Payment card security is constantly improving, but attackers keep finding new ways to steal money. In days gone by, having tricked the victim into handing over card credentials on a fake online store or through another scam, cybercriminals would make a physical duplicate card by writing the stolen data onto a magnetic stripe. Such cards could then be used in stores and even at ATMs without a hitch. The advent of chip cards and one-time passwords (OTPs) made life much harder for scammers, but they adapted. The shift to mobile payments using smartphones increased resilience against some types of scams — but also opened up new avenues for fraud. Now, having phished a card number, they try to link it to their own Apple Pay or Google Wallet account. That done, they use this account from a smartphone to pay for goods using the victim’s card — either in a regular store or at a fake outlet with an NFC-enabled payment terminal.
How card credentials are phished
Such cyberattacks entail preparation on an industrial scale. Attackers create networks of fake websites designed to phish for payment data. These might imitate delivery services, large online stores, and even portals for paying utility bills or traffic fines. The cybercriminals also buy up dozens of smartphones, create Apple or Google accounts on them, and install contactless payment apps.
Next comes the juicy bit. When a victim lands on a bait site, they’re asked to link their card or make a mandatory small payment. This requires entering their card details and confirming ownership of the card by entering an OTP. In fact, the card is not charged at this point.
What actually happens? The victim’s data is almost instantly transferred to the cybercriminals, who attempt to link the card to a mobile wallet on their smartphone. The OTP code is needed to authorize this operation. To speed up and simplify the process, the attackers use special software that takes the data supplied by the victim and generates an image of the card that replicates it perfectly. After that, it’s enough just to take a photo of this image from within Apple Pay or Google Wallet. The exact process of linking a card to a mobile wallet depends on the specific country and bank, but usually, no data is required other than the number, expiration date, cardholder name, CVV/CVC, and OTP. All this can be phished in a single session and put to use immediately.
To make attacks even more effective, cybercriminals employ additional tricks. First, if the victim comes to their senses before tapping the Submit button, any data already entered into the forms is still passed to the criminals — even if it’s just a few characters or an incomplete entry. Second, the fake site may report that the payment failed and prompt the victim to try a different card. This way, the criminals might phish details for two or three cards in one go.
The cards aren’t charged right away, and many people, seeing nothing suspicious on their bank statement, forget all about the incident.
How money is stolen from cards
Cybercriminals might link dozens of cards to one smartphone without immediately trying to spend money from them. This smartphone, stuffed with card numbers, is then resold on the dark web. Often, weeks or even months go by between the phishing and the spending. But when that unpleasant day eventually comes, the criminals might decide to splash out on luxury items in a physical store simply by making a contactless payment from a phone full of phished card numbers. Alternatively, they might set up their own fake store on a legitimate e-commerce platform and charge money for non-existent goods. Some countries even allow ATM withdrawals using an NFC-enabled smartphone. In all of the above cases, no confirmation of the transaction via PIN or OTP is required, so money can be siphoned off until the victim blocks the card.
To speed up transferring mobile wallets to clandestine buyers, as well as to reduce the risk for those making payments in stores, attackers have begun to use an NFC relay technique dubbed Ghost Tap. They start by installing a legitimate app such as NFCGate on two smartphones — one with the mobile wallet and stolen cards, the other used directly for payments. This app transmits, in real time over the internet, the NFC data of the wallet from the first phone to the NFC antenna of the second, which the cybercriminals’ accomplice (known as a “mule”) taps on the payment terminal.
Most terminals in offline stores and many ATMs are unable to tell the relayed signal from an original one, allowing the mule to easily pay for goods (or gift cards, which make it easier to launder the stolen funds). And if the mule is detained in the store, there is nothing incriminating on the smartphone, only the legitimate NFCGate app. No stolen card numbers are there, for these are tucked away on the smartphone of the mastermind behind the operation, who can be anywhere, even in another country. This method allows scammers to quickly and safely cash out large sums because there can be multiple mules paying almost simultaneously with the same stolen card.
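An issuer-side check for the pattern described above, where mules in different places tap the same stolen card almost simultaneously. This is an added example, not code from the original article; the record layout, token names, terminal IDs and thresholds are assumptions, and the transactions are constructed sample data.

```python
import math
from collections import defaultdict

# Constructed sample records (hypothetical layout):
# (card_token, unix_time, terminal_lat, terminal_lon, terminal_id)
TXNS = [
    ("tok_A", 1_700_000_000, 52.5200, 13.4050, "berlin-01"),
    ("tok_A", 1_700_000_240, 48.8566, 2.3522, "paris-07"),    # 4 minutes later
    ("tok_A", 1_700_000_300, 52.5206, 13.4094, "berlin-02"),  # 1 minute later
    ("tok_B", 1_700_000_000, 40.7128, -74.0060, "nyc-03"),
    ("tok_B", 1_700_050_000, 42.3601, -71.0589, "boston-11"), # ~14 hours later
]

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed
MIN_KM = 5.0     # assumed floor: ignore terminal geolocation noise


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(txns, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Flag consecutive card-present taps on one card that imply an
    implausible travel speed between the two terminals."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t[0]].append(t)
    alerts = []
    for card, rows in by_card.items():
        rows.sort(key=lambda r: r[1])  # order each card's taps by time
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            hours = max(cur[1] - prev[1], 1) / 3600.0  # avoid division by zero
            if km >= min_km and km / hours > max_kmh:
                alerts.append((card, prev[4], cur[4], round(km)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(TXNS):
        print("impossible travel:", alert)
```

The check only sees where the terminals are, so it catches simultaneous taps by distant mules but not a single mule whose taps are all close to one another.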
How to lose money by tapping your card on your phone
In late 2024, fraudsters came up with another NFC relay scheme and successfully tested it on users from Russia, and there’s nothing to stop the operation from being scaled up worldwide. In this scheme, victims aren’t even asked for their card credentials. Instead, the attackers socially engineer them into installing a supposedly handy app on their smartphone under the guise of a government, banking, or other service. Since many such banking and government apps in Russia were removed from official stores due to sanctions, unsuspecting users readily agree to install them. The victim is then prompted to hold their card to their smartphone and enter their PIN for “authorization” or “verification” purposes.
As you might have guessed, the installed app has nothing in common with its description. In the first wave of such attacks, what victims received was the same NFC relay, repackaged as a “handy app”. It read the card when held to the smartphone, and transmitted its data along with the PIN to the attackers, who used it to make purchases or withdraw cash from NFC-enabled ATMs. Anti-fraud systems of major Russian banks quickly learned to identify such payments due to mismatches in the victim’s and the payer’s geolocation, so in 2025 the scheme — but not the essence — changed.
Now, the victim receives an app for creating a duplicate card, and the relay is installed on the attackers’ side. Next, under the bogus pretext of the risk of theft, the victim is persuaded to deposit money into a “safe account” through an ATM, using their smartphone to authorize the payment. When the victim holds their phone to the ATM, the scammer relays their own card details to it, and the money ends up in their account. Such operations are hard to track for automatic anti-fraud systems since the transaction looks perfectly legitimate — someone walked up to an ATM and deposited cash onto a card. The anti-fraud system doesn’t know that the card belonged to someone else.
How to protect your cards from scammers
First of all, Google and Apple themselves, together with payment systems, should implement additional protective measures in the payment infrastructure. However, users can also take steps to protect themselves:
- Use virtual cards for online payments. Don’t keep large amounts of money on them, and only top up just before making an online purchase. If your card issuer allows it, disable offline payments and cash withdrawals from such cards.
- Get a new virtual card and block your old one at least once a year.
- For offline payments, link a different card to Apple Pay, Google Wallet, or a similar service. Never use this card online, and if possible, use a mobile wallet on your smartphone when paying in stores.
- Be very wary of apps asking you to hold your payment card to your smartphone, never mind enter your PIN. If it’s a long-trusted banking app, then okay; but if it’s something dodgy you only just installed from an obscure link outside an official app store, then steer clear.
- Use plastic cards at ATMs, not an NFC-enabled smartphone.
- Install a comprehensive security solution on all computers and smartphones to minimize the risk of landing on phishing sites and installing malicious apps.
- Enable the Safe Money component, available in all our security solutions, to protect financial transactions and online purchases.
- Activate the fastest possible transaction notifications (text and push) for all payment cards, and contact your bank or issuer immediately if you notice anything suspicious.