Some Britons have warned that fraudsters kept spending even after they got a new card

Millions of bank customers could remain vulnerable to fraud even after cancelling a compromised debit or credit card, according to fresh warnings.

A feature designed to make replacing expired or cancelled cards more convenient may, in some cases, allow criminals to continue making payments using updated card details.

Consumer group Which? has raised concerns about automatic billing updater services, which automatically transfer replacement card details to online retailers, subscription services and digital wallets.

When fraud is reported, banks typically cancel the affected card and issue a new one, which most customers would expect to end any unauthorised spending.

However, Which? warned that if a fraudster has previously saved a victim's card details with a major online merchant or digital wallet, the replacement card details could be updated automatically in the same place.

The consumer watchdog said it has heard from customers who reported fraudulent transactions continuing on replacement cards, and believes the process may create a loophole.

The service is designed to prevent disruption for legitimate customers by ensuring recurring payments and subscriptions continue without requiring manual updates whenever a new card is issued.

While convenient, Which? said the system could have unintended consequences if appropriate safeguards are not in place.

Passing replacement card details to a merchant account or digital wallet under a fraudster's control would effectively hand criminals fresh payment credentials without any effort on their part, allowing the cycle of theft to begin anew.

The consumer group's mystery shopping investigation revealed inconsistent practices across the banking sector, with some institutions fully removing replacement cards from the automatic update process following fraud, while others maintain the feature regardless.

Which? also discovered that certain banks prevent customers from opting out of the automatic billing updater process entirely, leaving account holders with limited control over their own security.

Jenny Ross, Which? Money editor, said: "When you're issued with a new card, having the new number automatically updated in places you've saved it can be incredibly handy, allowing subscriptions to renew seamlessly and enabling you to spend online without manually updating.

"However, Which? has found that if you're a victim of fraud, if this update isn't turned off it could have unintended consequences, allowing criminals to keep on spending.

"Even more alarmingly, customers are most often powerless to opt out of this update, leaving them at the mercy of their individual bank's fraud policy."

The consumer group is urging banks to offer customers the ability to disable automatic billing updaters and establish uniform procedures for handling fraud cases.

UK Finance, the banking industry body, responded by stating that account updater services maintain smooth payment flows and prevent regular transactions from failing when cards are replaced, adding that fraud connected to these updates remains uncommon.

An HSBC UK spokesperson said: "Billing updater services provide customers with smoother journeys and better outcomes. While customers are unable to opt out, our procedures prevent the type of repeat fraud described.

"When a customer's card details are used by fraudsters, we inform Visa or Mastercard it's been cancelled and block merchants from receiving replacement card details."

Lloyds Banking Group confirmed it applies continuous payment authority blocks that carry over to newly issued cards when suspicious activity is detected.

Nationwide stated it would refund customers and act swiftly to protect accounts, blocking specific recurring transactions where necessary.

Starling noted that its automatic billing updater process does not apply to cards cancelled by customers or due to fraud.

Visa confirmed its account updater service is offered and managed by individual card-issuing banks, which bear responsibility for handling the service for each cardholder, "which includes stopping VAU or stopping it for a specific merchant in an instance where fraud has been detected".

A Mastercard spokesperson said: "Our automated billing updater service is designed with consumers in mind, helping reduce the inconvenience of missed or delayed payments by keeping card details up to date with retailers and service providers. If a card is lost or stolen, these updates are stopped if the cardholder's bank marks the card as closed in ABU."

Which? advises fraud victims to ask their bank whether it has severed the connection between their card and any accounts controlled by criminals, monitor their statements closely, and report any unrecognised transactions immediately.