Many forms of cyberthreat surge every year around the holidays, with the massive shopping rush exacerbating risk in both online and in-person purchases. The prevalence of large crowds, heavy retail traffic, and mobile payment options makes many individuals more inclined toward quick transactions and less vigilant about potential risks. An alert from the Better Business Bureau warns about contactless payment fraud and details how to identify and avoid tap-to-pay scams this holiday season.
What “Ghost Tapping” Actually Is
The term “ghost tapping” refers to an attack in which unauthorized charges are triggered through Near Field Communication (NFC) tap-to-pay transactions without the victim realizing it. Mobile wallets, including Apple Pay, Google Wallet, PayPal, and Venmo tap-to-pay, are vulnerable to cyberattacks due to the convenience and lack of security measures implemented to protect these transactions. This is not necessarily a flaw in NFC itself, but a layered combination of social engineering and proximity-based technology.
How NFC Payments Work—and What Criminals Exploit
NFC payments work through short-range radio communications between devices—such as your phone and a card reading machine. This technology is designed for the convenience of quick transactions, not security and vigilance. Legitimate NFC terminals require close physical proximity of the devices, which scammers artificially recreate in order to carry out their attacks.
The BBB warning outlines common attack scenarios exploiting NFC technology:
- Attackers bumping into their targets in crowded spaces to inconspicuously charge tap-enabled cards or mobile wallets.
- Fraudulent actors setting up fake vendor stands with tap payment options at pop-ups, festivals, and holiday markets.
- Charity scams asking for a small donation for a seemingly good cause and charging a significantly higher amount.
- Scammers taking advantage of social pressure and rushed checkout tactics to encourage targets to tap without scrutinizing details like the name of the business or transaction total.
Expert Commentary and Wider Industry Context
Industry experts have provided insight into these attacks and how consumers can protect against them. “Consumers can significantly reduce their risk by adopting a few simple habits,” says Shane Barney, Chief Information Security Officer at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. The recommended steps include prioritizing payment security, using biometrically authenticated mobile wallets and RFID-blocking physical wallets, and storing cards in internal pockets to reduce the chances of threat actors getting close enough to trigger transactions.
The rise in ghost tapping attacks is connected to a number of wider industry trends. It arises alongside the increasing popularity of QR-code fraud, contactless skimmers, fake POS devices, and payment manipulation attacks based on social engineering. The growth of advanced transaction technologies like contactless payment is outpacing consumer understanding of the associated risks, as many assume security by default in newly introduced functionalities.
Why Ghost Tapping Works on Human Behavior
Ghost tapping attacks are effective largely because they leverage human psychology to increase success and payouts. Running them during the holiday season takes advantage of the circumstances shoppers are in: individuals are often in large, dense crowds, distracted and stressed by the holidays, and in the habit of rushing transactions with tap-and-go payments.
These attacks show that schemes exploiting human behavior remain popular and do not require advanced hacking or other cyber skills. “Encryption isn’t broken,” says Krishna Vishnubhotla, Vice President, Product Strategy at Zimperium, a Dallas, Texas provider of mobile security solutions. “It relies on proximity, distraction, and automatic card response.” Scammers don’t need technical sophistication to carry out these attacks; they bank on speed and inattentiveness to get the charges through.
How Consumers Can Protect Themselves
Individuals can take a range of measures to protect themselves against these attacks. It is crucial to always confirm the name of the merchant and the purchase total before tapping to pay. It is also highly recommended to avoid tapping unknown and handheld devices and to decline taps while in motion. Requiring a passcode or biometrics where applicable, rather than using “express transit” modes, is another layer of protection, along with setting up transaction alerts for real-time notifications. A wallet with RFID-blocking capabilities can also add friction that helps protect against ghost tapping.
These steps are important for the prevention of ghost tapping attacks, but prevention is not the only available protection. If you do find yourself the victim of ghost tapping, there are also steps to take to remediate the incident. The BBB recommends immediately reporting the transaction to your bank or card issuer, freezing or cancelling the affected card, and reporting scams to the BBB’s own Scam Tracker.
The Bigger Picture: Security in an NFC-Driven Future
Regardless of the risks, contactless payment is here to stay and continues to be a widely adopted technological convenience. Ghost tapping is not an isolated threat, but a symptom of increasing consumer reliance on frictionless payment systems. It is important for individuals and organizations to take steps to secure NFC transactions. Convenience doesn’t have to mean blindly trusting transaction processes, especially in the busiest shopping season of the year.