Scammers Are Tapping into Contactless Payments
Summary:
Making a payment with the tap of a credit card or phone is fast, convenient, and generally safe. But fraudsters have begun exploiting contactless payment methods to steal funds from unsuspecting victims. Here’s how tap-to-pay scams work, and how to best avoid them.
Tap-to-pay credit cards and digital wallets are being targeted in public places

Never let it be said that fraudsters don’t adapt with the times. Not long ago, one of their go-to moves was to secretly install skimming devices on ATMs, credit card readers, and gas pumps. When victims would insert or swipe their magnetized card, the card’s data would be illegally captured by these devices for the purpose of making unauthorized purchases or siphoning funds using the victim’s card number.
Partly in response to this security issue, retailers and financial institutions began switching to contactless payment, in which customers could simply tap a chip-enabled payment card against a digital reader or hold their phone to the reader and pay via a digital wallet such as Apple Pay or Samsung Pay. The process is driven by a form of radio-frequency identification (RFID) called near field communication. This technology allows the payment reader and the card or phone to safely communicate when the two are in extremely close proximity.
For several years now, contactless payment has been a fast, easy way for consumers to conduct transactions without fear of being scammed. Or at least it was, until fraudsters began finding new ways to take advantage.
How the tap-to-pay scam works
The Better Business Bureau (BBB) has issued a consumer alert regarding tap-to-pay scams—sometimes referred to as “ghost tapping”—in which fraudsters steal funds from contactless payment cards or digital wallets without the victim’s knowledge. While the BBB notes that the scam is especially prevalent in crowded settings such as flea markets, street fairs, transit centers, and outdoor food or music festivals, it can happen in any public place.
There are several versions of the scheme. In one scenario, a fraudster pretending to be a legitimate vendor sets up shop at a crowded venue, accepts only contactless payment, and massively overcharges without the victim’s consent. In another, the scammer claims to represent a charity and asks for a small donation, but actually charges a much higher amount to the victim’s card. In both scenarios, the fraudster attempts to rush the payment process so that the victim can’t get a good look at either the merchant’s name or the transaction amount.
Then there’s the rarer circumstance of the bump-and-run, in which the scammer distracts or brushes against the victim in public while using a hidden reader with near field communication technology to extract funds from the person’s chip-enabled card or their phone’s digital wallet. Once the fraudster has gathered the payment information, they often start making small withdrawals from the victim’s account, to avoid triggering fraud detection alerts. If the charges go undetected, they may attempt larger withdrawals.
Among the signs that you’ve been targeted in a tap-to-pay scam:
- The vendor or charity representative asks that you tap for payment but does not give you an opportunity to see the amount or get a receipt.
- You notice unusual charges to your account after you’ve been in a crowded public setting.
- You begin seeing small “test” charges to your account, which you don’t recognize.
How to best prevent tap-to-pay scams
The BBB advises consumers to stay vigilant against this scheme, particularly when in busy, crowded venues. Protective measures include:
- Before tapping, be sure to look carefully at the other party’s name and the transaction amount on the terminal screen, and confirm that you’ll get a printed receipt. (Even if the receipt turns out to be fraudulent, you’ll have evidence if you need to dispute a charge.) If the merchant makes an excuse for why they can’t accommodate any of this, walk away.
- Keep a watchful eye for suspicious charges on your financial accounts. Consider setting up transaction alerts through your bank or credit card provider, so that you can instantly see the details of every charge.
- If you use a digital wallet on your phone, secure your device by adding biometric authentication such as facial recognition or fingerprint scanning.
What to do if you’ve become victimized
If you spot suspicious charges to your account, report the incident to your bank or credit card provider as soon as possible. By reporting credit card fraud within 60 days, you’ll limit your maximum liability to $50 as per U.S. federal law. (Many major credit cards offer zero-liability protection against fraud for incidents that are reported immediately.) If you suspect the fraud is active and ongoing, also consider freezing or canceling the affected card.
Finally, you can help others avoid becoming targeted by reporting scams to the FTC as well as the BBB Scam Tracker.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.