraud often slips past fraud filters.
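An added example, not from the original post or from any credit union's system: an issuer-side check for the pattern in Steps 5 and 6, which flags tap-to-pay charges made with a wallet token that was recently added on a device the member has never used. The event fields, member profiles and 72-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; every field name and value is an assumption.
EVENTS = [
    {"t": "2024-12-28T14:02", "type": "token_provisioned", "card": "C1",
     "token": "T9", "device": "dev-new", "otp_verified": True},
    {"t": "2024-12-29T09:15", "type": "contactless", "card": "C1",
     "token": "T9", "city": "Otherville", "amount": 412.00},
    {"t": "2024-12-29T09:40", "type": "contactless", "card": "C1",
     "token": "T9", "city": "Otherville", "amount": 389.50},
    {"t": "2024-12-29T12:00", "type": "contactless", "card": "C2",
     "token": "T1", "city": "Hometown", "amount": 12.75},
]
# Per-card history: devices seen before and cities where the card is normally used.
PROFILES = {
    "C1": {"known_devices": {"dev-old"}, "usual_cities": {"Hometown"}},
    "C2": {"known_devices": {"dev-c2"}, "usual_cities": {"Hometown"}},
}
# Wallet tokens that existed before the sample window.
PRIOR_TOKENS = {"T1": {"device": "dev-c2", "provisioned": "2023-05-01T10:00"}}


def flag_suspect_taps(events, profiles, prior_tokens, window_hours=72):
    """Return contactless payments made with a recently added wallet token
    on a device the member never used, in a city outside their usual pattern.
    A passed OTP is deliberately not treated as proof of the member's intent."""
    tokens = {tok: dict(info) for tok, info in prior_tokens.items()}
    flagged = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "token_provisioned":
            tokens[ev["token"]] = {"device": ev["device"], "provisioned": ev["t"]}
            continue
        tok = tokens.get(ev["token"])
        if ev["type"] != "contactless" or tok is None:
            continue
        prof = profiles[ev["card"]]
        age = datetime.fromisoformat(ev["t"]) - datetime.fromisoformat(tok["provisioned"])
        if (age <= timedelta(hours=window_hours)
                and tok["device"] not in prof["known_devices"]
                and ev["city"] not in prof["usual_cities"]):
            flagged.append((ev["card"], ev["token"], ev["t"], ev["amount"]))
    return flagged


if __name__ == "__main__":
    for hit in flag_suspect_taps(EVENTS, PROFILES, PRIOR_TOKENS):
        print("review:", hit)
```

Both charges on the new token are flagged even though the provisioning event shows `otp_verified: True`, while the long-standing token on the other card is left alone.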

The Quieter Threat: Fake Online Stores Using the Same Trick
Not every case starts with a smishing text. A growing number of scams start when you think you’re just doing normal online shopping.
How fake e-commerce stores work: Scammers set up full fake stores that buy ads on Google, Facebook, Instagram, and TikTok. They use slick product photos and offer big discounts on hard-to-find items.
You click an ad, browse the site, and go to checkout. During checkout, the same thing happens:
- You enter your debit card.
- The site says it needs to “verify” your card.
- Your credit union sends a one-time code.
- You type that code into the checkout page.
Behind the scenes, the scammer is again using that OTP to add your card to their mobile wallet, not to complete a purchase.
These are dangerous because there is no obvious spam text to warn you. The site can run for weeks before being shut down. You may not realize it was fraud until the product never shows up and you see tap-to-pay charges on your statement.
What the Law Says: EFTA and Regulation E in Plain English
Now let’s talk about your rights. The Electronic Fund Transfer Act (EFTA) is a federal law that protects consumers when money is taken electronically from their accounts. The Consumer Financial Protection Bureau (CFPB) wrote a rule under that law called Regulation E.
These rules apply to credit unions just like they apply to banks.
What is an “unauthorized electronic fund transfer”?
A transfer is usually unauthorized if:
- You did not actually authorize that transfer;
- It was not done by someone you gave permission to use your account; and
- You did not benefit from the transfer.
In these mobile wallet scams, ask yourself: Did you mean to add your card to a phone you don’t control? Did you mean to make those tap-to-pay purchases in another city?
If the answer is “no,” that points toward unauthorized use under the EFTA, even if you typed in a code while a scammer lied about what you were doing.
“You Gave Them the Code” – Why Your Credit Union May Be Wrong
When a credit union denies your claim with “you gave them the code,” they’re leaving out half the story.
1. You didn’t agree to what actually happened
Yes, you entered a code. But you thought you were redeeming points or fixing a bill. No one told you: “This code will add your debit card to a stranger’s mobile wallet.” Under the law, authorization isn’t just typing numbers. It’s intending the specific action that occurred.
2. “Card-present” doesn’t mean you were present
Credit unions love to say, “These were card-present transactions, so you must have done them.” With mobile wallets, that logic fails. The system sees a secure token from a device, but it does not know who is holding the phone. It only knows the technical rules were followed.
3. “You were negligent” is not a free pass
Credit unions sometimes blame the member: “You should have known better.” Even if you made mistakes, that does not give the institution a blank check to ignore the EFTA. The law sets caps on your liability and mandates an investigation regardless of your “carelessness.”
Why Organized, Known Scams Matter
These scams are not rare, one-off events. Security researchers and journalists have been writing about them for years. If your credit union failed to update its systems or staff training for known threats, that can strengthen your legal case.
What To Do If You’ve Already Been Hit
If you’re reading this because the money is already gone, here’s what to do now.
1. Lock things down
- Use your app to lock or cancel your debit card immediately.
- Call your credit union. Tell them your card was compromised and added to a mobile wallet on a device you don’t control.
- Ask them to revoke all mobile wallet tokens linked to that card.
2. Save all the evidence
Before anything gets deleted, take screenshots of the scam text, the website URL, and your call logs. This timeline will be vital later.
3. Send a written dispute to your credit union
Do not rely on phone calls alone. Send a letter or a secure message through their online system. Include language like this:

4. Demand Provisional Credit
Provisional credit means the credit union puts the disputed money back in your account while they investigate. In many debit-card cases, if they can’t finish their investigation within 10 business days, they are required to give you this temporary credit. They cannot leave you with an empty account for months while they drag things out.
When It’s Time to Talk to a Lawyer
Were you blamed for the fraud, and then your case was closed? That denial might violate federal law.
My firm holds financial institutions accountable when they ignore the Electronic Fund Transfer Act. We can review your statements, demand the real evidence (like device logs), and fight to get your money back and more.
Don’t let them keep your money. Contact my office now for a free evaluation.
Quick FAQs
I did type the OTP, but I had no idea I was adding my card to someone else’s phone. Do I still have a case?
Very often, yes. The key question is whether you intended to authorize the specific transfers that happened, not just whether you were tricked into typing a code.
What if I waited a few weeks to notice the charges?
You should report them as soon as you see them. Delay can affect how much you may be held responsible for, but waiting a few weeks does not automatically mean you have no rights.
Does it matter that the transactions show up as “card-present”?
It matters to the credit union’s story, but it doesn’t end the legal analysis. Mobile wallet “card-present” labels do not prove you were physically there.
Final Thoughts: Being Tricked Is Not the Same as Giving Permission
You did not wake up and decide: “I want to add my card to a stranger’s phone so they can drain my account.” You were tricked.
Under federal law, being tricked is not the same thing as giving permission.
If your credit union’s answer is, “You gave them the code, so it’s your fault,” that may not be the end of the story. If you’re dealing with this kind of fraud and your credit union has refused to make it right, get real legal advice about your options.

