Could the same technology that makes tap-to-pay so convenient also be working against you? That’s the question behind ghost tapping, an emerging contactless payment scam worth understanding.
Executives and financial decision-makers constantly balance operational efficiency against risk. As organizations modernize their expense processes, adding corporate credit cards to digital wallets has become standard practice. That convenience also introduces new fraud exposure into daily operations: the same contactless interface that makes a payment fast for an employee can be used by a criminal to make a payment the employee never intended.
According to a 2025 alert published by the Better Business Bureau (BBB), a nonprofit that tracks advertising practices and consumer complaints about businesses across North America, the “ghost tapping” scam has emerged as an increasingly common way for criminals to steal from unsuspecting cardholders. Whether your employees load personal credit cards or corporate purchasing cards onto their mobile devices, security awareness matters. Leaders should understand this threat and give their teams the knowledge needed to reduce the likelihood of a successful attack.
What is Ghost Tapping?
Ghost tapping is a form of contactless payment fraud aimed at tap-to-pay cards and mobile wallets. To understand the risk, it helps to look at the underlying technology. Tap-to-pay relies on Near Field Communication (NFC), a short-range radio protocol (13.56 MHz) over which a card or phone exchanges payment data with a terminal. The card or wallet returns the card number, expiry and a one-time cryptogram for that specific transaction; the cryptogram cannot be replayed, but the exchange itself can only be initiated by a reader that is very close, roughly four centimeters or less (about the length of a paperclip).
Unlike traditional skimming, which requires a victim to insert or swipe a card in a compromised terminal, ghost tapping exploits the wireless exchange. Criminals use concealed, unauthorized payment terminals or modified readers to initiate a transaction with a tap-enabled card or phone without any physical contact. A physical contactless card is the easier target: it answers any reader that powers it, so a portable terminal held against a pocket or bag can charge it. Mobile wallets are harder, because Apple Pay and Google Wallet will not complete a payment until the phone is unlocked or the user authenticates with a biometric or passcode (express transit settings are the main exception). Either way, crowded public spaces become higher-risk environments for anyone carrying an unshielded contactless card or a wallet configured to pay without authentication.
Common Scenarios Where Ghost Tapping Occurs
Ghost tapping scams can play out in one of two ways:
- You knowingly tap your device on a fraudulent payment terminal, or
- A scammer in close proximity to you uses a concealed reader to charge your contactless card, or read its number and expiry date, without your knowledge.
Criminals execute tap-to-pay scams in environments where people are distracted, hurried, or surrounded by large crowds. For business leaders, frequent travel and industry engagements are the primary exposure points. At business dinners, conferences, or busy airports, your attention is naturally divided, and fraudsters capitalize on that. A criminal standing in your personal space in a crowded area can use a concealed reader to charge a contactless card in your pocket or bag without touching you or your belongings. The funds still have to land in a merchant account with a payment processor, which is why such accounts tend to be short-lived and why disputes should be filed promptly while the transaction can still be traced.
Fraudulent vendors present another substantial risk. You could unsuspectingly tap to pay at a vendor that appears legitimate but is entirely fraudulent. This frequently occurs at concerts, trade shows, or other large public events where fraudsters set up fake vendor booths and request tap payments for goods or services that never materialize, or for an amount other than the one quoted.
Charity scams follow the same pattern. A fraudster may approach you appearing to represent a legitimate, recognizable charity and request a small, immediate tap-to-pay donation. By the time the transaction registers, the individual has the funds and has moved on.
Regardless of the situation, the core defense is patience. Don’t rush the payment. Always check the amount displayed on the terminal before authorizing any contactless payment, and, when paying from a phone, read the notification your wallet posts immediately after the tap; it shows the merchant name and the amount actually charged.
How to Identify Red Flags of Contactless Payment Fraud
Whether you are traveling for corporate engagements or navigating public spaces, recognizing the warning signs of a ghost tapping scam is a vital layer of defense. Scammers build their strategy around human behavior: specifically, they count on victims not checking their statements until the end of the month, if at all, during routine expense reconciliation.
To counter this delayed detection, establish proactive financial monitoring. Enable real-time transaction alerts on corporate accounts and personal cards alike, so that an unexpected charge is seen within minutes rather than weeks. Pay particular attention after a business trip or after time spent in crowded environments such as festivals, transit hubs, or open markets, and treat a small, unfamiliar charge as seriously as a large one; a scammer testing a card often starts small.
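The monitoring described above can also be automated on the finance side. The following is an added example (not code from the original article or from Schneider Downs) that runs a few ghost-tapping heuristics over a card transaction feed: a contactless charge at a merchant the cardholder has never used, the same merchant and amount charged twice within minutes (a double tap), and several contactless charges at different merchants within a short window (the crowded-venue scenario). The CSV format, the merchant allow list and the transactions themselves are all constructed for the example; a real bank or card-program export will have different column names, but the logic is the same.

```python
"""Flag contactless card charges that fit the ghost-tapping pattern.

Added example. The feed format below is hypothetical (constructed CSV with
timestamp, card last-4, merchant descriptor, amount, entry mode), not a real
bank export, and the "known merchants" list would normally be built from the
cardholder's past statements.
"""
import csv
from datetime import datetime, timedelta
from decimal import Decimal
from io import StringIO

# Constructed sample feed for one corporate card during a one-day trip.
SAMPLE_FEED = """\
timestamp,card,merchant,amount,entry_mode
2025-06-03T08:12:00,4421,HILTON CHICAGO,312.40,chip
2025-06-03T12:47:10,4421,STARBUCKS #2281,6.85,contactless
2025-06-03T12:49:55,4421,QUICKPAY SVCS LLC,49.99,contactless
2025-06-03T12:51:02,4421,QUICKPAY SVCS LLC,49.99,contactless
2025-06-03T19:30:00,4421,GIBSONS STEAKHOUSE,187.20,chip
2025-06-04T09:05:00,4421,UNITED AIRLINES,38.00,contactless
"""

# Hypothetical allow list: merchants this cardholder has used before.
KNOWN_MERCHANTS = {
    "HILTON CHICAGO",
    "STARBUCKS #2281",
    "GIBSONS STEAKHOUSE",
    "UNITED AIRLINES",
}


def parse_feed(text):
    """Parse the CSV feed into dicts with typed fields (Decimal for money)."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(rec["timestamp"]),
            "card": rec["card"],
            "merchant": rec["merchant"].strip().upper(),
            "amount": Decimal(rec["amount"]),
            "entry_mode": rec["entry_mode"].strip().lower(),
        })
    return rows


def flag_ghost_taps(rows, known_merchants, window=timedelta(minutes=10)):
    """Return a list of (row, sorted reasons) for suspicious contactless charges.

    Only contactless (tap) entries are considered, since chip/swipe charges
    cannot be produced by a reader held near a pocket. Rows are assumed to
    be in chronological order and to belong to a single card.
    """
    flagged = []
    contactless = [r for r in rows if r["entry_mode"] == "contactless"]
    for i, row in enumerate(contactless):
        reasons = set()
        if row["merchant"] not in known_merchants:
            reasons.add("unknown merchant")
        for prior in contactless[:i]:
            if row["ts"] - prior["ts"] > window:
                continue  # outside the burst window, ignore
            if prior["merchant"] == row["merchant"] and prior["amount"] == row["amount"]:
                reasons.add("duplicate charge within window")
            else:
                reasons.add("another contactless charge within window")
        if reasons:
            flagged.append((row, sorted(reasons)))
    return flagged


def report(text=SAMPLE_FEED, known=KNOWN_MERCHANTS):
    """Convenience wrapper: parse the feed and return the flagged charges."""
    return flag_ghost_taps(parse_feed(text), known)


if __name__ == "__main__":
    for row, reasons in report():
        print(f"{row['ts']:%Y-%m-%d %H:%M} card {row['card']} "
              f"{row['merchant']:<20} {row['amount']:>8} : {', '.join(reasons)}")
```

On the sample feed the two QUICKPAY SVCS LLC charges are flagged (unknown merchant, both within minutes of a legitimate coffee purchase, and the second a duplicate of the first), while the Starbucks and airline taps pass. Tuning the window and the allow list to the card program is the real work; the heuristics themselves are deliberately simple so that a finance analyst can read them.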
During an active transaction, one of the clearest red flags is a vendor who completes your tap-to-pay transaction but will not give you a receipt. Legitimate businesses keep transaction records, and a terminal that can take a contactless payment can also print, e-mail, or text a receipt. If a vendor makes excuses, such as claiming the terminal is out of paper or the system is down, treat the transaction as suspect and check the amount in your banking app or wallet notification on the spot.
Managing Contactless Payment
Effective risk management means putting safeguards in place before an incident occurs. Organizations and individuals can protect themselves from these scams by adopting a few standard operational habits.
- Use RFID protection: Before an international trip, it’s common to buy RFID-blocking sleeves for credit cards or an RFID-blocking wallet or purse, but the same measure is worth taking at home. RFID-blocking sleeves and wallets work by shielding the card from the reader’s 13.56 MHz field, so a concealed reader cannot power the card and the card never answers. Note that this protects physical cards only; for a phone, the equivalent controls are keeping the wallet set to require unlock or biometric authentication before paying and, if you do not use it, turning NFC off.
- Independently verify all payment details: Before tapping a card or phone, examine what the terminal displays. Confirm that the requested amount matches the goods or services you intend to purchase, and after a wallet payment read the notification the wallet posts, which shows the merchant name and the amount actually charged. Fraudsters may obscure the transaction total on the terminal or route the payment to a merchant account whose name has nothing to do with the booth in front of you.
- Always get receipts: When in doubt, request a receipt. A receipt is immediate proof of what you agreed to pay, and it is useful evidence when disputing a fraudulent or altered charge with your financial institution or card issuer.
Steps to Take if You Suspect Fraud
If you discover unauthorized transactions and suspect you are the victim of a ghost tapping scam, don’t panic. Swift, decisive action limits financial exposure and starts the recovery process. Take the following steps to lock the card and report the incident:
- Notify your internal team: If the scam involved a corporate card, notify your cybersecurity team and finance department immediately so they can monitor for broader organizational exposure.
- Lock and cancel the card: Use your mobile banking application or call your provider directly to lock the affected card, preventing any further unauthorized transactions, then request a replacement.
- Report to the issuer: Formally report the fraudulent transaction to your bank or card issuer to initiate the dispute process.
- File an official complaint: Submit a consumer complaint about the fraudulent vendor to your state or local attorney general’s office.
- Document the fraud: Report the specific details of the incident to the BBB Scam Tracker to assist in warning others and tracking the threat actor’s methods.
The most effective method for combating contactless fraud is preventing it entirely. By expanding your cybersecurity awareness, using protective technologies, and remaining vigilant regarding your transaction data, you can safeguard your own financial resources and your organization’s against emerging wireless threats.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
To learn more, visit our dedicated Cybersecurity page.
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.