Despite the fact that I have dozens of credit cards, I deal with very little credit card fraud, all things considered. It’s also not something that I’m too paranoid about, given the great protection offered by most credit cards in the event of fraud.
It had been quite some time since I’ve dealt with credit card fraud, though I guess it was time for that clock to reset. I always find it interesting to see the methods used for credit card fraud, and this one is particularly strange, so I’m curious if any OMAAT readers have theories.
In this post:
Seven fraudulent Grab transactions on my credit card
While going through all of my credit card transactions this morning, I noticed something strange on my Citi Double Cash Card. It’s not a card that I’m currently using for spending (it’s “sock drawered,” for the time being), though I just noticed that I’ve had seven transactions on the card in recent weeks, all from Grab in Malaysia (or at least that’s what it appears to be, based on the currency).
For those not familiar, think of Grab as being the equivalent of Uber in Asia. The transactions ranged from $19.99 to $124.91, and it’s interesting how they’re spaced out so much.
When I look at the breakdown, the “Spend Category” shows as “Miscellaneous – Poi Funding Transactions” for all the purchases. I’m not sure if that’s just usually how Grab purchases post, or if that’s a hint of something? Because nearly $125 for a Grab ride in Malaysia is mighty expensive!
Some might wonder how I didn’t catch this sooner. It’s a fair question. I have the card set up on autopay, and since I’m not currently using the card much, I wasn’t paying much attention. However, I tend to review all of my transactions every several weeks, since that’s still within the time period where things can be disputed. It was while doing one of these “sweeps” today that I caught this.
What confuses me about this Grab credit card fraud
It’s always fascinating to see the methods used for credit card fraud, and I’m really struggling to make sense of this. Here are some details that make this interesting, as I see it:
- I actually did use Grab for the first time in early November 2025 (I can’t believe it had taken so long!), in Malaysia; however, I used a completely different card for my Grab purchases, and not the Citi Double Cash Card on which the fraud occurred
- None of the above transactions show in my Grab account, and let me emphasize that my Citi Double Cash Card isn’t saved to my Grab profile
- I have the Citi Double Cash Card in my possession, so it’s not that the card was stolen; however, I did have the Citi Double Cash Card in the backpack I was traveling with (along with around a dozen other cards — I didn’t have fraud on any of those other cards)
So does anyone have any theory as to what’s going on here? Is it just a complete coincidence that this fraud happened weeks after I used Grab for the first time, also in Malaysia? Did someone remove the card from my backpack while I was in Malaysia, and has been using it for transactions ever since (but only for Grab, and not any other cards that were in my backpack)? Is this even being used for Grab rides, or is this “Poi Funding Transactions” thing indicative of something else?
I’ll tell you one thing — credit card fraud is never boring, and the circumstances of how it happens always fascinate me. So if anyone has any thoughts, I’d be fascinated to hear them.
Bottom line
For the first time in quite a long time, I’ve dealt with credit card fraud. Specifically, my Citi Double Cash Card (which I don’t otherwise put spending on nowadays) has had seven transactions with rideshare app Grab in the past several weeks.
The odd thing is that this came just shortly after I used Grab for the first time, also in Malaysia. However, this isn’t the card that I used with Grab, and I also have the card in my possession, which makes this all very strange to me.
Does anyone have any theories as to what’s going on with this fraud?
Every time you key in a card number and cvv into certain website during payment, there will be a chance that it will be leaked. You may see your credit card number on some marketplace with your full details (name, address, zip code etc.) with 20+ buck. Also remember current modern 3DS 2.0 of a credit card will have a chance to trigger frictionless flow (no OTP prompt and transaction directly approved).
Recently flew to Rio last month in premium select and the seat next to me was empty when a man from first class asked if I would mind if he sat there while the baby slept in his seat. I said fine and went to sleep as it was an overnight flight. Well when I woke up a woman was next to me with a winter coat over her. I said who are you and...
Recently flew to Rio last month in premium select and the seat next to me was empty when a man from first class asked if I would mind if he sat there while the baby slept in his seat. I said fine and went to sleep as it was an overnight flight. Well when I woke up a woman was next to me with a winter coat over her. I said who are you and she claimed not to speak English. So i went to the flight attendant and asked her to investigate as I had a funny feeling about this change. She said it was OK since they were from first class and not economy. Anyway the woman moved to the seat one row forward. Now when I got to Brazil I was contacted by two of my credit card companies for a fraud alert. The cards were in my wallet while I slept and I can only assume the woman scanned my pocket while I slept and must have touched my pocket with the scanner and that's why I woke up. Word to the wise beware of people who change seats on overnight flights. If I didn't have another card I would have had a big problem as these cards were immediately terminated. Kudos to the different card companies for their quick alertness.
I highly recommend using one of the Mint.com replacements to keep track of purchases with all the CC's you have, that's how we catch fraud early
If I remember right, the Grab app allows a lot of non-rideshare purchases, so I'd expect it's some of those...
Most banking apps allow you to temporarily deactivate cards to prevent their misuse. Consider using this feature particularly if you have a lot of cards, making it difficult to monitor them all. Some apps even allow you to disable by transaction type so that you can for example disallow online transactions while allowing Chip & PIN transactions. Or maybe USA is still lagging in retail banking tech ???
People really need to educate themselves about credit card RFID.
By the way, did you know you can get sucked to death in an airplane toilet if you flush while sitting.
Not worth figuring our what happened. Dispute the charges, change your card number and move along. This is Citi's problem, not yours.
Finally, your cards are on auto pay? NEVER set anything to automatically take money from your bank account. EVER.
Every card I have is on autopsy. I regularly review the accounts for fraud and have notices set up. Thus, I strongly disagree on autopsy and would do it no other way.
You are no going to know how - the card could have been compromised a long time ago on a website or you were phished - or they guessed the number
Dispute the fraud - all you can do
Looks like a money grab...
If possible, I would use Google Wallet (called Google Pay before)/Apple Pay or Digital Card from American Express for security concern.
The interesting thing to me is that it doesn’t look like you were charged any foreign transaction fees.
Multiple thoughts on this, Ben. Why was CC. in your backpack? Why was it even taken on this trip? And most importantly, why was no alert set on your card?
Truth be told, these are rookie mistakes. The world has so devolved, that many people have way too many cards. You can be so laser focused on spends and earnings, that the basics are forgotten.
Hope this episode gives you the realization that credit card security is a 24 hour a day proposition.
Or ignore it, since these events are rare and the bank always makes one whole. Ben's "rookie mistakes" are my normal practice.
My MemberSince is 85.
Interesting story, and lots of good sleuthing, although I'm not sure Ben will ever find out exactly what happened.
I've suggested that Ben discuss in one of his posts his strategy for storing and carrying his credit cards, especially when traveling. Experience has taught me that you'll never know when you might need a specific card in hand, so I travel with them all in an RFID folder/wallet I got on Amazon. Still, I'd really...
Interesting story, and lots of good sleuthing, although I'm not sure Ben will ever find out exactly what happened.
I've suggested that Ben discuss in one of his posts his strategy for storing and carrying his credit cards, especially when traveling. Experience has taught me that you'll never know when you might need a specific card in hand, so I travel with them all in an RFID folder/wallet I got on Amazon. Still, I'd really like to hear from an "expert" about good strategies.
An rfid wallet does not protect you from theft.
Did you link a temporary phone number to your Grab account?
I visited the US a couple of years ago (I am from outside the US) and picked up a local SIM card. The phone number I was given appeared to have been recycled a few times, and I frequently received scam/promotional calls on it while I was travelling. Anyway, I downloaded Lyft, saved my temporary US number on it, and ordered a couple of...
Did you link a temporary phone number to your Grab account?
I visited the US a couple of years ago (I am from outside the US) and picked up a local SIM card. The phone number I was given appeared to have been recycled a few times, and I frequently received scam/promotional calls on it while I was travelling. Anyway, I downloaded Lyft, saved my temporary US number on it, and ordered a couple of rides with my credit card (which was saved on the app). Once the trip was over, I left the country, deactivated sim and thought that was it.
Almost a year later, I began receiving several unauthorised charges on my credit card for Lyft (Lyft is not available in my country). I couldn't access the Lyft app from my country to check/deactivate the account/remove my credit card, as I no longer have access to the same US phone number for authentication. Contacted both my bank and Lyft and eventually resolved it. As it turned out, the phone number I used had been recycled. The new person with the number was able to log in to my Lyft account with the recycled number and had a week of catching multiple free rides on my credit card.
it is always good practice to lock the credit cards that are not currently in active usage rotation, and keep them in the locked state. whether or not a card is being used, you should always set up automatic email alerts for each and every transactions that goes through any of your credit cards, so you are immediately notified for any amount of spend on any one of your cards. i am surprised a fellow credit card enthusiast like him doesn't already know or do this.
Don't be. I've been in the game even longer than Ben and I do not have alerts for trivial amounts, locked cards, or tech wallet. If a card issuer says I bought something and I didn't, I tell them and later the transaction is removed. It happens seldom enough that the preventive overhead isn't worth it. I prefer not to bother.
No card issuer has ever let me down on a fraud situation. In fact,...
Don't be. I've been in the game even longer than Ben and I do not have alerts for trivial amounts, locked cards, or tech wallet. If a card issuer says I bought something and I didn't, I tell them and later the transaction is removed. It happens seldom enough that the preventive overhead isn't worth it. I prefer not to bother.
No card issuer has ever let me down on a fraud situation. In fact, my biggest problems with card issuers is false alarms, causing inconvenience.
Ben, this is a topup to the GrabPay wallet in Malaysia. Given that this isn't you, it's fraud then. You can reach out to them + do a chargeback. Usually Grab is fast in dealing with fraud.
Totally off topic @ben check this cool new walkway design in DUB. https://x.com/dublinairport/status/2024193153503236494?s=46
I live in China and there are services that advertise on social media for "cheap" food delivery in Western countries. Scammers bulk buy stolen credit card numbers. You then send the scammer what you want to order, they charge a service fee (advertised as a few dollars) and then place the order for you using a stolen card.
I assume since each fraud transaction is less than a hundred dollars no one bothers going...
I live in China and there are services that advertise on social media for "cheap" food delivery in Western countries. Scammers bulk buy stolen credit card numbers. You then send the scammer what you want to order, they charge a service fee (advertised as a few dollars) and then place the order for you using a stolen card.
I assume since each fraud transaction is less than a hundred dollars no one bothers going after them and if one card gets shut down they just switch to another.
I would assume your number got stolen somewhere along the way (perhaps years ago) and was bulk sold to one of these scammers.
There's a lot of card skimming in Malaysia ( my husband is in banking cybersecurity in APAC) and Indonesia. Could have easily had your card skimmed if it wasn't in an RFID wallet. As others have said these transactions are effectively cash top-ups. Your bank should refund.... however, Grab also requires facial ID so in theory whoever used it could be identified too for using stolen card details.
I used to live in Malaysia and my husband and I had issues with fraud on our credit cards all the time. Some of them were legit theft (I'm looking at you AirAsia data breach) but the majority were impossible to figure out how it happened. Most of our cards were never used in Malaysia and we didn't even carry them with us. The fraudulent charges were never in MYR, most of them would show...
I used to live in Malaysia and my husband and I had issues with fraud on our credit cards all the time. Some of them were legit theft (I'm looking at you AirAsia data breach) but the majority were impossible to figure out how it happened. Most of our cards were never used in Malaysia and we didn't even carry them with us. The fraudulent charges were never in MYR, most of them would show up as charges in EUR.
I thought that credit card fraud had just become commonplace, but then I moved to the US and I've had no issues at all.
Cybersecurity expert living in Southeast Asia here.
The most plausible scenario based on the information you shared is that your credit card details were somehow stolen or leaked (for example through card skimming), and the perpetrators quickly wanted to cash out by purchasing items with your credit card such as gift cards through Grab, which can then we sold on online marketplaces (such as eBay in the US).
I have labeled each card that has a foreign transaction fee with a red or yellow label that says Foreign. That way it doesn't get taken anywhere except US.
I use the RFID sleeves for the couple of cards I do take including the ATM. Anything not being used regularly is locked, and only 1 is available for regular use. If that doesn't work, then I have to spend a few minutes unlocking another card.
Ben,
The transaction details you posted mirrors mine when i use my Citi card to fund my Grab e-wallet.
You will notice, the sums charged in MYR to have an incremental 1% to it, the fee that Grab charges for credit card reloads into e-Wallets, GrabPay in this instance. So in your example, RM90+1% = RM90.90.
The source of the Credit Card fraud probably has nothing to do with Grab You most likely used that Credit Card to purchase an AirAsia flight and that's where it was Hacked. AirAsia has had customer data breached a few times recently.
If this is possibly true, let your Credit Card fraud department know. They probably won't care, but who knows....
No way Ben Schlappig used a Citi Double Cash card to pay AirAsia. Come on Eric, we know he's slightly sleep-deprived but get serious
After travelling south east Asia for 2 months, across 4 countries without incident, within 48 hours arriving in Malaysia i had lost 2 cards. Coincident, i don’t think so - Something happening in Malaysia. First one was within 12 hours of using sole ATM at Thai border crossing. I was about 20th in line there, so doG knows how many cards are scammed a day at that location. 2nd scam was with 24 hours of...
After travelling south east Asia for 2 months, across 4 countries without incident, within 48 hours arriving in Malaysia i had lost 2 cards. Coincident, i don’t think so - Something happening in Malaysia. First one was within 12 hours of using sole ATM at Thai border crossing. I was about 20th in line there, so doG knows how many cards are scammed a day at that location. 2nd scam was with 24 hours of physically using my quarantined AM EX card, that was dragged out cause travel card comprised to check into next hotel. Only used that card at 1 hotel check in desk. So i have no idea where or when that was scanned. Story here is not the scamming, that is happening all the time, more and more. IMO story is the way CC companies handle the events. WISE had not number to call, all online, and was a 2 month battle to get refund out of visa. Very disappointing for my favourite card . AMEX had new digital card sent before end of phone call, and transactions reversed before end of day. Be vigilant people
Quite possibly in crowds someone using rfid reader "bumped" into you to read your cards. They could have gotten your card# and transactions on the citi card and just use that.
When traveling, I only take the physical cards I need, maybe 3-4 cards max. I rely on my digital wallet when I need to use other specific cards. The physical cards are always in a rfid reader proof wallet. I have a wallet dedicated...
Quite possibly in crowds someone using rfid reader "bumped" into you to read your cards. They could have gotten your card# and transactions on the citi card and just use that.
When traveling, I only take the physical cards I need, maybe 3-4 cards max. I rely on my digital wallet when I need to use other specific cards. The physical cards are always in a rfid reader proof wallet. I have a wallet dedicated to traveling. And I always keep 1 card separate in my passport wallet (also rfid proof) in case the wallet gets stolen. And those 2 wallets are always stored in 2 separate bags.
FWIW - all of my Grab charges in December coded as "Grab *A-12345578" (insert random confirmation number). I'm guessing yours has no relation to Grab and is just coding as a cover. Plus those totals are major food orders or incredibly expensive rides for that part of the world lol.
My guess is that your Citi Double Cash card was read by a RFID-scanning device while in your backpack. Along with other info they stole from you on your Malaysia trip, the criminals were able to use your card remotely. Grab probably happens to be the easiest way for them to cash out locally in Malaysia.
I've had a couple of bizarre fraud scenarios recently on amex cards. One involved a string of fraudulent amazon purchases (both with cash and redeeming MR) which was able to continue even after I reported the fraud and received a new card number twice. Only stopped when I had amex put merchant blocks on amazon charges (interestingly, freezing the card blocked cash purchases, but MR purchases still kept going through).
Another was a single $500...
I've had a couple of bizarre fraud scenarios recently on amex cards. One involved a string of fraudulent amazon purchases (both with cash and redeeming MR) which was able to continue even after I reported the fraud and received a new card number twice. Only stopped when I had amex put merchant blocks on amazon charges (interestingly, freezing the card blocked cash purchases, but MR purchases still kept going through).
Another was a single $500 charge on a different amex card in what looked to be a donation (!!) to a legit NYC charity.
Did you leave your backpack unattended anywhere- like your hotel room? It's possible a housekeeper snapped a photo of the card details. While there was no fraud on any of these other cards, this one makes the most sense to me. I had a similar situation happen years ago and that is the only logical conclusion I could come up with.
I do this whenever I go to countries where I don't feel familiar with, normally I order a sub card or use a card that I normally use, but then the moment I get back home, I report it lost and get a replacement with new number altogether. It's a pain to update wallets etc. But at least I get home with a clean slate.
Curious about why you would even have a card that charges an intl transaction fee in your bag when you travel overseas. I always leave my city doublecash card at home when I leave the country, since I won't be using it.
@ Craig -- To be honest, I probably shouldn't have had the card in my bag, even. However, lately I've had about a dozen cards just sitting in there (separate from my wallet), and I forgot they were even in there.
Perhaps a "side benefit" of having so many credit cards.
You can buy groceries, get food delivered, rent a driver and a car for a full day, etc on Grab - it's very likely the more substantial purchase was something like that as opposed to a single ride from point A to point B.
I don’t have the Grab app or a Grab account but I returned from a trip to SE Asia (that included Malaysia) and later found incremental charges on my Chase card from Grab. I was able to stop them and cancel the card, etc. before anything more happened. I assumed my Chase card info was intercepted somewhere on my trip and the Grab charges were just the start of a larger series of fraudulent activity.
Does Ford have any sketchy friends that came into the house???
In Miami? No way.
Really good example of why you shouldn't store credit card information into any app. Not sure if this is how they got your information. If they did it's pretty clear someone has unfettered access to Grabs secure area internally most likely.
Also I travel immensely internationally for work. Dozens of credit cards I only use one internationally or two. Limits yourself from damage should any occur. I 100% do not use a ATM.
@ BA -- Fair points, but I hadn't saved this card in the Grab app (or any other app that I can think of).
I recently used my ETrade ATM card in Germany. When I got home and checked my statement I had 3 debits from MILLARSSHOE 51 market street Market GB for $162 each. Then it stopped weeks before I notified Etrade. It's a shoe store website in the UK. Weird.
Also of note, the regular Etrade checking account no longer waives foreign transaction fees. They have a new "Max Rate" checking account that still does this. I...
I recently used my ETrade ATM card in Germany. When I got home and checked my statement I had 3 debits from MILLARSSHOE 51 market street Market GB for $162 each. Then it stopped weeks before I notified Etrade. It's a shoe store website in the UK. Weird.
Also of note, the regular Etrade checking account no longer waives foreign transaction fees. They have a new "Max Rate" checking account that still does this. I was not notified. Thanks Morgan Stanley for not letting me know of the change.
Actually, it's not as big a deal as it used to be since in many countries I don't even bother to get any local currency these days. I only took out cash in Germany last trip because somebody told me they only take Bargeld at the Christmas market stalls which was incorrect information.
I always set alerts on all my (20+) credit cards for the lowest amount possible and lock my sock drawer ones. Scammers tend to start with small transactions to see if you notice before making a large purchase. Granted, you're still not liable but it is a headache to deal with this.
Yup. Every single transaction on a CC gets an alert, either text or email (for whichever is more manageable for you.) Then, in real time, you get a sense of what is going on. While your method works to batch the review every few weeks, just seems alot more satisfying to catch the first fraudulent transaction and reissue the card.
Same, I have alerts for pretty much every single transaction
POI is Point of Interaction as opposed to POS Point of Sale. Typically POI designation is used for quasi-cash transactions, for example, when you top up a digital wallet or purchase a gift card, etc.
So somebody appears to have used it for topping up a Grab Wallet and using numbers that don't look suspicious in terms of round numbers.
Check where your card was and then last 10 or 20 transactions before these fraud...
POI is Point of Interaction as opposed to POS Point of Sale. Typically POI designation is used for quasi-cash transactions, for example, when you top up a digital wallet or purchase a gift card, etc.
So somebody appears to have used it for topping up a Grab Wallet and using numbers that don't look suspicious in terms of round numbers.
Check where your card was and then last 10 or 20 transactions before these fraud transactions started. But even that isnt reliable because the theft of card details may have happened somewhere else at a different time or hack into an entity where the card was registered even perhaps unrelated to Malaysia. And then that info sold to someone in Malaysia in the digital underground.
Asian countries depend on OTP or Card Pin code to validate or just go through the transaction with no verification fir US cards that don't have a pin unless flagged by the processor.
So where it was compromised may be separated from the usage by location and time.
@ GV -- Good insights, thanks. There hadn't been any transactions in many months, for what it's worth (in reference to the question about the "last 10 or 20 transactions before these fraud transactions started").
GV is correct. They're not using your account, they're using your card on some other account, and they're using it for GrabPay transactions (Google it up).
The transactions are (obviously) in MYR so GV's reference to the amount in USD not behind rounded does not apply.
I don't think it's related to Grab. These were online transactions according to your screen capture. I also doubt someone used your card by copying it out of your backpack. I assume someone bought it off the darkweb, where it was stolen in some profile you might have saved online. Thieves like to use small transactions like these to prove the card still works and stay off your radar (which worked in your case). Could...
I don't think it's related to Grab. These were online transactions according to your screen capture. I also doubt someone used your card by copying it out of your backpack. I assume someone bought it off the darkweb, where it was stolen in some profile you might have saved online. Thieves like to use small transactions like these to prove the card still works and stay off your radar (which worked in your case). Could have also been sniffed off any public wifi you might have used (although I'm sure you're smarter than doing that). The fact is you'll never know. This data is all out there in the darkweb
Right, doesn’t look like it’s related to Ben’s Grab account. Someone just got his card number and added it to a different Grab account, and is now using the Grabpay feature to spend.
Wonder if it could be someone who NFC/RFID’d the card then used it afterwards?
@ George Henan -- For what it's worth, I hadn't used this card for any sort of a transaction in many months.
This was my thought as well. If the card was in a pocket of the backpack and not in an rfid-safe place, anyone could have skimmed the CC info. That happened to me in India last year. Now I only keep credit cards in rfid-protected wallet or leave them home.
"Ghost tapping" might be it.
There are some videos on youtube showing people with remote charge terminals walking up to people's backpacks and wallets.
You cannot read the credit card CVV through NFC, so you cannot use whatever an NFC reader may see.
In the US/Canads it's really easy for numbers (including CVVs) to be stolen as people still hand off credit cards to perfect strangers at restaurants or to cashiers, who can pass them them under a camera and capture that data while processing it.
Do some research before believing clickbait, or your laziness may also cause you to vote for the wrong candidates.
Fwiw, people don’t hand off cards at restaurants or stores in Canada. All cards there chip + PIN so the waiter would bring a card machine to the table. The only places that still records card numbers are some hotels, for some reason. The US on the other hand…
Same for in EU. When we first moved to Malta, I handed the bill and card to waiter. He immediately gave me back card and said he will bring machine to me. Safer that way.
In Malta, however, some merchants, mostly restaurants, have real scam going. They give you bill and receipt without VAT included. Extra profit for merchant and nothing to govt. The govt. Is fighting back. They often have revenue agents outside, and...
Same for in EU. When we first moved to Malta, I handed the bill and card to waiter. He immediately gave me back card and said he will bring machine to me. Safer that way.
In Malta, however, some merchants, mostly restaurants, have real scam going. They give you bill and receipt without VAT included. Extra profit for merchant and nothing to govt. The govt. Is fighting back. They often have revenue agents outside, and make show the bill. If bill has no VAT on it, you are automatically fined €200 for not telling waiter include it. And the merchant gets an on the spot audit.