Who This Guide Is For
This guide is written for you – anyone who owns a debit or credit card. You use your card to pay for groceries, book flights, shop online, and withdraw cash. You are not a cybersecurity expert. You have probably never heard of Tally.so, and you definitely do not know that criminals can use it to build forms that steal your card details in seconds.
You are busy. When a message arrives claiming that your account needs “authentication” or that your “card has been locked”, your first instinct is to fix the problem quickly. You do not stop to ask whether the form is legitimate. You upload the photo of your card. You submit your verification data. You click “Authenticate”. And then you wait for a confirmation that never comes.
The screenshot you see on this page is part of an active, highly dangerous bank phishing operation. The attackers used a legitimate online form builder – Tally.so – to create a form called “BroadCard”. Tally is a trusted platform used by businesses and individuals to create surveys, registration forms, and payment pages. Because the domain tally.so
Analysis Memo: This malicious interface was intercepted, verified, and locked down firsthand by the
Antiphishing.bizsecurity team during our daily link moderation procedures. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.
The form asks for three things: a photo of the front of your card, a photo of the back of your card, and your secret authorization characters. That is everything a criminal needs to clone your card, use it at an ATM, add it to Apple Pay or Google Pay, or sell the complete card data on the dark web. The button is labelled “Authenticate” – a technical‑sounding word designed to make you think you are performing a legitimate security check. You are not. You are handing over the keys to your bank account.
This guide will explain exactly how this form‑based card skimming works, share real stories of people who lost thousands to similar schemes, and give you the simple, unforgettable rules that will keep your card safe.
The Anatomy of the Attack: How a Simple Online Form Becomes a Card Cloning Factory
The attack documented in the screenshot is brutally simple. It does not require hacking a bank or breaking through firewalls. It only requires you to trust a link and upload a photo.
Step One: The Lure – A Message That Creates Panic or Opportunity
The first contact can take many forms. A text message: “Your card has been temporarily locked due to unusual activity. Verify your identity within 24 hours.” An email: “We need to update your card security settings. Click here to complete authentication.” A social media direct message: “Congratulations! You have been selected for a cashback reward. Please verify your card information.”
The message contains a link. The link goes to a Tally.so form. Because Tally is a legitimate platform, the link does not trigger any security warnings. You open the form. It looks professional. It might have a bank logo (copied from the real bank’s website). It might use official‑sounding language.
Step Two: The Form That Asks for Everything Your Bank Told You Never to Share
The form in the screenshot is stark and direct. It asks for:
- A photo of the front of your card (showing the card number, expiry date, and your name)
- A photo of the back of your card (showing the CVV security code and, often, your signature)
- Your Four-digit numeric string
This is the complete set of data needed to clone a physical card. With a photo of the front, the attacker can read the card number, expiry date, and cardholder name. With a photo of the back, the attacker obtains the CVV – the three‑digit code used for online transactions. With the secret authorization characters, the attacker can withdraw cash from any ATM that accepts your card type.
Some forms also ask for your billing address, phone number, and date of birth. The Tally form in the screenshot does not include those fields, but the criminals may ask for them in a second step. Every additional piece of information makes identity theft easier.
Step Three: The Extraction – What Happens After You Click “Authenticate”
When you click the “Authenticate” button, the data you entered – including the image files you uploaded – is sent directly to the Tally account of the person who created the form. That person is the criminal. They now have high‑resolution photos of both sides of your card, plus your security credentials.
From there, the criminals can:
- Use a magnetic stripe encoder to write your card data onto a blank white card (a process called “cloning”).
- Add your card details to a digital wallet like Apple Pay, Google Pay, or Samsung Pay, using the card number and CVV, and then tap to pay in any store.
- Sell your complete card information – including your security credentials – on dark web marketplaces to other criminals.
- Attempt to withdraw cash immediately from an ATM using the cloned card and the code you provided.
In many cases, the criminals do not act immediately. They wait days or weeks, then use your card for a single large transaction or a series of small ATM withdrawals that fly under the bank’s fraud detection radar. By the time you notice the missing money, the trail is cold.
Real Stories of Loss and Narrow Escape
The Australian Woman Who Lost €3,000 After Uploading Her Card to a “Verification” Form
A woman in Sydney received an SMS that appeared to come from her bank. The message claimed that her card had been used for a suspicious transaction and that she needed to “verify her identity” by clicking a link. The link led to a form that looked almost identical to the one in the screenshot. She uploaded photos of her card and hand over her security credentials.
Two days later, she checked her account and found multiple withdrawals totalling €3,000 from an ATM in a different state. Her bank initially refused to refund the money, stating that the transactions had been authorised with the correct code. She spent six months fighting the case, providing evidence that she had never visited that ATM. The bank eventually refunded 50% of the amount as a “goodwill gesture”. The rest was gone.
The British Pensioner Who Lost £1,800 to a “Council Tax Refund” Form
A 72‑year‑old pensioner in Manchester received an email claiming to be from her local council. The email stated that she was eligible for a council tax refund of £450 and that she needed to “verify her bank card” to receive the payment. The link led to a Tally form that asked for her card number, expiry date, and security credentials. She filled it in.
Within hours, her account was drained of £1,800. Her daughter told a local newspaper: “My mother is not stupid. She has used online banking for years. But the email looked so official, and the form was so simple, that she never doubted it. She did not know that a form could be a trap.”
The German Freelancer Who Caught the Scam Before Submitting
A freelance graphic designer in Berlin received a message on WhatsApp from an unknown number. The message claimed to be from “BroadCard Support” and said that his “card had been flagged for suspicious activity”. The message included a link to a Tally form. The form asked for photos of his card and his security credentials.
The designer did not click immediately. He first opened his banking app on his phone – not through the link – and checked his recent transactions. There were no suspicious activities. He then called the official customer service number printed on the back of his card. The bank confirmed that no such verification was required. He reported the WhatsApp number and the Tally link to the bank’s fraud department.
His simple habit – checking through official channels before uploading anything – saved his entire savings.
The Young Professional Who Saved Her Account by Asking “Why Would a Bank Need My Security Credentials?”
A young professional in the United States received a text message from a number she did not recognise. The text warned that her debit card had been deactivated and that she needed to “reactivate” it by completing a form. The link led to a Tally form that asked for her card number, expiration date, and security credentials. She started filling it out but stopped at the four‑digit field. She asked herself: “Why would a bank need my code? They never ask for it.”
She closed the form, called her bank using the number on her card, and was told that no deactivation had occurred. Her refusal to enter her code – and her decision to verify independently – kept her account safe.
Expert Advice: Three Rules to Keep Your Card Safe from Form‑Based Skimming
The following rules are not optional. They are the difference between staying safe and becoming another statistic.
Rule One: Never, Ever Upload a Photo of Your Card to an Online Form
No legitimate bank, government agency, or company will ever ask you to upload a photo of your credit or debit card for “verification”, “authentication”, or “security purposes”. If a form asks for a photo of the front and back of your card, you are looking at a scam. Close the browser tab immediately.
Legitimate services that need your card details – for a purchase, a subscription, or a refund – will ask you to type the card number, expiry date, and CVV into a secure payment gateway, not to upload a photograph. And they will never, ever ask for your Four-digit security key.
Rule Two: Your Four‑Digit Code Is for Your Eyes and the ATM Only. Never Type It Anywhere Else.
Your secret authorization characters is the master key to your cash. It is designed to be entered only into a physical ATM keypad or a secure point‑of‑sale terminal. No online form, no customer service agent, no email, and no text message will ever ask for your four-digit numeric password. If anyone asks for it, they are a criminal.
Memorise this sentence: “The only place I will ever submit my secret authorization codes is into an ATM or a shop’s card machine.” Repeat it until it becomes automatic.
Rule Three: If a Message Contains a Link to a Form, Do Not Click. Go Directly to the Official Source.
If you receive a message claiming that your card has been locked, deactivated, or flagged for suspicious activity, do not click any links. Instead, open a new browser tab. Type your bank’s official website address manually. Log into your account. If there is a real problem with your card, you will see a notification inside your account dashboard. If you see nothing, the message was a scam. Delete it and move on.
This one habit – typing the official address yourself – would have prevented every victim story in this article.
What to Do If You Have Already Fallen for This Scam
If you realise that you have uploaded photos of your card, hand over your security credentials, or provided any sensitive information on a suspicious form, do not panic. But do not wait, either. Time is the enemy. Act immediately.
First, contact your bank or card issuer immediately using the phone number on the back of your physical card. Do not use any number from the suspicious message. Tell them that your card details and your security credentials may have been compromised. Ask them to block the card and issue a new one. If any fraudulent charges have already appeared, report them immediately and request a chargeback.
Second, review your recent transactions carefully. Look for small test charges – often $0.00 or $1.00 – as well as larger withdrawals. Criminals sometimes test a stolen card with a tiny transaction before making a big ATM withdrawal.
Third, change your online banking password. If you used the same email address and password combination on any other websites, change those passwords immediately.
Fourth, file a police report. Many victims delay reporting because they feel embarrassed or ashamed. Do not let that stop you. These criminal networks defraud thousands of people every year. There is nothing shameful about being targeted by a sophisticated attack. The shame belongs to the criminals.
Fifth, report the Tally form to Tally.so. The platform has a reporting mechanism for abusive content. Your report could help remove the form and protect other users.
A Final Word
The Tally.so “BroadCard” form is a perfect example of how criminals deceptive tactic trusted platforms to steal your most sensitive financial data. They do not need to compromise a bank. They do not need to break into a database. They only need you to trust a link and upload a photo.
But the scam has a fatal weakness: it relies entirely on you not knowing the basic rules of card security. You now know those rules. No legitimate organisation will ever ask for a photo of your card. No legitimate organisation will ever ask for your four-digit passkey. And if a message contains a link to a form, you will not click it – you will go directly to the official source.
Share this guide with everyone you know who uses a bank card. The more people understand this simple form‑based skimming technique, the harder it becomes for criminals to profit.
This fraudulent Tally form was identified and reported by the Antiphishing.biz security team. The malicious form has been fully defanged within their infrastructure to protect the public. If you found this guide helpful, share it widely.