A fast-growing form of payment fraud is costing banks and retailers dearly, and most shoppers have never heard of it. Sophisticated criminal networks, which investigators say are often run out of or linked to China, are exploiting mobile "tap-to-pay" wallets to make unauthorized purchases at scale. CNBC, drawing on law-enforcement and industry sources, estimates the schemes generate roughly $1 billion a year. Boursel describes these as criminal networks, not a nationality; the point is how the fraud works and why it is hard to catch.
How the scam works
The fraud unfolds in stages. It usually starts with phishing, a text or email designed to look official, warning of an unpaid toll or a delivery problem, that lures victims into entering their card details and the one-time security code their bank sends. Once criminals have those, they do something new: they load the stolen card into a mobile wallet like Apple Pay or Google Pay on a phone they control. To the payment system, that phone now looks like a legitimate way to spend the victim's money.
The next step uses the "tap" technology built into modern phones and cards, the short-range wireless signal that lets you pay by holding a device near a terminal. Using relay tools that security researchers have nicknamed "ghost tap," fraudsters can route a stolen card's payment through to a checkout terminal even when the real card and its owner are nowhere nearby, as documented by threat-intelligence firms such as Recorded Future. A network of low-level "money mules" then makes the actual purchases, often gift cards or easily resold goods, sometimes coached in real time through an earpiece. The merchandise is resold for cash.
Why it is so hard to stop
The weak point is the moment a card is first added to a phone wallet, a step called provisioning. As payment analysts have noted, the digital signals from a careful, privacy-minded real customer, using a new phone, logging in from an unfamiliar place, can look almost identical to those of a fraudster doing the same thing. Once a stolen card slips through that step, the wallet generates a legitimate-looking digital token, and subsequent purchases sail through as if genuine. That can leave a gap of days before anyone notices, by which point the money is gone and the goods resold.
The fraud is also hard to see at the checkout counter. Unlike shoplifting, there is no one stuffing merchandise into a bag; a "customer" simply taps a phone and pays, exactly like everyone else. The theft has already happened, invisibly, in the data.
What banks and retailers are doing
The industry is adapting. Card networks and banks are adding friction where it hurts the fraud most: limits on how many contactless taps can run before a PIN is required, caps on rapid consecutive transactions, and app settings that let customers switch contactless payments off entirely. Payment networks are also leaning on AI-driven fraud detection that pools data across merchants, banks and card systems to flag suspicious provisioning and spending patterns faster.
Law enforcement is pursuing the rings directly. US Homeland Security investigators have run operations targeting the gift-card and organized-retail-crime side of the trade, with dozens of arrests tied to these networks, according to CNBC.
Why it matters
For banks and retailers, this is a rising cost of doing business that ultimately feeds into fees and prices everyone pays, and a test of how well the convenience of tap-to-pay can be secured. For consumers, the practical takeaways are simple: treat unexpected texts asking for card details or codes with suspicion, since banks do not ask that way, and use the controls your banking app offers. The broader lesson is that as payments have moved onto phones, fraud has followed, becoming quieter, faster and more industrialized. Boursel does not offer investment advice.



