The customer was having trouble paying for the new phones she’d taken up to the counter. She was holding two phones, one to talk to someone on the other line, and one with multiple credit and debit cards loaded on the mobile wallet. When one card didn’t work, she tried a different card loaded on her phone, repeating this process over and over, but it wouldn’t go through.
Undeterred she selected yet another card on her phone, and success! The sale was complete.
Welcome to the world of “ghost tapping”, the latest scam that has broken the barrier between online shopping and the real world.
In this real-world case, the shop did not process the sale as it seemed a bit out of the ordinary. They instead issued a warning to all other stores via internal comms channels to be on the lookout. These kinds of transaction attempts however are becoming more commonplace, and it’s down to a new twist on the message scams we’ve all seen such as delayed courier packages or overdue tolls.
The cards the customer was trying weren’t hers. In fact, she probably has no idea whose cards they are. She may have half a dozen or more cards loaded on these devices and has been sent into the shop by someone offering “easy money for remote working” or similar. If she’s arrested, she will probably have little information as to who it is who hired her. In effect she’s a mule.
So how does it work?
The method is frighteningly simple. The victim clicks on a link in a message about late tolls or similar. They are presented with a “pay now” option that looks legitimate (because it probably is). They’re taken to a payment screen that lets them know they’ll receive a code to their device to authorise the payment: a well-known security feature utilised to reassure them it’s a real transaction.
But the code they receive isn’t to approve the payment, it’s to approve adding their card to a different mobile phone, and by entering the code they receive, they’re giving the scammer full access to that credit card.
The customer will see the “toll” payment go through and think great, that’s OK. Even if they realise it’s a scam they might think they’ve only lost a few dollars. They probably don’t realise that someone else now has access to their debit or credit card.
Those card details are loaded onto a device, given to a mule who is sent into a store to buy new phones (still in their packaging) which will then be sent out of country and sold to unsuspecting customers. Even if the store realises this sale is fraudulent and adds the phones to New Zealand’s block list, overseas networks may not be aware of the listing and accept them as legitimate devices on their networks.
This scam isn’t just limited to buying mobile phones– we’ve already seen cases of this kind of crime being attempted for other high-value items such as jewellery, designer accessories and so on. They’re much harder to track or block so once they’re out of the store that’s usually that. They’re gone.
Customers love the convenience of having credit and debit cards loaded on their mobile devices. It makes purchasing products and services so much easier and feels much more secure. You have a pin to access your phone, or perhaps a thumbprint or facial recognition. That makes it much more secure, right? It does, but that also lulls many into a false sense of security.
Before you give a third-party access to your account information you must be absolutely sure they are who they say they are, and that you’re agreeing to the thing you’re agreeing to. Entering your security code may feel like you’re doing the right thing but with ghost tapping, it’s the worst move you can make.
Protecting yourself from scams
Scammers may contact you by email, text, or phone, posing as legitimate businesses. They often imitate businesses you trust and use regularly, such as your bank, internet or telecommunications provider.
Being online is part of our daily lives as we work, bank, shop and stay connected with friends and family. Connectivity is making our lives easier, but there are risks. Don’t wait until you become the victim of cybercrime – protect yourself today.
Think before you click:
- Avoid clicking links in texts where possible
- Scammers want to rush you, stop and take a moment to check the sender address.
- If in doubt, contact the company directly and get them to check the person is really who they say they are.
Protect your personal information:
- Use a password manager to create long, strong and unique passwords
- Enable two-factor authentication and keep your software updated
Report suspicious activity:
- Report SMS messages to the DIA via 7726 for free
- Report phone scams to your telecommunications provider
- Report website scams to National Cyber Security Centre (NCSC)
If you have been targeted by a scam:
- Stop all contact with the scammer
- Do not make any more payments
- Contact the bank or service you sent money through
November 16-22 is New Zealand Fraud Awareness Week.
We’re encouraging all New Zealander’s to STOP, CHECK, REPORT.
- Take a moment to pause before clicking, sharing, or making any payments.
- If something feels off, trust your instincts. If you’re unsure, don’t share your money or personal information – pause and check first.
- Speak up to protect others. Report scams to your bank or payment provider if you’ve lost money, or report them to an agency for investigation.
Find out more about how to spot scams and where to report them on the Consumer Protection website.
