Ghost Tapping Explained: How to Protect Yourself from Digital Pickpocketing

Spring is here, and with it come fairs, festivals, and soon, summer vacations — all those present opportunities to see and do new things. There's one new thing that's not so pleasant, and you may not even know it's happened for days or weeks afterward.

Public gatherings are the perfect settings for a growing cybercrime called ghost tapping. This form of thievery steals your debit or credit card information while you shop or browse. Shlomi Beer, co-founder and CEO of ImpersonAlly, calls this crime “pickpocketing in the digital era.”

This digital pickpocketing occurs when a thief approaches or bumps into you with a device that remotely captures your card information. However, it can also occur when fraudulent vendors use altered payment terminals to overcharge or make additional unauthorized transactions on your card.

Perpetrators use portable card readers or smartphones with payment apps to access tap-to-pay debit or credit cards, or mobile wallets. Proximity is the key: four inches or less. Within that distance, a crook can initiate a transaction or relay your information to a cohort in less than three seconds.

Often, a criminal will bump you slightly as they access the transaction, Robert Siciliano, CEO of ProtectNow, LLC. told SafeWise.

“It's not a very difficult process,” Siciliano said. “It is essentially when a criminal uses a card reader to tap your pocket, wallet, purse, and so forth from a small distance. It happens pretty instantly without you ever taking your card out of your wallet or your bag or handing it to anyone.

“They literally need to like bump into you, you know, they'd have to be right on top of you,” Siciliano explained. “This is one of those ’excuse me’ moments that you think, well, we're just in a crowded space, and somebody happened to bump into me, but it's actually just like an old pickpocket bumping into you and slipping their hand in your pocket and pulling your wallet out.”

The earliest accounts of ghost tapping originated among criminal groups in Singapore and the Czech Republic, using Near Field Communication (NFC) devices.

“What’s changed recently is how easy it is to get those apps,” Beer noted. “They’re being passed around in Telegram groups, fake app stores, and include instructions, videos, the whole playbook. So it’s not just highly technical actors anymore.”

One vendor selling altered terminals has made “at least $355,000 in illegal transactions from November 2024 through August 2025,” according to cyber security company Group-IB.

“It doesn’t necessarily need to be an organized operation,” Siciliano said, “due to the fact that one person, solo, at a concert, could make several thousand dollars without having to split up their booty. But, organized crime being involved, can rack up six figures in a very short period of time.”

The success of ghost tapping groups requires precise coordination, according to Hasnain Bajwa, Senior Vice President of risk solutions at Seon, a fraud prevention platform.

“This is one of those things where it sounds really dangerous and problematic,” Bajwa told SafeWise. “It really requires some level of sophistication, because when you’re doing the attack, you have to have a relay setup on an Android device for the person causing the triggering event.”

Teams of ghost tappers usually consist of individuals who access your credit cards and relay the information to an accomplice who makes unauthorized transactions.

“The most common scenario is that someone has set up an app on a phone that allows the credentials to be fished from the victims,” Bajwa said. “So essentially, you’re getting the contact card information, and then the relay goes to a (digital) wallet farm where they’re just doing transactions.”

Another tactic the bad guys use is setting up fake accounts, according to Siciliano.

“What they (criminals) do is they set up a merchant account, and the merchant account isn’t flagged for those (smaller) $25, $50, $75 charges,” Siciliano said. “At that point, it’s a volume business. Getting 20 people at 40 bucks a day gives them a little leeway. But, over time, as those charges are being disputed, that (fake) merchant and their status and the chargebacks are called into question.”

That is when the thieves up the ante.

“Then, they start hitting the cards up at $500, $600, $800 a pop, because they know it’s just a matter of days or weeks before they’re shut down,” Siciliano said.

Credit China reported in January 2025 that two victims lost at least $13,000 to ghost tappers, according to Group-IB. 

A Better Business Bureau (BBB) ghost tapping alert highlights another variety of the scam.

This form of the crime involves a fraudster posing as a merchant at a flea market or fair and charging your card more than the purchase amount using an altered card terminal. Often, these crooks employ distraction or try to rush payments. 

An even more brazen method involves the criminal posing as a charity representative. The BBB’s Scam Tracker details how one such scammer operates:

“An individual is going door to door in [location redacted] claiming to be selling chocolate on behalf of [redacted] to support special needs students,” according to one report. “He says that he can only accept tap-to-pay to get people to pay with a card. He then charges large amounts to the card without the cardholder being able to see the amount. He got my mother for $537 ... Another victim for $1100 ... He changes neighborhoods frequently to avoid getting caught.” 

The first group arrest in the United States occurred last year, according to a March 2025 announcement by Knox County, Tennessee, Sheriff’s Office. The department reported  11 arrests.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” the sheriff’s department reported. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

It's difficult to determine exactly how rapidly ghost tapping is rising, according to Bajwa, because law enforcement agencies have not established a specific category to distinguish it from other cybercrimes. However, some news outlets report the crime has “surged 150 percent during the past year.” 

SafeWise’s 2026 State of Safety Survey found that 27% of respondents experienced cybercrime last year. Based on government and consumer groups, ghost tapping was a significant part of those crimes.

Vigilance is the key to combating ghost tapping, according to Siciliano.

“Nine out of 10 consumers aren’t really paying attention to their card charges,” says Siciliano.  “People who aren’t paying attention to their charges are just blissfully ignorant that this is happening to them, and they’re paying for the lifestyle of an identity thief, which is so unnecessary.”

The good news is that blocking or reversing ghost-tapping transactions is simple, inexpensive, or free.

“If a person is concerned about going into crowded spaces and is worried there is going to be some sort of proximity attack, obviously, they could use a Faraday card case or something that prevents them from being scanned,” advises Bajwa.

Faraday cases are often called RFID (radio-frequency identification) sleeves or wallets. They're typically metal-lined pouches that block electromagnetic signals from passing between your credit/debit cards and a scanning device.

RFID sleeves and wallets can be purchased online or at major retailers for under $10. Some financial institutions may offer free RFID wallets. 

Siciliano guards against ghost tapping by setting up notifications with his bank and credit card companies.

“I have push notifications, which means I get an email, a text message, and/or a pop-up with every single charge in real time,” says Siciliano. “ I’m constantly getting notifications, and I pay attention to those notifications, because it’s my financial life.”

You can set a notification on a financial institution’s website or by calling their customer service department, according to Siciliano. 

Another strategy is to regularly review bank and credit card transactions daily.

You need to challenge debit card charges within two business days of the transaction to limit a loss to a maximum of $50, according to the Federal Trade Commission. 

You generally need to report credit card fraud within 60 days of the statement under the Fair Credit Billing Act.

Bajwa advises using common sense when dealing with vendor transactions, whether in person or online.

“People should avoid tapping their card or visiting a site that asks you to tap your card unless it is in conjunction with something you really trust,” he said.

“I always say, don’t worry about these things,” said Siciliano, ”but definitely do something about it. Pay close attention to your statements and refute any unauthorized charges in real time.”