Ghost Tap: The NFC Scam Draining Australian Bank Accounts
Contactless payment fraud has reached a new level of sophistication. A technique called Ghost Tap allows criminals to make purchases using your credit or debit card in real time — while you're sitting at a café in Melbourne and they're walking through a shopping centre in London. No card skimmer. No physical theft. No warning.
This isn't a theoretical threat. In January 2026, cybersecurity firm Group-IB published a major investigation identifying 54+ active malware variants enabling Ghost Tap attacks globally. Claims tied to Ghost Tap have surged more than 150% over the past year, according to GuidePoint Security. In Europe, the European Association for Secure Transactions (EAST) tracked a 1,500% increase in NFC relay attacks in 12 months.
Australia is one of the world's most tap-and-go reliant nations. We lead the world in contactless payment adoption — the Reserve Bank of Australia has reported that contactless payments now account for the vast majority of in-person card transactions. That makes Australian consumers a natural target as this attack spreads from Europe and Southeast Asia.
This guide explains exactly how Ghost Tap works, why it's spreading, and what you can do to protect yourself today.
What Is Ghost Tap?
Ghost Tap is a form of NFC (Near Field Communication) relay fraud. NFC is the technology that powers tap-and-go payments — when you hold your card or phone near a terminal, a short-range wireless signal transfers your payment data to complete the transaction.
Ghost Tap exploits that signal. Criminals intercept or capture your NFC payment data and relay it over the internet to a device controlled by an accomplice — who can then make purchases at a physical terminal anywhere in the world, in real time.
The key insight: because the payment signal is relayed live, the transaction appears cryptographically valid to the payment terminal. It looks like a legitimate tap-to-pay, which is why it bypasses most traditional fraud detection.
Ghost Tap was first documented by cybersecurity researchers at ThreatFabric in late 2024. Since then it has evolved rapidly and is now being sold commercially by criminal groups as a subscription service.
How the Attack Works
There are two main variants of Ghost Tap. Understanding the difference matters because each requires a different defence.
Variant 1: The Malware Route
This is the more sophisticated version. Here is the exact sequence of events:
- You receive a text or call appearing to be from your bank, advising of suspicious activity on your account.
- You're directed to install an app — a link in the SMS leads to a page where you download what appears to be your bank's security or verification app.
- The app prompts you to verify your identity by holding your physical card against the back of your phone.
- A hidden "Reader" component in the malware silently captures the NFC data from your card — the same data that flows to a terminal when you tap to pay.
- That data is transmitted via a command-and-control (C2) server to a criminal's device anywhere in the world.
- The criminal runs a "Tapper" app on their device that emulates your card. They walk into a store, hold their phone to the terminal, and complete a purchase — as if your card were physically present.
You are still sitting at home. Your card is still in your wallet. The transaction is already done.
In more advanced operations, criminals skip direct victim interaction altogether. They load compromised card details — obtained from data breaches of banks or telecoms — directly into mobile wallets on burner phones. Networks of paid mules then disperse across retail locations in multiple countries, making purchases simultaneously.
Variant 2: Passive Proximity Scanning
This variant requires no malware on your device and targets physical contactless cards only — not Apple Pay or Google Pay on your phone. Both phone-based payment platforms require biometric authentication (Face ID, Touch ID, fingerprint) before completing a transaction, so a passive scan of your phone yields nothing usable.
A criminal conceals a compact NFC reader inside a bag, jacket pocket, or handheld device. In a crowded place — an airport, a shopping centre, public transport — they move close enough to you for the reader to passively activate your physical contactless card.
The captured signal is relayed in real time to an accomplice running a Tapper app elsewhere. Because NFC typically operates at a range of a few centimetres, this requires close physical proximity, but crowded environments provide exactly that opportunity.
The technical tool powering both variants is a repurposed version of NFCGate — an open-source research framework originally developed by researchers at the Technical University of Darmstadt in Germany. It was designed to study NFC communications. Criminal groups have since commercialised it into polished, subscription-based fraud kits.
The Criminal Industry Behind It
Ghost Tap is not a niche hacker activity. It is a commercial operation.
Group-IB's January 2026 investigation revealed a structured underground market primarily operating within Chinese-speaking criminal communities on Telegram. Key findings:
- Three major vendors — TX-NFC, X-NFC, and NFU Pay — openly compete for customers with customer support teams and tailored regional builds.
- TX-NFC alone has more than 21,000 active Telegram subscribers.
- Subscriptions are priced from $45 USD for a single day up to $1,000+ for three months of access.
- Between November 2024 and August 2025, at least USD $355,000 in fraudulent transactions were traced to a single POS terminal vendor advertising on Telegram — and that is just what researchers could verify from one operation.
- Proof-of-purchase receipts are routinely shared in channels to attract new customers.
Recorded Future's Insikt Group identified established Southeast Asia-based criminal syndicates — groups already running romance scams, investment fraud, and crypto theft since 2020 — incorporating Ghost Tap into their operations as an additional revenue stream.
The criminal infrastructure relies on Telegram-based escrow marketplaces. The largest, Huione Guarantee, announced it shut down operations on 13 May 2025 — but researchers observed criminals immediately migrating to Xinbi Guarantee and Tudou Guarantee, which now serve as one-stop shops for recruiting Ghost Tap operators, mules, resellers, and money launderers.
In Singapore, 656 cases were reported between October and December 2024 alone, resulting in losses of over SGD $1.2 million — predominantly involving Apple Pay-linked cards. Singapore is a comparable market to Australia in terms of contactless payment adoption, and its experience is a credible preview of what is coming here.
Why Australia Is Exposed
Several factors make Australian consumers particularly vulnerable to Ghost Tap:
We are world leaders in contactless payment. The RBA has consistently reported Australia among the highest globally for tap-and-go adoption. Our familiarity with the convenience of contactless payment also means we are more likely to comply with "bank security" prompts without suspicion.
Apple Pay and Google Pay penetration is high. The data-breach provisioning variant of Ghost Tap — where criminals load stolen card credentials directly into their own mobile wallets — specifically exploits the gap between stolen card data and contactless payment infrastructure. Australia's high rate of mobile wallet adoption makes this pathway more lucrative for criminal operations targeting the region.
The SMS phishing ecosystem targets Australians heavily. The Australian Communications and Media Authority (ACMA) has flagged mobile number fraud and telco-based scams as priority enforcement areas. Australia is already a high-volume target for the smishing campaigns that deliver Ghost Tap malware.
There is almost no Australian consumer awareness of this attack. At the time of writing, there is virtually no coverage of Ghost Tap in the Australian mainstream or security press targeted at everyday consumers. That gap is both a vulnerability and — for those who know about it — an opportunity to act before it becomes widespread.
Why Your Bank Won't Always Catch It
A reasonable assumption is that your bank's fraud detection will flag something unusual before serious damage is done. For Ghost Tap, that assumption is worth examining carefully.
The transaction looks legitimate. This is the core problem. When a Ghost Tap relay is in operation, the payment terminal receives a cryptographically valid NFC signal — the same signal that would be produced by your card being physically present. The terminal and the payment network have no technical way to distinguish a relayed signal from a genuine one. From the bank's perspective, it logs as a normal contactless transaction.
Fraud detection looks for anomalies. Ghost Tap is designed to avoid them. Traditional bank fraud systems flag things like: a card used simultaneously in two locations, an unusually large transaction, a purchase in a geography inconsistent with the cardholder's history, or a sudden change in spending pattern. Ghost Tap criminal operations are structured to avoid every one of these signals:
- Transactions are kept deliberately small — typically under $100 — to stay below per-transaction limits that require PIN verification and below the threshold that triggers automatic fraud alerts.
- Multiple mules make purchases across different terminals, different suburbs, sometimes different countries, so no single point of anomaly stands out.
- The criminal infrastructure is professionalised: vendors like TX-NFC offer "tailored regional builds" precisely to help operators blend into normal transaction patterns for a given market.
Cumulative losses are what hurt. Because each individual transaction is small, a victim may lose $300–$800 across 6–12 transactions before the bank's velocity-based detection catches up — if it catches up at all before the victim notices manually.
Banks are improving, but not infallible. Australian banks increasingly use behavioural analytics — device fingerprinting, location correlation, spending velocity — that can catch relay fraud in some cases. Some Ghost Tap campaigns have been disrupted by bank fraud teams identifying unusual patterns in mule networks. But Group-IB's January 2026 investigation confirmed that at least $355,000 in fraudulent transactions cleared successfully across one vendor's network over nine months — meaning a significant volume is getting through.
The practical takeaway: do not rely on your bank as your first line of defence. Real-time transaction alerts and weekly statement checks are your early warning system. Your bank is the recovery mechanism, not the prevention.
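To make the velocity argument concrete, here is an added example that is not from the article, from Group-IB, or from any bank's fraud system: a small Python rule set run over a constructed set of card authorisations. It contrasts a per-tap amount check, which the sub-$100 structuring described above evades, with two aggregate rules a fraud team would actually run: a sliding-window velocity rule over tap count and cumulative spend, and an impossible-travel rule over consecutive taps on the same card. All card tokens, timestamps, amounts, thresholds and city coordinates are constructed for the demonstration and are not real data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed rule thresholds for this example (not any bank's real settings).
# The per-tap figure mirrors the roughly $100 no-PIN limit the article describes.
PIN_THRESHOLD_AUD = 100.0
VELOCITY_WINDOW = timedelta(hours=2)
VELOCITY_MAX_COUNT = 4            # more than this many taps per window -> alert
VELOCITY_MAX_SUM_AUD = 300.0      # more than this much spent per window -> alert
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # about airliner speed; faster is impossible travel


@dataclass(frozen=True)
class Tap:
    card: str           # tokenised card reference (constructed, not a card number)
    ts: datetime        # UTC time the terminal authorised the tap
    amount_aud: float
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def _history_by_card(taps):
    """Group taps per card, oldest first, so each rule walks one card's timeline."""
    by_card = {}
    for t in sorted(taps, key=lambda t: t.ts):
        by_card.setdefault(t.card, []).append(t)
    return by_card


def per_tap_alerts(taps):
    """The check Ghost Tap is structured to evade: only the single tap amount is examined."""
    return [t for t in taps if t.amount_aud > PIN_THRESHOLD_AUD]


def velocity_alerts(taps):
    """Sliding-window rule per card: alert when tap count or cumulative spend inside
    VELOCITY_WINDOW exceeds the limits. Returns tuples (card, time, count, total)."""
    alerts = []
    for card, history in _history_by_card(taps).items():
        window = []
        for tap in history:
            window.append(tap)
            window = [w for w in window if tap.ts - w.ts <= VELOCITY_WINDOW]
            total = sum(w.amount_aud for w in window)
            if len(window) > VELOCITY_MAX_COUNT or total > VELOCITY_MAX_SUM_AUD:
                alerts.append((card, tap.ts, len(window), round(total, 2)))
                break  # one alert per card is enough to trigger a freeze-and-call
    return alerts


def impossible_travel_alerts(taps):
    """Consecutive taps on one card whose locations could not both be genuine
    presentations of the same card. Returns tuples (card, from_city, to_city, km, km/h)."""
    alerts = []
    for card, history in _history_by_card(taps).items():
        for prev, cur in zip(history, history[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same-second taps apart = impossible
            if km > 1.0 and speed > MAX_PLAUSIBLE_SPEED_KMH:
                speed_out = round(speed) if hours > 0 else speed
                alerts.append((card, prev.city, cur.city, round(km), speed_out))
    return alerts


# Constructed sample: the victim buys a coffee in Melbourne, then a relay operator
# in London runs five sub-$100 taps within the next hour and a quarter. A second,
# uncompromised card used twice in Sydney is included as a control.
MEL = (-37.8136, 144.9631)
LON = (51.5074, -0.1278)
SYD = (-33.8688, 151.2093)
T0 = datetime(2026, 3, 2, 23, 5, tzinfo=timezone.utc)  # 10:05 Melbourne local time

SAMPLE_TAPS = [
    Tap("tok_4a1f", T0, 4.80, "Melbourne", *MEL),
    Tap("tok_4a1f", T0 + timedelta(minutes=15), 82.00, "London", *LON),
    Tap("tok_4a1f", T0 + timedelta(minutes=29), 76.50, "London", *LON),
    Tap("tok_4a1f", T0 + timedelta(minutes=44), 91.00, "London", *LON),
    Tap("tok_4a1f", T0 + timedelta(minutes=58), 68.00, "London", *LON),
    Tap("tok_4a1f", T0 + timedelta(minutes=73), 79.00, "London", *LON),
    Tap("tok_9c3e", T0 + timedelta(minutes=5), 45.00, "Sydney", *SYD),
    Tap("tok_9c3e", T0 + timedelta(minutes=35), 18.20, "Sydney", *SYD),
]


def run_demo(taps=SAMPLE_TAPS):
    """Run all three rules over the sample and return their alerts keyed by rule name."""
    return {
        "per_tap": per_tap_alerts(taps),
        "velocity": velocity_alerts(taps),
        "impossible_travel": impossible_travel_alerts(taps),
    }


if __name__ == "__main__":
    for rule, hits in run_demo().items():
        print(f"{rule}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

Running the block shows the gap the article describes: the per-tap rule flags nothing, because every relayed tap sits under the PIN threshold, while the velocity rule only fires on the fifth relayed tap, by which point about $322 has already cleared. The impossible-travel rule catches the very first relayed tap, but only if the bank correlates terminal locations across transactions in real time, which is exactly the behavioural analytics the article says some banks are adding and others are not. That lag is the reason the advice to alert on every transaction, not just on amounts above a threshold, matters.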
How to Protect Yourself: 8 Practical Steps
1. Put Your Physical Cards in an RF/NFC Blocking Wallet — and Keep Them There
This tip applies specifically to physical contactless cards — your Visa, Mastercard, or debit card. It does not apply to Apple Pay or Google Pay on your phone, which require biometric authentication before a transaction can complete and are not vulnerable to passive proximity scanning.
For your physical cards, an RF blocking wallet is the most effective defence against the passive proximity scanning variant. When your card sits inside a properly shielded wallet or card sleeve, the NFC chip is completely isolated. There is nothing for a hidden reader to detect, capture, or relay.
The key word is properly shielded. Many wallets carry an "RFID blocking" label without any independent testing to back it up. What matters is that the material blocks 13.56 MHz — the specific frequency used by all contactless payment cards in Australia. Cheap foil-lined products often have gaps at seams or closures that break the shielding and defeat the purpose entirely. Look for wallets that specify tested shielding at this frequency, not just a generic "RFID blocking" claim.
Practical tip: Keep all physical cards in the shielded wallet by default. Only take a card out when you're actively paying at a terminal you trust. In crowded places — shopping centres, concerts, the train — your cards should always be inside the wallet.
2. Turn NFC Off on Your Android Phone When You're Not Paying
NFC on Android is a one-tap toggle. Get into the habit of keeping it off, and switching it on only when you're about to tap to pay.
How to do it on Android:
- Pull down from the top of your screen to open Quick Settings
- Look for the NFC tile (it may be in the second row — swipe down again to expand)
- Tap it to toggle off. The icon will go grey when disabled.
- On Samsung: Settings → Connections → NFC and Contactless Payments → toggle off
- On Google Pixel: Settings → Connected Devices → Connection Preferences → NFC → toggle off
If NFC isn't in your Quick Settings panel, you can add it: tap the pencil/edit icon in Quick Settings and drag the NFC tile into the active panel.
What about iPhone? Apple Pay requires Face ID or Touch ID to authorise every transaction — a passive proximity scan cannot complete a purchase on an iPhone without your biometric. Your main exposure on iOS is the malware/social engineering variant (Tip 3), not passive scanning.
3. Never Install a Banking App From a Text Message or Phone Call
This is the delivery mechanism for the malware variant. The entire Ghost Tap malware chain starts with a convincing SMS or phone call that impersonates your bank.
What the message looks like:
- "Unusual activity detected on your account. Install the ANZ Security Verify app to confirm your identity: [link]"
- "Your CommBank account has been locked. Download our verification app to restore access: [link]"
- A phone call from someone claiming to be from your bank's fraud team, asking you to install an app while they stay on the line.
The rule is absolute: your bank will never ask you to install an app via an SMS link. Not ever. Not for any reason.
If you receive a message or call like this:
- Do not click the link.
- Hang up if it's a call.
- Open your banking app directly (from your phone's app drawer, not any link) or call your bank using the number printed on the back of your card.
- Report the SMS to Scamwatch: forward it to 0429 999 888 (ReportScam SMS service).
Download banking apps only from the official Apple App Store or Google Play Store, and verify the developer name matches your bank exactly before installing.
4. Turn On Real-Time Transaction Alerts — Right Now
Ghost Tap fraud typically starts small. Criminals run test transactions under $50 to confirm the relay is working before attempting larger purchases. Real-time alerts catch this before it escalates.
How to set this up with Australian banks (navigation paths are approximate — app layouts change with updates, so check your bank's help section if these don't match exactly):
- CommBank: App → Profile & Settings → Notifications → Card Transactions → enable "All card transactions"
- ANZ: App → Settings → Notifications → toggle on transaction alerts
- Westpac: App → Settings → Notifications → Card Alerts → enable for all purchases
- NAB: App → Settings → Manage Alerts → turn on spending notifications
- ING: App → Settings → Push Notifications → enable transaction notifications
- Macquarie: App → Notifications → enable card transaction alerts
If your bank's app doesn't offer this, call them and request SMS alerts for every transaction. Most Australian banks will enable this on request.
Set a low threshold. Some banks let you set alerts only above a certain dollar amount — set it to $0 so you catch every transaction.
5. Lock or Freeze Individual Cards When Not in Use
Most Australian banking apps now let you instantly freeze and unfreeze specific cards — not your whole account, just a single card. If you're not planning to use a card for a period, freezing it takes 5 seconds and completely eliminates the risk for that card.
(Navigation paths are approximate — check your bank's help section if these don't match your current app version.)
- CommBank: App → Cards → select card → Lock card
- ANZ: App → Cards → Card Controls → Temporarily block
- Westpac: App → Cards → Lock / Unlock card
- NAB: App → Cards → Temporarily block card
This is especially useful for secondary cards, rarely-used credit cards, or any card you're not taking out that day.
6. Know What a Legitimate Bank Interaction Looks Like
Ghost Tap attacks rely on social engineering — making a fraudulent contact seem legitimate. Train yourself to recognise the red flags:
| If they say this… | It's a scam. |
|---|---|
| "Install this app from the link we've sent" | Banks never do this |
| "Tap your card against your phone to verify" | Banks never do this |
| "Stay on the line while you install the app" | Banks never do this |
| "We need your card PIN to confirm your identity" | Banks never do this |
| "Your account will be closed if you don't act now" | Classic pressure tactic |
What legitimate bank contact actually looks like:
- Your bank's app sends you a push notification to approve or deny a transaction
- They send you a secure message inside the banking app itself
- They call from a number you can verify via the bank's official website — and they will never mind if you hang up and call back
- They will never ask you to act under time pressure
If you're ever uncertain whether a contact is real, hang up and call the number on the back of your card. That number is always legitimate.
7. Check Your Statements Weekly — Not Monthly
Most people review their bank statements at the end of the month. Ghost Tap criminals count on this. Small fraudulent transactions ($20–$50) can slip past a monthly reviewer who assumes minor amounts are legitimate purchases they've forgotten about.
Set a calendar reminder to check your transaction history every Monday morning. It takes two minutes. Look for any transaction you don't recognise, however small.
If you spot something unfamiliar:
- Check your receipts and memory — sometimes it's a legitimate purchase you've forgotten
- If genuinely unfamiliar, call your bank's fraud line immediately
- Request a chargeback — Australian consumer protection law (through the ePayments Code) gives you strong rights to recover unauthorised contactless transactions
8. Be Particularly Alert in These Environments
Ghost Tap's passive scanning variant relies on physical proximity in crowded spaces. The following locations are highest risk based on reported incident patterns:
- International airports — high dwell time, distracted travellers, crowded queues
- Major shopping centre food courts — high density, easy for a criminal to loiter
- Public transport — trains, buses, trams where people stand in close proximity
- Large events — concerts, sporting events, festivals
- Hotel lobbies — particularly in cities with high tourist traffic
In these environments: cards stay in the shielded wallet, NFC on Android stays off, and your phone stays in your pocket or bag rather than your hand.
What to Do If You've Been Hit
Act fast. The ePayments Code requires Australian banks to investigate and resolve unauthorised transaction claims, but speed improves your outcome.
Step 1 — Freeze your card immediately
Use your banking app to freeze the card in question. Do not wait to call — freeze it first, then call.
Step 2 — Call your bank's fraud line
Use the number on the back of your card or your bank's official website. Tell them you have an unauthorised contactless transaction and suspect NFC relay fraud. Ask for a dispute to be lodged and a replacement card issued.
- CommBank fraud: 13 2221
- ANZ fraud: 13 13 14
- Westpac fraud: 132 032
- NAB fraud: 13 22 65
- ING fraud: 133 464
Step 3 — Report to Scamwatch
Go to scamwatch.gov.au and submit a report. This feeds into the ACCC's national fraud tracking — your report may help identify a pattern that protects others.
Step 4 — Report to IDCARE if personal data was involved
If you installed a malicious app or provided any personal information, contact IDCARE at idcare.org or call 1800 595 160. They are Australia's national identity and cyber support service and can help you assess what else may have been compromised.
Step 5 — Factory reset if you installed an app from a link
If you downloaded and installed an app via an SMS link, assume the device is compromised. Back up photos and essential data to cloud storage, then perform a full factory reset. Reinstall your banking apps fresh from the App Store or Play Store only.
Frequently Asked Questions
Can someone steal my card details just by walking past me?
For physical contactless cards — technically yes, within a few centimetres of range. NFC operates at very short distances, which is why crowded environments (queues, public transport, food courts) are the specific risk setting, not open streets. For Apple Pay and Google Pay on your phone, no — both require biometric authentication (Face ID, Touch ID, fingerprint) before a transaction can complete, so passive scanning of your phone yields nothing usable.
Does Ghost Tap work overseas, or only in Australia?
The attack is specifically designed to work across borders. The criminal capturing your card signal can be standing next to you in Sydney while their accomplice completes a purchase at a terminal in Bangkok, London, or anywhere with a contactless payment terminal. This cross-border structure is also why it's difficult for any single law enforcement agency to address — the crime spans multiple jurisdictions simultaneously.
Am I covered by my bank if this happens to me?
Under Australia's ePayments Code — administered by ASIC and subscribed to by most major Australian banks — you are generally not liable for unauthorised transactions where you have not contributed to the loss. "Contributing to the loss" means things like sharing your PIN, failing to report a lost card, or acting with extreme carelessness. A Ghost Tap attack where you did nothing wrong should qualify for reimbursement. However, you need to report it promptly, and your bank will investigate. Keep records of when you noticed the transaction and when you reported it. Source: ASIC, ePayments Code (last updated June 2022).
Does the contactless transaction limit protect me?
Partially. Australian banks set per-transaction limits above which a PIN is required — typically in the range of $100–$200 per tap, though this varies by bank and card. Ghost Tap criminals are well aware of these limits and deliberately structure transactions to stay below them. A single session of six $80 transactions is $480 in losses, with no individual tap triggering the PIN requirement. The limit reduces the ceiling on any single fraudulent tap but does not prevent the pattern of multiple small transactions that characterises this fraud.
Is the malware variant Android-only?
The malware campaigns documented by Group-IB (January 2026) and CERT Polska (November 2025) specifically target Android devices. Android allows installation of apps from outside the official Play Store (sideloading via APK files), which is the delivery mechanism for the Ghost Tap reader malware. Apple's iOS does not allow sideloading — all apps must come through the App Store and pass Apple's review. This makes the malware delivery variant significantly harder to execute on iPhone. iPhone users' main exposure is the passive proximity scanning of physical cards, not malware infection.
What if I don't have a contactless card — am I safe?
If your physical cards are chip-and-PIN only with no contactless capability, the passive proximity scanning variant cannot target them. However, most cards issued by Australian banks in recent years have contactless enabled by default. Check the back of your card for the contactless symbol (four curved lines). If present, the card is NFC-enabled. You can contact your bank to request a non-contactless replacement card if you prefer to eliminate this risk entirely, though this will mean chip-and-PIN or swipe for all transactions.
The Bottom Line
Ghost Tap is not a future risk. It is an active, commercialised, subscription-based fraud operation that has already caused millions in losses globally. Australia's world-leading adoption of contactless payment makes us a natural next target as these syndicates expand their mule networks and regional reach.
The good news is that the defences are straightforward and available right now:
- A quality RF blocking wallet eliminates the passive card scanning risk
- Keeping NFC off on Android when you're not paying removes the phone-based relay risk
- Knowing never to install an app from an SMS link eliminates the malware delivery risk
- Real-time transaction alerts and regular statement checks catch anything that gets through
None of these require technical expertise — just awareness that this threat exists and a decision to act on it before it arrives in your postcode.
Sources and Further Reading
- Group-IB: Ghost Tapped: Tracking the Rise of Chinese Tap-to-pay Android Malware (January 2026)
- Recorded Future / Insikt Group: Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem (August 2025)
- CERT Polska: Analysis of NGate Malware Campaign (NFC Relay) (November 2025)
- Finextra / Flagright: Detecting NFC Relay and Ghost Tap Attacks Using Metadata and Real-Time Rules (August 2025)
- EAST (European Association for Secure Transactions): Data Relay Attacks Increase in Europe (2025)
- Reserve Bank of Australia: Payments System Board Annual Report — The Evolving Retail Payments Landscape
- ACMA: Compliance and Enforcement Priorities 2025–26 — mobile number fraud
- ScamWatch (ACCC): scamwatch.gov.au
- IDCARE: idcare.org
Last updated: March 2026.