Consumer champion Which? has issued a stark scam warning to millions of bank customers
Britons are at risk of being scammed due to a little-known cancelled bank card "loophole", experts warn.
Consumer group Which? has raised alarm over automatic billing updater services, warning that these convenient features could inadvertently enable criminals to continue making fraudulent purchases even after a compromised card has been cancelled.
The services, designed to seamlessly switch saved card details over to a new card when one expires or is replaced, may create an unintended vulnerability for fraud victims.
When customers report fraudulent activity, their bank typically cancels the affected card and issues a replacement, which should theoretically cut off the criminal's access.
However, Which? has identified a potential loophole in this process that could allow scammers to maintain their spending ability through the automatic update mechanism.
The automatic update feature works by refreshing saved card details across online merchants and digital wallets whenever a replacement card is issued, ensuring subscriptions continue without interruption.
Which? has expressed concern that if a fraudster has stored a victim's card information with a major retailer or in a digital wallet, the new card details could automatically populate there as well, effectively restarting the criminal activity.
The consumer organisation has heard from individuals who reported that fraud followed them onto their replacement cards.
Mystery shopping research conducted by Which? revealed that certain banks do not permit customers to opt out of the automatic billing updater process.
The group also discovered that banks take varying approaches, with some fully removing replacement cards from the updater system when fraud triggers the cancellation.
Jenny Ross, Which? Money editor, said: "When you're issued with a new card, having the new number automatically updated in places you've saved it can be incredibly handy, allowing subscriptions to renew seamlessly and enabling you to spend online without manually updating.
"However, Which? has found that if you're a victim of fraud, if this update isn't turned off it could have unintended consequences, allowing criminals to keep on spending.
"Even more alarmingly, customers are most often powerless to opt out of this update, leaving them at the mercy of their individual bank's fraud policy."
The consumer group is urging financial institutions to give customers the choice to disable automatic billing updaters and to establish uniform policies for handling these services in fraud cases.
UK Finance, the banking and finance industry body, responded that account updater services help maintain smooth payment flows and prevent regular transactions from being blocked during card replacements, adding that fraud connected to these updates remains uncommon.
An HSBC UK spokesperson stated: "Billing updater services provide customers with smoother journeys and better outcomes. While customers are unable to opt out, our procedures prevent the type of repeat fraud described."
The bank explained it notifies Visa or Mastercard when cards are cancelled due to fraud and blocks merchants from receiving replacement details.
Lloyds Banking Group indicated it applies continuous payment authority blocks that carry over to newly issued cards when suspicious activity is detected.
Nationwide Building Society said it would refund customers and act swiftly to secure accounts when fraudulent recurring payments are identified.

