Contactless payments were built for speed, simplicity, and convenience, but in the shadows of that innovation a new breed of digital ghouls has emerged
Around the world, banks and payment processors are reporting an explosion of mysterious tap-to-pay transactions happening nowhere near real cardholders. The European Association for Secure Transactions (EAST), for instance, has tracked a 1,500% surge in these relay-based attacks over the past year, with incidents stretching from Santiago to Singapore.
Security teams investigating these anomalies keep finding the same fingerprints: relayed near-field communication (NFC) signals, cloned tokens and fraudulent mobile wallets. In these attacks, criminals intercept and relay communication between a payment card or mobile device and a legitimate payment terminal, tricking systems into thinking the contactless device is present when it may be a great distance away. So seamless they look like legitimate transactions until it’s too late, Ghost Tap and PhantomCard attacks have become two of the fastest-growing relay threats in digital payments.
In short, convenience has outpaced security, and fraudsters are springing into action, exploiting contactless technology through a wicked combination of social engineering, tap-to-pay gadgets, custom phones and menacing malware.
This isn’t just petty theft. It’s the evolution of financial fraud: invisible, intelligent, and spreading fast. Scary stuff!
What’s really going on
In an NFC relay attack, a fraudster standing near you might use a hidden device to capture your card’s wireless signal, while an accomplice at a distant payment terminal “relays” that signal in real-time to make a purchase even though your card or phone is far away. The system is tricked into thinking the card is physically present at the terminal, allowing the fraudulent transaction to go through in real time.
In the case of Ghost Tap attacks, a malicious NFC data relay technique, or digital applications such as NFCGate, are used to perform POS cash-outs. Attackers remotely spoof a legitimate tap at a POS terminal using relayed signals from a victim’s card or mobile wallet that never leaves their pocket. Each transaction is kept intentionally small and routine to avoid triggering velocity or amount thresholds, while the use of globally distributed accomplices eliminates a single geolocation fingerprint. The result: A cryptographically valid payment without the card ever being touched.
PhantomCard is a new type of NFC-driven Android malware emerging in markets around the globe, such as Brazil. Malware is distributed through social engineering and phishing campaigns, often disguised as a legitimate card protection app. Once the app is installed and opened, cloned or emulated cards are created using stolen banking card information that is transmitted to an attacker-controlled NFC relay server and used in ATM or POS environments. They slip through networks undetected, behaving just like real cards until the funds disappear.
Why it’s happening now
The rapid adoption of mobile wallets and contactless technology has created fertile ground for these attacks. According to EAST, terminal-related fraud in Europe jumped 25% in early 2025, driven largely by NFC data relay and Ghost Tap incidents. Urban hubs like New York and Toronto have proven to be easy hunting grounds, with Apple Pay and Samsung Pay frequently targeted. In addition to Brazil and Latin America, South Africa and UAE have experienced significant attacks related to Ghost Tap and PhantomCard withdrawals, while Japan, Singapore and Australia also have been victim to NFC-related attacks on mobile wallets.
Fraud experts at Threat Fabric and BleepingComputer report that attackers are using stolen card credentials and one-time passwords to create fake wallets, then cashing out through mule networks across regions. Attack variations could include:
- Fake or tampered merchant terminals set up by fraudsters to route transactions remotely
- Stolen token replay, leveraging tokenized card data from mobile wallets for rapid purchase of easily resellable goods at multiple stores
- Manipulation of ATM or POS software such as Track2NFC to force offline approvals
Meanwhile, analysts are flagging “proximity mismatches” — when a transaction occurs in one city while the cardholder’s device pings from another — as one of the strongest early signals. These small inconsistencies are invisible to static fraud rules but glaring under behavioral analytics.
The real-world damage
Making these attacks even more challenging to detect and prevent, banks and payment processors are facing a new operational nightmare: hundreds of micro-transactions, often under $20, processed across multiple countries in a matter of minutes. Each one looks normal on its own, but together they’re a coordinated digital heist.
The results?
- Operational overload: Fraud teams spend days combing through scattered, low-value “ghost” transactions.
- Customer distrust: Every mysterious tap chips away at public confidence in digital payments.
- Regulatory pressure: Global regulators are tightening rules around tokenized payments and mobile-wallet authentication.
When every transaction looks legitimate, the cost of catching ghosts adds up fast.
How to bust the ghosts
Fighting Ghost Tap and PhantomCard fraud requires more than traditional rules or limits. It takes visibility into every data point and the ability to connect behavioral, device, and geolocation patterns in real time.
Here’s what leading banks and payment processors are focusing on:
- Metadata inspection: This means tracking POS entry modes and unexpected EMV data patterns, especially when a card has no tap-to-pay history.
- Location and velocity checks: If a card “taps” in Tokyo while the device is active in Toronto, something wicked may be afoot.
- Wallet and token monitoring: In a classic Ghost Tap maneuver, fraudsters often add stolen tokens and initiate immediate purchases.
- Pattern correlation: Look for clusters of low-value taps across unrelated merchants or geographies. It’s rarely random.
- Collaboration: Cross-industry intelligence sharing helps connect dots faster. Relay networks leave traces that one institution alone may not see.
INETCO BullzAI: Your digital exorcist
INETCO BullzAI is the platform banks and payment processors trust to bring real-time data visibility and precision fraud blocking into the fight.
- Field-level transaction decoding: INETCO BullzAI catches anomalies invisible to legacy systems by analyzing every transaction field across protocols such as ISO8583 and ISO20022. Real-time inspection of metadata allows you to instantly detect anomalies in POS Entry mode, POS condition code and EMV related data, which are then correlated with differences in device fingerprints, IP addresses, transaction behavior and geo-location velocity to validate against the known proximity of a card holder and their device.
- User and entity behavior analysis: Adaptive machine-learning models learn how each card, device and terminal should behave and automatically update after every transaction. When a transaction defies those patterns — a spike in low-value, high-frequency transactions, for instance, is classic Ghost Tap behavior — INETCO BullzAI flags and blocks or rate-limits them instantly.
- AI-driven blocking: Rather than blanket-blocking networks, INETCO BullzAI relies on rules-based alerts and AI-driven risk scoring to halt fraudulent transactions with precision before authorization completes.
- Adaptive learning: As attackers evolve their methods, INETCO BullzAI evolves right alongside them, ensuring banks and payment processors stay one step ahead to identify new and evolving threats in real time.
As financial institutions race toward frictionless payments, fraudsters are turning that convenience into their playground. But the same technology that enables contactless speed can also deliver contactless security, as long as it’s paired with the right intelligence.
With INETCO BullzAI, banks can see the unseen, block the untouchable, and finally turn the tables on the ghosts haunting their payment systems.
Discover how the INETCO BullzAI transaction firewall can help you block Ghost Tap and PhantomCard fraud before it impacts your customers. Watch the 3-minute video.