In the ever-evolving landscape of cybercrime, fraudsters are now exploiting advanced mobile payment technologies to siphon off funds with unprecedented stealth and sophistication. What began as simple phishing schemes has matured into high-tech operations involving fake websites, real-time data transfer, and even the misuse of contactless payment platforms like Apple Pay and Google Wallet.
From Phishing to Mobile Wallet Fraud
Traditional payment card scams involved tricking users into submitting their card details via fake online stores or phishing portals. Cybercriminals would then clone these cards using magnetic stripes and make unauthorized purchases or ATM withdrawals. However, the rise of EMV chip cards and two-factor authentication significantly hindered such tactics.
To adapt, scammers have turned to mobile wallets. By creating fake websites that resemble well-known delivery services, bill payment portals, or shopping platforms, they deceive users into entering card information and one-time passwords (OTPs). This information is then instantly rerouted to the attackers, who link the stolen card to a digital wallet on a pre-configured smartphone.
Cybersecurity analysts warn that the key danger is how fast this process unfolds: in many cases, the entire card-linking operation is completed before the victim even suspects foul play.
Industrial-Scale Fraud Infrastructure
Fraud networks operate at scale, often deploying dozens of smartphones preloaded with payment apps. Sophisticated software can generate convincing replicas of real cards from the stolen data, ready for use in physical stores via contactless payments. These devices—loaded with phished card credentials—are frequently sold on the dark web, enabling further abuse by other cybercriminals.
Worryingly, many transactions require no additional authentication. With just a tap, scammers or their accomplices—referred to as “mules”—can spend thousands using a stolen digital identity.
Enter the ‘Ghost Tap’ Technique
A newer and more elusive tactic is the use of NFC relay attacks, also known as “Ghost Tap.” Criminals employ apps like NFCGate on paired smartphones to wirelessly transmit payment credentials over the internet. One phone holds the stolen card data, while the second acts as the payment device in stores.
Because most payment terminals cannot differentiate between legitimate and relayed NFC signals, the scam works undetected. And even if a mule is apprehended, their device contains no direct evidence, as the sensitive data resides on another phone—often thousands of miles away.
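Since the terminal cannot tell a relayed tap from a real one, the pattern described above (a card linked to a wallet on an unfamiliar device, then tapped in a store far from the cardholder shortly afterwards) can be looked for in the issuer's own event stream. The following is an added example, not part of the original article; the event fields, thresholds and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Assumed thresholds; tune against real issuer data.
FIRST_USE_WINDOW = timedelta(hours=2)  # tap this soon after linking is suspicious
MAX_SPEED_KMH = 900                    # roughly a commercial flight
MIN_DISTANCE_KM = 50                   # ignore movement within one metro area

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def flag_taps(events):
    """Return [(event_id, [reasons])] for in-store taps that fit the fraud pattern."""
    provisioned = {}  # token -> (link time, device already known for this card?)
    trusted = {}      # card -> (time, location) of last unflagged in-store tap
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "token_provisioned":
            provisioned[ev["token"]] = (ev["ts"], ev["device_known"])
            continue
        reasons = []
        link = provisioned.get(ev["token"])  # None for a physical-card tap
        if link and not link[1] and ev["ts"] - link[0] <= FIRST_USE_WINDOW:
            reasons.append("wallet on unknown device used soon after linking")
        prev = trusted.get(ev["card"])
        if prev:
            hours = (ev["ts"] - prev[0]).total_seconds() / 3600
            dist = km_between(prev[1], ev["loc"])
            if dist > MIN_DISTANCE_KM and dist > MAX_SPEED_KMH * hours:
                reasons.append("impossible travel since last trusted tap")
        if reasons:
            alerts.append((ev["id"], reasons))
        else:
            trusted[ev["card"]] = (ev["ts"], ev["loc"])
    return alerts

# Constructed sample events (not real data).
T0 = datetime(2025, 1, 10, 9, 0)
SAMPLE_EVENTS = [
    {"id": "e1", "type": "tap", "card": "C1", "token": None, "ts": T0, "loc": (28.61, 77.21)},
    {"id": "e2", "type": "token_provisioned", "card": "C1", "token": "T9",
     "ts": T0 + timedelta(minutes=60), "device_known": False},
    {"id": "e3", "type": "tap", "card": "C1", "token": "T9",
     "ts": T0 + timedelta(minutes=90), "loc": (1.35, 103.82)},
    {"id": "e4", "type": "tap", "card": "C1", "token": None, "ts": T0 + timedelta(hours=3), "loc": (28.62, 77.22)},
]
```

Running `flag_taps(SAMPLE_EVENTS)` flags only `e3`, the wallet tap, for both reasons; the later physical-card tap near the original location stays clean because flagged taps never update the trusted location.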
The Rise of Card Duplication via Fake Apps
In a recent twist, scammers have taken advantage of app distribution issues in regions like Russia. Posing as government or banking apps, they convince users to install rogue applications outside official app stores. These apps then ask users to “verify” their cards by tapping them on the phone and entering their PIN. In reality, they’re handing over full access to their accounts.
Some variants even instruct victims to deposit money into a so-called “safe account” using their phones, while attackers relay their own card data to the ATM. The result? The victim unknowingly deposits money directly into a fraudster’s wallet.
What Can Be Done?
While the onus is partly on payment providers and tech giants to enhance security protocols, users can take several proactive steps to protect themselves:
- Use virtual cards for online shopping and avoid storing large balances on them.
- Change virtual cards annually and disable cash withdrawal or offline payment features where possible.
- Keep physical and mobile cards separate—use different cards for in-store and online payments.
- Avoid unknown apps asking you to scan your card or input PINs—especially if installed from unofficial sources.
- Stick to plastic at ATMs to avoid NFC skimming.
- Install reputable cybersecurity solutions on all devices.
- Enable instant transaction alerts and act immediately if anything looks suspicious.