Ghost-Tap Scam Makes Payments Scarier
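A new type of scam, "ghost tapping", uses NFC technology to steal funds by getting close to a victim's phone or payment card without their knowledge. Scammers often pose as vendors or approach targets in crowded settings to trigger a payment transaction. Victims may be charged hundreds or even more than a thousand yuan without knowing it. Experts recommend protective measures such as using RFID-blocking devices, confirming transaction details, and setting up alerts. 2025-12-5 10:36:33 Author: securityboulevard.com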

Do you think ghostly things just come out for Halloween? Think again. Long after the spooky holiday ended, the Better Business Bureau (BBB) has warned of a new scam — ghost-tapping — aimed at people using tap-to-pay mobile apps and even some credit and debit cards at a retailer’s point of sale. 

The scam targets tap-to-pay cards and mobile wallets like PayPal and Venmo apps on smartphone devices that support tap-to-pay functionality and mobile payments. Scammers take advantage of Near Field Communication (NFC) that facilitates tap-to-pay by letting devices in proximity to “speak” to each other and exchange data. 

By tapping, payment information is sent to a payment terminal.

Reports of the scam have come rolling in to the BBB. “One person reported this experience to BBB Scam Tracker, ‘An individual is going door to door in [location redacted] claiming to be selling chocolate on behalf of [redacted] to support special needs students,’” the bureau relayed. “He says that he can only accept tap-to-pay to get people to pay with a card. He then charges large amounts to the card without the cardholder being able to see the amount. He got my mother for $537… Another victim for $1100… He changes neighborhoods frequently to avoid getting caught.’” 

That’s textbook, according to the BBB, which said the miscreants also try to hoodwink unsuspecting individuals in public places by perhaps bumping into them while they are tapping; pretending to be a vendor at a festival or an event in which they set up fake booths and solicit tap payments; asking for a small donation but placing a larger charge on a credit card; or rushing targets through the process so they’re less likely to verify details before tapping.

The agency said that consumers should be vigilant, particularly if they receive bank alerts about a small or unusual test charge, a request to tap without offering up a receipt, or suspicious charges after attending a festival or some other crowded event or area. 

“Physical cards respond the moment they’re close to a reader, which makes this scam possible in crowded spaces,” says Krishna Vishnubhotla, vice president of product strategy at Zimperium. “Phones are harder to exploit because wallets require authentication, but attackers look for brief moments when a device is unlocked. The same speed-and-proximity tactics often lead to broader mobile compromise through theft or tricking a user.” 

Shane Barney, CISO at Keeper Security, agrees. “Keep in mind that modern smartphones are far more secure than physical cards,” he says. “Mobile wallets such as Apple Pay and Google Wallet are built on strong security controls, including device-level biometrics; tokenization instead of storing card numbers; and hardware security modules.”

“A locked phone with Face ID, Touch ID, or a PIN stops NFC payments because wallets won’t release tokens. It’s far safer than a physical card,” says Vishnubhotla, warning, though, “if the device is unlocked or already compromised, an attacker can still attempt fraudulent activity. A compromised device exposes far more than payments.” 

He explains that a typical ghost tapping attempt involves three steps: 

Proximity: An attacker gets extremely close to the victim — often by bumping into them or standing pressed against them — with a handheld NFC reader. 

Triggering a Transaction: If a payment card is loose in a pocket or bag and not shielded, the reader may attempt to initiate a small tap-to-pay transaction. 

Processing the Charge: In some cases, victims may not notice the charge, particularly if the attacker keeps the amount low. 

“Pure ‘drive-by’ NFC theft is much harder to execute than people assume, and the data available from EMV cards is limited,” Barney says. 

That doesn’t stop criminals, though. They persist — and sometimes succeed — because “the barrier to entry is low — NFC readers are widely available online, and unsuspecting victims may not notice a single small fraudulent charge,” he says. 

But they can be stopped. To thwart the scammers, the BBB recommends: 

  • Using RFID protection like an RFID-blocking wallet or sleeve.  
  • Confirming payment details like merchant name and amount on a terminal screen before tapping a card or phone.
  • Setting up transaction alerts if their bank allows real-time notifications for every charge. 
  • Keeping an eye on accounts by doing daily checks to spot fraud faster. 
  • Limiting tap-to-pay in high-risk areas and swiping or inserting a card instead.

Source: https://securityboulevard.com/2025/12/ghost-tap-scam-makes-payments-scarier/