Now making headlines is a new, troubling type of cybercrime called “Ghost Tap,” which gives hackers the ability to exploit near-field communication (NFC) technology to steal money from mobile payment systems.
Researchers recently uncovered the scheme, which allows criminals to quietly pull off fraudulent transactions from a distance. It’s another big headache for both financial institutions and everyday people trying to protect their money while using their mobile devices.
Here’s how it works: Cybercriminals first get their hands on stolen credit card information. They usually do this through phishing emails, malicious software, or other sneaky tactics. Sometimes, they use malware disguised as legitimate financial apps to capture sensitive details like passwords and those one-time passcodes (OTPs) that banks send via text.
Once they’ve got credit card information, the attackers link it to digital wallets on mobile payment apps like Google Pay or Apple Pay. But instead of using the cards directly, they turn to a tool called NFCGate. This tool was originally created for honest, harmless research purposes, but in the wrong hands it becomes a way to intercept, decode, and fake NFC signals.
Enter the money mules
In a Ghost Tap attack, NFCGate is used to send stolen payment details through a server to so-called “money mules.” These mules, often scattered across different cities or even countries, use the stolen data to make fraudulent purchases in stores. They typically go after easy-to-liquidate items like gift cards and high-demand electronics.
Unlike older fraud tactics, this especially sophisticated method doesn’t require hackers to be near a cash register or point-of-sale (PoS) terminal. By using NFCGate, they can send stolen card information to multiple devices; in other words, fraud can happen in several places at once.
This kind of attack is tough to catch with traditional fraud detection systems. The transactions look like they’re coming from legitimate devices tied to real payment accounts, so they’re often able to slip through the cracks. Things like unusually large purchases or sudden changes—typical red flags—don’t always apply.
The criminals also take extra steps to stay hidden. They’ll often put devices connected to the stolen payment data in airplane mode to block tracking, making it even harder to figure out where the fraud is coming from. This tactic lets them pull off unauthorized transactions in far-apart locations within minutes, which can confuse even the best monitoring systems.
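One check an issuer could run against the pattern described above, taps on a single wallet token in far-apart locations within minutes, is an implied-speed test. This is an added example, not code from the researchers' report; the record fields, the coordinates, the sample taps and the 900 km/h threshold are all assumptions.

```python
from math import radians, sin, cos, asin, sqrt
from datetime import datetime

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(taps, max_kmh=MAX_KMH):
    """Return (token, earlier_id, later_id, km, minutes) for each pair of consecutive
    taps on one wallet token whose implied speed exceeds max_kmh."""
    by_token = {}
    for t in taps:
        by_token.setdefault(t["token"], []).append(t)
    alerts = []
    for token, rows in by_token.items():
        rows.sort(key=lambda r: r["ts"])
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # Ignore taps at (nearly) the same place; same-second taps count as infinite speed
            if km > 1.0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((token, prev["id"], cur["id"], round(km), round(hours * 60)))
    return alerts

def _tap(i, token, ts, lat, lon, amount):
    return {"id": i, "token": token, "ts": datetime.fromisoformat(ts),
            "lat": lat, "lon": lon, "amount": amount}

# Constructed sample: terminal coordinates as an issuer might resolve them from merchant data
SAMPLE = [
    _tap("t1", "tokA", "2024-11-20T10:00:00", 52.52, 13.40, 45.00),  # Berlin
    _tap("t2", "tokA", "2024-11-20T10:06:00", 48.86, 2.35, 50.00),   # Paris, 6 minutes later
    _tap("t3", "tokB", "2024-11-20T09:00:00", 52.52, 13.40, 12.50),  # Berlin
    _tap("t4", "tokB", "2024-11-20T09:40:00", 52.40, 13.06, 30.00),  # Potsdam, 40 minutes later
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE):
        print(alert)
```

The check keys on the terminal's location rather than the phone's, so it does not depend on the device being reachable, and it looks at timing and distance rather than purchase size.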
Ghost Tap is a headache for banks because it combines advanced technology with the anonymity of decentralized networks. The fraudsters usually keep the transactions small, which helps them avoid setting off alarms. But when this strategy is scaled up, even small charges can add up to massive financial losses.
Meanwhile, the criminals behind the scheme stay safely in the shadows, leaving the mules—often unaware of the full operation—to take the fall if they’re caught. According to reports, the ability to spread these fraudulent activities across so many locations at once makes it nearly impossible for banks and payment platforms to spot the fraud quickly.
Ultimately, stopping Ghost Tap falls on financial institutions. However, regular folks can stay safe by monitoring bank accounts for suspicious activity, enabling extra security measures like two-factor authentication, and simply being cautious with online interactions. If something looks off, reporting it to the bank right away can limit the damage and possibly stop further fraud.
The rise of “Ghost Tap” signals the escalating complexity of mobile-related cybercrime, which is pushing financial institutions and individuals to strengthen their defenses. While banks must innovate to counter these sophisticated attacks, individuals play a key role by staying attentive.