PAYMENT FRAUD

Ghost-tapping: the NFC card-relay scam that puts your card in a stranger's phone

A phishing page steals your card and the one-time code your bank texts you, then loads your card into the scammer's Apple Pay or Google Wallet so mules can tap-to-pay for luxury goods on your money.

SafeBrowz Threat Research Security ResearchJune 17, 20269 min read

The 60-second read

Ghost-tapping is real, and the one-time code is the whole trick. A scam page collects your card number, then asks for the verification code your bank just texted you. That code does not "confirm a payment." It authorizes adding your card to a device wallet, and the device is the scammer's phone. Once your card sits in their Apple Pay or Google Wallet, money mules tap that phone at stores to buy electronics and luxury goods. The rule that stops it: a one-time code provisions a card into a wallet, so if anyone walks you through "adding your card to a wallet" and asks for the code, you are handing a stranger's phone the right to spend your money. Your bank never needs you to add your card to someone else's wallet.

What ghost-tapping is, and why it is spreading in 2026

Ghost-tapping is the cash-out stage of a card-fraud assembly line. The old way to use a stolen card was to clone a magstripe or punch the number into a checkout page, both of which trip fraud models fast. The new way is quieter: get the card provisioned into a phone's tap-to-pay wallet, then spend it in person like any normal contactless purchase. To the merchant and the bank, a tap from a phone wallet looks like a legitimate customer at the register. That is why criminals love it, and that is why the technique earned a nickname.

The name and the structure come from threat-intelligence reporting. In 2025, Recorded Future published a study of what it called the "Ghost-Tapping Chinese Criminal Ecosystem," attributing the technique to organized Chinese-speaking syndicates that run it as a service: one crew harvests cards through phishing, another provisions them into wallets, and money mules on the ground do the in-store tapping. It is industrialized, not improvised.

The supporting tooling is documented too. ESET researchers detailed NGate, Android malware that relays NFC traffic from a victim's real card to an attacker's device, and security vendors have tracked a related "Ghost Tap" method that abuses legitimate NFC-relay software to push contactless transactions through a mule's phone in real time. The damage shows up in national figures: Singapore authorities reported roughly 656 wallet-compromise cases tied to this fraud, with losses of about S$1.2 million. A scam that converts a stolen number into groceries-aisle luxury purchases at scale is exactly the kind of thing a syndicate builds a pipeline around.

How the scam actually runs, step by step

The mechanics are simple once you see them laid out. Strip away the branding and every version follows the same five moves.

The lure. A text, email, or ad claims there is a problem with your account: a blocked card, a failed delivery fee, a fraud alert to "confirm," a refund to claim. It carries a link.
The harvest. The link opens a page dressed up as your bank or a payment brand. It asks for your card number, expiry, and CVV, and usually your name and address too.
The provisioning trigger. Behind the scenes, the scammer immediately starts adding your card to a wallet on their own phone. Your bank, doing its job, sends you a one-time verification code by SMS to approve that wallet enrollment.
The code grab. The fake page now shows a new step: "Enter the code we just texted you to verify your card." That sentence is the heart of the scam. You think you are confirming you own the card. You are actually approving the addition of your card to the scammer's device wallet.
The cash-out. With your card now living in their Apple Pay or Google Wallet, money mules walk into stores and tap to pay for electronics, gift cards, and luxury goods until you or your bank kill the card.

The genuinely new hook here is move four. Older card-phishing pages just stole the number and tried to use it online. The wallet-provisioning step is what makes ghost-tapping durable: a card sitting in a device wallet keeps working at physical terminals even after the number alone would have been declined, and the in-person taps look ordinary to fraud systems.

What the fake "add your card to a wallet" pages look like

The phishing page is the part you can actually catch with your eyes, and it almost always lives on a free-hosting subdomain that anyone can spin up in minutes, dressed to look like a bank or wallet brand. The examples below are illustrative lookalikes - the real wallet brands only live on their own official domains:

apple-pay-verify.vercel.app
wallet-card-add.pages.dev
nfc-bank-secure.netlify.app

Notice the shape. A brand word ("apple-pay," "wallet," "bank") is glued to a free-hosting host like vercel.app, pages.dev, or netlify.app. Those platforms are perfectly legitimate for developers, but anyone can publish anything on a subdomain of them in minutes, so a brand name sitting in front of one is a red flag, not a reassurance. The real wallet brands do not ask you to "add your card" from a link in a text. Apple Pay setup happens inside the Wallet app on your own iPhone at apple.com, and Google Wallet enrollment happens inside the Google Wallet app, never through a web page you were sent. Google's wallet lives at pay.google.com. Click any red example above to run it through the live checker and see how it is flagged.

🛡 LIVE CHECK

Paste a suspicious "verify your card" link here to check it

Got a text or email asking you to confirm a card or "add it to a wallet"? Paste the link below. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

Red flags that give ghost-tapping away

You do not need to understand NFC to stop this. The tells are in the request itself.

A code arrives, and someone asks you to read it back. Any one-time code, on any channel, is for your device alone. The moment a person, page, or caller wants you to share it, the request is fraud, full stop.
The code's own text mentions a wallet. Read the actual SMS your bank sent. If it says something like "adding your card to Apple Pay" or "device wallet enrollment," and you did not just do that yourself on your own phone, someone else is doing it on theirs.
You were sent a link to "add your card to a wallet." Real wallet setup happens inside the Wallet or Google Wallet app on your phone, never from a link in a message.
The page lives on a free-hosting subdomain. A bank or wallet brand on vercel.app, pages.dev, netlify.app, web.app, or github.io is not the brand. Those hosts let anyone publish anything.
There is urgency. "Your card is blocked," "confirm within 10 minutes," "fraud detected, verify now." The countdown exists to stop you from reading the code's text or calling your bank.
It asks for card number plus CVV plus a code on the same flow. Your bank already has your card details. A page that collects all of them and then a one-time code is harvesting, not verifying.
An unexpected wallet-enrollment notification appears. Some banks push an app alert when a card is added to a new device. If you see one you did not initiate, that is a live ghost-tapping attempt.

Why the one-time code is the entire battle

People have been trained for years to treat a one-time code as a harmless confirmation, a digital nod that says "yes, it is me." Ghost-tapping weaponizes that habit. The code in this scam is not confirming a login or a purchase. It is the bank's gate for a specific, high-value action: binding your card to a device's secure element so that device can pay with it forever. When you read that code to a stranger or type it into their page, you are not proving you own the card. You are granting their phone the standing right to spend from it at any contactless terminal in the world.

That is why the single rule at the top of this article matters more than any individual red flag. The brand on the lure will change. The story will change. The free-hosting domain will change daily. What does not change is the physics of the attack: a one-time code is what provisions a card into a wallet. Internalize that, and the scam collapses, because you will refuse the one step it cannot do without you. Your bank never needs you to add your card to someone else's wallet, and it will never ask you to.

What SafeBrowz sees on the network

When the SafeBrowz engine looks at a ghost-tapping phishing page, the profile is consistent enough to read across all three detection layers.

First, the host is almost always free-hosting or a brand-new domain. A bank or wallet "verify" page served from a vercel.app, pages.dev, or netlify.app subdomain is a structural contradiction: real financial brands do not run customer card flows off developer-preview hosting. The brand keyword sitting in front of a free-host suffix is itself the signal, independent of anything on the page.

Second, the form is the giveaway. A page that asks for a full card number, CVV, and then a one-time code, all on a host that is not the brand's official domain, is a textbook payment-credential harvester. That sequence is what content-aware analysis is built to recognize, even on a lookalike no blocklist has seen yet.

Third, the domains are young and disposable. Ghost-tapping crews rotate hosts constantly to stay ahead of takedowns, so domain-age and reputation signals flag a large share before the page even finishes loading.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It flags wallet and bank brand keywords sitting on free-hosting suffixes and cheap-TLD lookalikes instantly.
Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus domain-age lookup (most ghost-tapping pages are less than 30 days old) and 30+ scam TLDs.
Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new "verify your card / add to wallet" page that no blocklist has seen, including the one-time-code harvest step.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

For people who do not want to install anything, the same engine powers the free public URL checker. Paste any "verify your card" link and get a verdict in seconds.

What to do right now

If you are mid-flow on a page asking for a code, or you just realized you may have given one up, here is the whole correct response.

Stop and do not enter or read out the code. If you have not yet shared it, you have not lost anything. Close the page.
Read the actual bank SMS. If it mentions adding your card to a wallet or a new device, that confirms a provisioning attempt is in progress against your card.
If you already shared the code or your card details, call your bank now. Use the number on the back of your card, not any number from the message. Tell them a card may have been added to a wallet you do not control and ask them to block the card and remove any unknown wallet token.
Freeze or lock the card in your banking app immediately. Then request a replacement card with a new number, because the wallet token is bound to the old one.
Watch for contactless and in-store charges, not just online ones. Ghost-tapping spends at physical terminals, so review every transaction, including small "test" taps.
Report it. File with the FTC at reportfraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov. Include the link, the sender, and a screenshot.

If you handed over your full personal details along with the card, go to identitytheft.gov for a step-by-step recovery plan. Our full "I got scammed, what do I do now" walkthrough covers the first-hour playbook in detail.

How ghost-tapping fits the wider wave

Ghost-tapping did not appear in a vacuum. It is the contactless evolution of the same SMS-phishing machinery behind the unpaid-toll and fake-delivery texts that dominated the last two years. The lure stage is interchangeable: a toll, a parcel, a bank alert, a refund. What changed is the cash-out. Earlier crews dumped stolen numbers onto online checkouts. Ghost-tapping crews provision them into device wallets and spend in person, which is harder to trace and slower to decline. The pipeline that Recorded Future describes, with separate harvesting, provisioning, and mule layers, is the criminal version of specialization: each crew does one job well and hands off.

The defensive lesson is the same one that holds across every brand-impersonation scam. You cannot win by memorizing which brand the lure wears this week, because the brand is the cheapest, most disposable part. You win by recognizing the one structural step the attack cannot complete without you, and here that step is unmistakable: handing over the one-time code that adds your card to a wallet. Refuse that, and the most industrialized version of the scam still ends at your front door.

Frequently asked questions

What is ghost-tapping in plain terms?

Ghost-tapping is a card-fraud method where criminals load your stolen card into a phone's tap-to-pay wallet (Apple Pay or Google Wallet) on their own device, then use money mules to make in-person contactless purchases with it. The phishing step that makes it possible is tricking you into sharing the one-time code your bank texts to authorize adding a card to a wallet.

Why does the scam need the code my bank texted me?

Because that code is exactly what authorizes adding your card to a device wallet. When you read it out or type it into the scammer's page, you approve the enrollment of your card into their Apple Pay or Google Wallet. The code is not confirming that it is you; it is granting a specific phone permission to pay with your card.

Does my bank ever need me to add my card to someone else's wallet?

No, never. Real wallet setup happens inside the Wallet or Google Wallet app on your own phone, and you start it yourself. No legitimate bank, store, or support line will ever walk you through adding your card to a wallet or ask you to share a verification code to do it.

I gave them the code. What happens now and what do I do?

Your card may now be provisioned into the scammer's wallet and can be tapped at stores. Call your bank using the number on the back of your card, tell them a card was likely added to a wallet you do not control, and ask them to block the card and remove the wallet token. Then request a new card number, freeze the old one in your app, and watch for in-store charges. Report it at reportfraud.ftc.gov and ic3.gov.

How is ghost-tapping different from normal card skimming?

Skimming clones the magstripe or chip data to make a fake card. Ghost-tapping skips physical cloning entirely: it provisions your card into a phone wallet, so the criminal pays by tapping a normal-looking phone at the register. To the merchant and the fraud system, it looks like an ordinary contactless customer, which is why it evades many traditional fraud checks.

How do I check if a "verify your card" link is safe?

Do not enter anything first. Paste the link into the free SafeBrowz URL checker at safebrowz.com/url-check, which runs a 3-layer scan and flags wallet and bank lookalikes on free-hosting hosts. As a rule of thumb, any card flow served from a vercel.app, pages.dev, netlify.app, web.app, or github.io subdomain is not your bank.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Add to Chrome Add to Firefox Add to Edge