Security | June 6, 2026 | 9 min read

How to Protect Yourself From Ghost Tapping and NFC Payment Fraud

By Sarah Chen

Head of Privacy Research

Tap-to-pay has become the default checkout method for millions of Americans. But a surge in NFC (Near Field Communication) fraud, particularly a technique called "ghost tapping", is turning this convenience against consumers. NFC attacks reported by security researchers increased more than 35-fold in the first half of 2025 compared to the previous period. Here's how these scams work and how to protect yourself.

What Is Ghost Tapping?

Ghost tapping is a type of fraud where unauthorized transactions are triggered through NFC tap-to-pay technology without the victim's knowledge. The term covers several related attack methods, all exploiting the wireless communication between your payment card or phone and a payment terminal.

The Better Business Bureau issued an alert in 2025 identifying ghost tapping as an increasingly common fraud method targeting unsuspecting shoppers.

How Ghost Tapping Attacks Work

Physical Proximity Attacks

In the simplest form, attackers use handheld NFC readers to initiate small transactions by getting close to your contactless card or phone. Common scenarios include:

  • Crowded spaces: An attacker bumps into you on a train, at a concert, or in a busy store, positioning a hidden reader near your wallet or pocket
  • Fake vendor stands: Fraudulent pop-up booths at festivals or markets with tap payment devices that charge higher amounts than displayed
  • Charity scams: People soliciting "donations" with a payment terminal while actually charging larger amounts
  • Rushed checkout pressure: Creating urgency so you don't notice the charged amount

Malware-Based NFC Relay Attacks

More sophisticated attacks use malware to remotely exploit NFC capabilities on your phone. Here's how the relay attack works:

  1. A victim's phone is infected with NFC-capturing malware, often through a phishing link or fake app
  2. The malware captures NFC payment data from the victim's phone
  3. The captured data is relayed in real time to an accomplice who uses it at a physical point-of-sale terminal, potentially thousands of miles away
  4. The transaction appears as a legitimate tap-to-pay purchase

The Scale of NFC Malware Operations

Security researchers at Resecurity found that NFC fraud groups sell access to specialized tap-to-pay malware through subscription services. One operation alone, called TX-NFC, reportedly amassed more than 21,000 subscribers. A single financial institution reported over $355,000 in illegitimate NFC transactions during a nine-month period in 2024-2025.

How to Protect Yourself

1. Use Your Phone Instead of a Physical Card

Mobile wallets like Apple Pay and Google Pay are significantly more secure than physical contactless cards because:

  • They require biometric authentication (fingerprint or face scan) before each transaction
  • They use device-specific tokenized card numbers rather than your real card number
  • Your phone's NFC payment function is only active during the authentication process, whereas a physical contactless card responds to any reader that comes within range

2. Disable NFC When Not in Use

If you're not actively making a payment, disable NFC on your phone:

  • Android: Go to Settings → Connected devices → Connection preferences → NFC and toggle it off
  • iPhone: Apple Pay NFC is only active when invoked via double-click of the side button or when held near a terminal with the wallet app open, so it's already limited. For extra caution, you can remove cards from the Wallet app when traveling

3. Use an RFID-Blocking Wallet

For physical contactless cards, an RFID-blocking wallet or card sleeve prevents unauthorized readers from communicating with your cards. These are inexpensive and widely available.

4. Set Up Transaction Notifications

Enable real-time transaction alerts through your bank's mobile app. This way you'll know immediately if any unexpected charges appear:

  • Set alerts for all transactions, not just those above a threshold
  • Pay attention to small charges ($1-5) — criminals often run test transactions before larger fraud
  • Report unauthorized charges to your bank immediately
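As an added illustration (not part of the original article or any bank's system), the script below reviews a statement for two patterns this article describes: a small contactless "test" charge followed shortly by a much larger one, and a tap that lands too far from the previous purchase to be physically possible, as a relayed tap would. The sample rows, the coordinates, the thresholds and the function names are all assumptions made for the example.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample statement rows (not real data):
# (ISO timestamp, merchant, amount in USD, entry mode, latitude, longitude)
TXNS = [
    ("2025-03-01T08:15:00", "Coffee Cart", 4.50, "contactless", 40.7128, -74.0060),
    ("2025-03-01T12:40:00", "Grocery Mart", 62.10, "chip", 40.7306, -73.9866),
    ("2025-03-01T13:05:00", "KIOSK 4471", 1.00, "contactless", 25.7617, -80.1918),
    ("2025-03-01T13:20:00", "ELECTRONICS HUB", 899.00, "contactless", 25.7617, -80.1918),
    ("2025-03-02T09:00:00", "Transit", 2.90, "contactless", 40.7128, -74.0060),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def review(txns, test_max=5.00, ratio=10, window_min=60, max_kmh=900):
    """Return sorted (merchant, reason) pairs for charges worth a closer look."""
    rows = sorted(txns, key=lambda t: t[0])
    flags = set()
    for i, (ts, merchant, amount, mode, lat, lon) in enumerate(rows):
        when = datetime.fromisoformat(ts)
        # Rule 1: purchase too far from the previous one for the elapsed time
        # (a relayed tap is charged wherever the accomplice is standing).
        if i > 0:
            prev = rows[i - 1]
            hours = (when - datetime.fromisoformat(prev[0])).total_seconds() / 3600
            km = haversine_km(prev[4], prev[5], lat, lon)
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                flags.add((merchant, "impossible-travel"))
        # Rule 2: small contactless charge followed soon by a much larger one.
        if mode == "contactless" and amount <= test_max:
            for later in rows[i + 1:]:
                gap = (datetime.fromisoformat(later[0]) - when).total_seconds() / 60
                if gap > window_min:
                    break
                if later[3] == "contactless" and later[2] >= ratio * amount:
                    flags.add((merchant, "test-charge"))
                    break
    return sorted(flags)

if __name__ == "__main__":
    for merchant, reason in review(TXNS):
        print(f"{merchant}: {reason}")
```

On the constructed statement only the $1.00 kiosk charge is flagged, for both reasons; the ordinary small purchases (coffee, transit) are not.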

5. Protect Your Phone From NFC Malware

  • Never click links in unexpected text messages or emails claiming to be from your bank or payment provider
  • Only install apps from official app stores (Google Play Store, Apple App Store)
  • Keep your phone's OS updated to patch NFC-related security vulnerabilities
  • Don't download apps that request NFC permissions without a clear legitimate reason
  • Be wary of QR codes that direct you to download apps or visit unfamiliar websites

6. Set Low Contactless Payment Limits

Many banks allow you to set a maximum amount for contactless transactions. Check your bank's app or website for this setting. Transactions above the limit will require a PIN or chip insertion, adding a layer of protection against unauthorized tap-to-pay fraud.

7. Be Vigilant in High-Risk Situations

  • Crowded events: Keep your wallet in a front pocket or inside a bag with RFID shielding
  • Pop-up vendors: Verify the payment amount on the terminal screen before tapping
  • Charity solicitations: Ask for a receipt and verify the organization before tapping to donate
  • Foreign travel: NFC fraud is particularly prevalent in certain tourist areas. Consider using cash or chip-and-PIN instead of tap-to-pay

What to Do If You're a Victim

If you notice unauthorized contactless transactions:

  1. Contact your bank immediately to report the fraud and freeze or cancel the affected card
  2. File a dispute for all unauthorized transactions
  3. Request a new card with a different number
  4. File a report with local police and the FTC at reportfraud.ftc.gov
  5. Report to the BBB at bbb.org/scamtracker
  6. Check for malware on your phone by running a security scan and reviewing recently installed apps

The Connection Between NFC Fraud and Data Brokers

NFC fraud often works in tandem with personal information found on data broker sites. When criminals have your name, address, and phone number from people-search sites, it's easier to:

  • Target you with convincing phishing messages to install NFC malware
  • Impersonate your bank when calling about "suspicious" NFC transactions
  • Use your personal details to bypass security questions when exploiting stolen card data

PrivacyOn reduces these risks by automatically removing your personal information from more than 100 data broker sites, making it harder for criminals to target you with personalized scams. Combined with dark web monitoring that alerts you when your financial data appears in breach databases, PrivacyOn provides comprehensive protection that goes beyond just securing your tap-to-pay transactions.

  • Automated removal from 100+ data brokers
  • Dark web monitoring for compromised financial data
  • 24/7 monitoring with automatic re-submissions
  • Family plans for up to 5 people starting at $8.33/month

Stay Vigilant

Tap-to-pay is convenient and, when used properly, can be more secure than traditional card payments. The key is awareness: use mobile wallets over physical cards, disable NFC when not needed, enable transaction alerts, and protect your phone from malware. As NFC fraud continues to evolve, staying informed about the latest techniques is your best defense.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
