Payment Fraud Incident Response: A Step-by-Step Guide
Victim of bank or payment fraud? Step-by-step response for consumers, merchants, and ATM operators — what to document, freeze, report, and recover.
Last Updated: February 2026
Disclaimer: This guide is for educational purposes. If you are experiencing fraud right now, contact your bank immediately and, if necessary, call local law enforcement. Do not delay action.
Quick Definition: An incident response to payment fraud means taking swift, documented, coordinated action after discovering that you or your organisation has been victimised — to stop ongoing losses, preserve evidence, recover funds where possible, and prevent recurrence. Speed is the most critical variable in all fraud response.
Why a Response Plan Matters
Most people know they should "call their bank" if they notice fraud. Fewer know what to say, in what order, what documentation to gather, who else to notify, or what to do when the bank disputes their claim.
For merchants and ATM operators, the stakes are higher still: a compromised POS system or ATM may continue affecting customers every minute it remains in service, and regulatory notification requirements may create tight deadlines.
This guide provides three separate response tracks: one for individual consumers, one for merchants, and one for ATM operators. Use the one that applies to you, and read across if relevant.
TRACK 1: CONSUMER FRAUD RESPONSE
The Core Principle: Every Minute Counts
Banks can typically freeze accounts and raise disputes instantly. Fraudulently transferred funds can sometimes be recalled if the receiving account has not yet been emptied. The faster you act, the better your chance of minimising loss.
Step-by-Step: Consumer Response
Step 1 — Stop the bleeding
- Freeze your card immediately using your banking app (most apps have an instant card freeze)
- If you cannot access the app, call your bank's fraud line — the number is on the back of your card
- Ask the bank to flag your account and stop all outgoing transfers pending investigation
Step 2 — Gather information before you call Before calling, note:
- Which transactions are fraudulent (dates, amounts, merchants/locations)
- When you first noticed the fraud
- The last time you used your card legitimately
- Any recent unusual events: card used at an unfamiliar ATM, any links clicked, any calls received from "your bank"
Step 3 — Call your bank's fraud line
- Use the number on your card or your bank's official website — not a number you received in a suspicious message
- Report each fraudulent transaction individually
- Ask for a case reference number — keep this
- Ask what dispute process applies and what the expected resolution timeline is
- Ask whether you need to attend a branch or provide a written statement
Step 4 — Raise formal disputes
- For each unauthorised transaction, formally dispute it
- Your bank should provide provisional credit while investigating (in most jurisdictions for consumer card fraud)
- If your bank disputes your claim or delays, ask for an escalation process and refer to your national financial ombudsman or regulatory body How to Dispute a Fraudulent Bank Charge: A Step-by-Step Guide
Step 5 — Change credentials and secure your accounts
- Change your online banking password from a clean device
- Change your PIN when your replacement card arrives
- Enable or strengthen two-factor authentication Online Banking Security: How to Protect Your Accounts
- Check that your registered email address and phone number in your banking account have not been changed
Step 6 — Report to authorities Filing a fraud report:
- UK: Action Fraud at actionfraud.police.uk or 0300 123 2040
- US: FTC at reportfraud.ftc.gov; optionally FBI IC3 at ic3.gov (for online fraud)
- EU: Your national financial supervisory authority and/or local police
- Your bank may require a crime reference number for the formal dispute process
Step 7 — Check for wider identity impact
- Request your credit report — look for accounts or credit queries you don't recognise
- Consider placing a fraud alert or credit freeze How to Place a Credit Freeze: A Step-by-Step Guide
- Check all other accounts that use the same password or phone number for 2FA
Step 8 — Document and monitor
- Keep a log of every call: date, time, who you spoke to, what was said, reference numbers
- Monitor your accounts daily for at least 60 days
- Follow up with your bank if disputes are not resolved within the stated timeframe
TRACK 2: MERCHANT FRAUD RESPONSE
Suspected POS Compromise
If you suspect your POS terminal has been tampered with or compromised by malware, the following steps apply.
Immediate (within the first hour):
- Take the suspected terminal offline — stop processing card transactions on it; do not power it off (evidence may be lost) unless your acquirer instructs you to
- Do not tamper with or clean the terminal — forensic evidence may be present
- Call your acquiring bank's fraud or compromise helpline — they have a dedicated process for merchant compromise notifications; have your merchant ID ready
- Identify the scope — which terminals, which time period? Use CCTV footage and transaction logs to establish when tampering might have occurred
- Preserve CCTV footage — identify any person who had access to the terminal(s) during the relevant period; back up the footage immediately before it is overwritten
Short term (within 24 hours):
- Document your findings — written record of what was observed, when, and by whom
- Review recent transactions — look for small test amounts, duplicates, or unusual patterns
- Notify law enforcement — file a police report; your acquirer may require a crime reference number
- Determine data scope — in consultation with your acquirer, identify approximately how many cards may have been at risk, and for what period
Regulatory and notification obligations:
Under GDPR (EU/UK), if cardholder data was exposed, you may have an obligation to notify your data protection supervisory authority within 72 hours. Your acquirer will advise on card scheme notification requirements (Visa/Mastercard have their own incident notification processes).
- Replace compromised terminals — only with certified, verified hardware from your payment provider
Consumer notifications:
In some jurisdictions, if you determine cardholder data was compromised, you may have an obligation to notify affected customers. Your acquirer and legal counsel will advise.
Merchant POS Compromise Checklist: Suspected Terminal Tampering POS Security for Merchants: The Complete Guide
TRACK 3: ATM OPERATOR RESPONSE
Suspected ATM Tampering or Skimmer Detection
If physical tampering (skimmer, shimmer, or other device) is discovered:
- Do not remove the device — it is evidence; removing it may damage forensic value and could be dangerous (some devices include booby traps)
- Take the ATM out of service immediately — use your remote management system or physically place an out-of-service notice; do not allow further transactions
- Secure the area — prevent access by the public and unauthorised personnel; do not allow cleaning of the area around the ATM
- Call your card scheme's fraud notification line — Visa and Mastercard both operate compromise alert programmes with specific ATM tamper notification procedures; your acquirer or card scheme contact will be your primary call
- Call local law enforcement — file a report; provide the ATM location, ID number, time of discovery, and description of what was found
- Preserve CCTV footage — identify footage from the period when the device may have been installed; make a copy before it loops
Establish the compromise window:
- Determine when the device was last absent — your last inspection records should show the most recent clean check; this establishes the earliest possible start of data capture
- Pull transaction logs for the compromise period — the number of transactions during this period approximates the number of potentially affected cards
- Report to your card scheme — Visa and Mastercard have fraud reporting processes that trigger cardholder alerts and potential card blocking; your acquirer will initiate this
Remediation:
- Have the ATM inspected and cleaned by a qualified technician before returning to service
- Review and reinforce your inspection procedures — if a device was present for more than one inspection cycle, your inspection protocol needs improvement
- Consider anti-skimming hardware if not already deployed Anti-Skimming Solutions
If a logical/software attack (jackpotting) is suspected:
- Do not touch the ATM
- Call law enforcement immediately
- Preserve evidence per your acquirer and ATM vendor's guidance
- This is a high-severity incident requiring specialist forensic support
ATM Operator Security Checklist: Daily Inspection and Incident Response ATM Fraud Prevention: The Complete Guide
Documentation Guide: What to Record
Good documentation serves three purposes: supporting your bank dispute, supporting a law enforcement investigation, and protecting you from liability.
For all fraud victims — keep a log including:
| Item to Document | Why It Matters |
|---|---|
| Date and time fraud was discovered | Establishes reporting timeline |
| Date and time of fraudulent transactions | Helps investigators trace activity |
| Amounts and merchants/ATM locations | Required for dispute process |
| Names of bank representatives spoken to | Accountability for commitments made |
| Reference numbers for all cases | Allows follow-up |
| Steps taken, in order, with timestamps | Demonstrates you acted promptly |
| Screenshots of suspicious messages, accounts | Photographic evidence |
| Photos of suspicious terminal or ATM | Physical evidence |
Retain all documentation for a minimum of 12 months or until all disputes are fully resolved, whichever is longer.
Reporting Guide: Who to Contact
For Individual Consumers
| Country | Fraud Reporting Authority | Contact |
|---|---|---|
| UK | Action Fraud | actionfraud.police.uk / 0300 123 2040 |
| US | Federal Trade Commission | reportfraud.ftc.gov |
| US (online/cyber) | FBI Internet Crime Complaint Center | ic3.gov |
| EU | National financial supervisory authority + local police | Varies by member state |
| Australia | Australian Financial Crimes Exchange / ScamWatch | scamwatch.gov.au |
For Merchants and Operators
- Card scheme fraud lines: Your acquirer will provide Visa/Mastercard incident contact details
- Data protection authority: Mandatory notification under GDPR within 72 hours of becoming aware of a breach affecting personal data
- Local law enforcement: For evidence preservation and crime reference numbers
Common Myths About Fraud Response
| Myth | Reality |
|---|---|
| "My bank will sort it out automatically." | Banks investigate what you report. Prompt, specific reporting significantly improves outcomes. |
| "I should wait to see if the charge reverses itself." | Waiting reduces the chance of fund recovery and may affect your liability protection. Report immediately. |
| "Filing a police report won't achieve anything." | Police reports provide crime reference numbers, contribute to investigation intelligence, and may be required by your bank. |
| "My bank has already seen the fraud on their system — I don't need to call." | Banks may have monitoring systems, but they cannot act without your report in most cases. Always call. |
| "I can remove the skimmer myself to keep as evidence." | Never remove suspected skimming devices — this can compromise evidence and may be dangerous. Call law enforcement. |
| "If my bank disputes my claim, there's nothing I can do." | You can escalate to your national financial ombudsman or regulatory authority. Know your rights. |
Frequently Asked Questions
Q: How long does a bank fraud investigation take? A: Timelines vary. Initial provisional credit (a temporary credit while investigating) is often applied within 1–5 business days in the UK/EU. Full investigation and permanent resolution typically takes 15–45 days. Complex cases may take longer. Payment Fraud Incident Response: A Step-by-Step Guide
Q: Can my bank refuse to refund me? A: Yes — if they determine you were grossly negligent (e.g., you shared your PIN with the fraudster, or you authorised a transfer knowing it was suspicious). However, banks have obligations under consumer protection legislation, and you can escalate to the financial ombudsman if you believe a refusal is unfair.
Q: What if the fraud happened through someone I know? A: "Authorised" fraud by a known person (e.g., a family member) is treated differently from external fraud. Banks may investigate whether you genuinely authorised the transactions. Document what happened accurately.
Q: Do I need a lawyer? A: For most consumer fraud cases, you do not need a lawyer — bank dispute processes and the financial ombudsman are designed to be accessible. For significant fraud amounts or complex business disputes, legal advice may be valuable.
Q: I clicked a phishing link. What should I do even if I didn't enter any details? A: Change your banking and email passwords immediately from a clean device. Run a malware scan on the device you clicked from. Monitor your accounts closely. Even clicking a link can, in some cases, trigger a drive-by download — better to act preventively.
Q: As a merchant, what are my obligations if customer card data was compromised? A: Under PCI DSS, you are required to notify your acquirer of any suspected compromise. Under GDPR (for EEA merchants), you may have obligations to notify your data protection supervisory authority within 72 hours and affected individuals "without undue delay." Seek legal and acquirer guidance specific to your situation.
Quick Reference: Time-Sensitive Actions
| Timeframe | Priority Action |
|---|---|
| Within minutes | Freeze card/account; stop outgoing transfers |
| Within 1 hour | Call bank fraud line; report all fraudulent transactions |
| Within 24 hours | Change passwords; file fraud report with authorities; preserve evidence |
| Within 72 hours | Check credit report; place fraud alert; notify data protection authority (if merchant/operator) |
| Within 1 week | Follow up with bank on dispute status; contact all affected institutions |
| Ongoing | Monitor accounts; maintain documentation; follow up until resolved |
Additional Resources
- How to Dispute a Fraudulent Bank Charge: A Step-by-Step Guide — How to Dispute a Charge
- Payment Fraud Incident Response: A Step-by-Step Guide — Where and How to Report Fraud
- Payment Fraud Incident Response: A Step-by-Step Guide — What to Expect During Recovery
- Consumer Fraud Response Checklist: Card or Account Compromised — Consumer Response Checklist
- Merchant POS Compromise Checklist: Suspected Terminal Tampering — Merchant POS Compromise Checklist
- ATM Operator Security Checklist: Daily Inspection and Incident Response — ATM Operator Checklist
- ATM Fraud Prevention: The Complete Guide — ATM Fraud Prevention Guide
- POS Security for Merchants: The Complete Guide — POS Security Guide
CTA — For Operators and Security Professionals
A strong incident response starts with strong prevention.
ATM Fortify provides anti-skimming hardware, security assessments, and fraud prevention consulting for ATM operators and financial institutions. Request a Security Assessment →
Last Updated: February 2026
This article is for educational purposes. If you are experiencing active fraud, contact your bank and law enforcement immediately.
Need Professional ATM Security Support?
ATM Fortify provides anti-skimming hardware, security assessments, and fraud prevention consulting for ATM operators and financial institutions across 30+ countries.