Is Tapping Your Card Actually Safe? What NFC Fraud Really Looks Like in 2026
There's a persistent fear about contactless payments that goes something like this: someone brushes past you in a crowded subway car with a hidden card reader in their bag, and seconds later, your card has been silently charged. It makes for a good cautionary tale. It's also almost never how contactless fraud actually happens.
The real risks are less cinematic, but they're genuinely worth understanding — because contactless fraud is rising fast, and the methods behind it have gotten a lot more sophisticated than "reader in a crowd."
Why the "Reader in Your Pocket" Fear Is Mostly Overblown
NFC, the technology behind tap-to-pay, only works at extremely short range — a couple of centimeters in practice, not the meter-plus range needed to skim a card through a bag while walking past someone. Payment terminals also require a live, authenticated connection to a card network to process a charge; a rogue reader in someone's backpack has no path to actually move money out of your account, even if it briefly reads your card's basic data. Most banks also cap how much a single contactless tap can process without a PIN — commonly somewhere in the €50 to £100 range across Europe, with U.S. issuers typically setting their own limits between $100 and $250 per tap. Pulling off a walk-by skim that actually results in stolen money, in practice, is far harder than the myth suggests.
That doesn't mean contactless payments are risk-free. It means the real risk sits somewhere else entirely.
Where the Actual Money Is Getting Stolen
Losing the physical card is still the simplest path to fraud. A lost or stolen contactless card can be tapped for purchases under the no-PIN limit without any technical trickery at all — no malware, no hacking, just someone using a card that isn't theirs before you get the chance to freeze it. This is exactly why banks urge people to lock or cancel a card immediately, rather than waiting to see if it turns up.
Social engineering has become the more advanced version of the same idea, and it's genuinely growing fast. Kaspersky reported that NFC-based attacks aimed at draining victims' accounts through Android phones jumped 188% globally in the first four months of 2026 compared to the same period a year earlier — and while the trend started heavily concentrated in Russia, researchers have tracked the same techniques spreading into Latin America and Europe.
Here's how the scam typically plays out. A fraudster calls or messages a target pretending to be from their bank, warning about suspicious activity and offering to "verify" their card for safety. The victim is talked into installing an app — usually disguised as a banking security tool, a system update, or even a familiar consumer app — and then instructed to tap their physical card against their own phone. What looks like an identity check is actually the malicious app capturing the card's payment data live and relaying it, in real time, to a device the attacker controls elsewhere. There's a mirror-image version of this trick, too: instead of relaying a real card's data, the scammer convinces the victim to add stolen card details to their own phone's wallet and unknowingly hands that infected device over to be used, in person, for fraudulent taps at real stores.
The most organized version of this fraud has scaled into something closer to an actual criminal industry. Researchers at Group-IB have been tracking an operation they call Ghost Tap (also known as TX-NFC): a fraud-as-a-service network, believed to be based in Chinese-language cybercrime circles, that packages up stolen card data, loads it onto a network of Android phones, and relays it through NFC to "money mules" who physically walk into stores around the world and make purchases — all without the card or its actual owner ever leaving their home country. Group-IB documented over $355,000 in fraudulent transactions from a single point-of-sale vendor alone between late 2024 and mid-2025, and researchers say the true scale across all the criminal groups using this method is almost certainly far higher. A related strain of relay malware, first spotted in the Czech Republic and Italy under names like SuperCard X and RatOn, has since turned up in fraud cases as far apart as Brazil and Russia — a sign of just how quickly these toolkits get copied and resold once they prove they work.
The common thread across all of these isn't a flaw in the NFC chip itself. It's that attackers have realized it's far easier to trick a person into cooperating than to break the underlying technology.
Card or Phone: Which One Is Actually Safer?
This is where the comparison tends to surprise people. A physical contactless card, on its own, has essentially no way to verify that the person tapping it is actually its owner. Lose it, and whoever picks it up can use it right away, up to the no-PIN limit, for as many taps as it takes before you notice and cancel it.
A phone-based wallet — Apple Pay, Google Pay, Samsung Pay, and similar — works differently by design. Adding a card requires unlocking the phone in the first place, and every single payment then requires a face scan, fingerprint, or passcode at the moment of the tap. That's precisely why mobile wallets are typically allowed to process contactless payments with no fixed cap at all, even where physical cards are capped — the biometric check standing in for the PIN each and every time makes a lost or stolen phone dramatically harder to exploit for payments than a lost card.
The catch is that this protection only holds if the phone itself hasn't already been compromised by malware, which is exactly the loophole the relay-attack schemes above are built to exploit. A well-secured phone is safer than a card. A phone with a malicious app quietly running in the background is arguably worse, because it can be manipulated remotely without ever leaving the victim's hand.
What Actually Helps
A short list of habits closes most of the real gaps described above, and none of it is complicated:
Turn on transaction notifications for every card and wallet you use, so a fraudulent charge shows up on your phone within seconds instead of days later on a statement. Set spending limits or per-tap caps through your banking app wherever your bank allows it. Never install an app, and never tap your card to your phone, because someone who contacted you first told you to — a legitimate bank will never ask a customer to do that as a "verification" step. Keep your phone's operating system and banking apps updated, since patched phones are considerably harder for this kind of malware to infect. And if a card is lost, stolen, or even just briefly out of your sight somewhere you didn't expect, freeze or cancel it immediately through your bank's app rather than waiting to see if anything unusual shows up.
If you do spot a suspicious transaction, the sequence that actually limits the damage is: freeze the card immediately through your banking app, contact your bank's fraud team directly using the number on the back of the card (not a number given to you by whoever contacted you), and formally dispute the charge — most card networks offer fraud protection that reimburses unauthorized transactions, provided you report them promptly.
The Bigger Picture
None of this means contactless payments are secretly dangerous — they remain, by most measures, one of the safer and more convenient ways to pay day to day, and the No-PIN limits built into the system exist precisely to cap how much damage a single lost card or intercepted tap can do. What's changed is where the real threat sits. It was never really about a hidden reader brushing past you on a train. It's about a phone call that sounds official, an app that looks legitimate, and a moment of trust that a well-run scam is specifically engineered to earn. The technology holds up. The habit worth building is treating any unsolicited request to "verify your card" — by phone, text, or app — as a red flag first and a real request second.