Carding 2.0: The Rise of Mobile Wallet Fraud

Credit card fraud is evolving at an alarming pace. Cybercriminals, particularly from China, have found a new way to exploit stolen payment card data—by linking it to mobile wallets like Apple Pay and Google Pay. This emerging trend, known as carding, allows fraudsters to bypass traditional security measures, making it harder for financial institutions to detect and stop fraudulent transactions.
Instead of simply using stolen credit card numbers to make online purchases, criminals are now leveraging phishing attacks to gain access to victims’ card details and one-time passcodes (OTPs). With these credentials, they add stolen cards to mobile wallets, enabling seamless digital transactions.
This type of fraud is not only growing in the U.S., but is also spreading internationally. Spain has recently become a prime target, as cybercriminals exploit the country’s booming e-commerce industry.
How the Scam Works
Carding fraud typically begins with a phishing message sent via iMessage (for iPhone users) or RCS text (for Android users). The message appears to come from a trusted source, such as USPS, FedEx, or a toll road operator, claiming that the recipient has an unpaid fee. The goal is to create a sense of urgency, prompting the victim to act quickly without questioning the legitimacy of the request.
When the victim clicks the link in the message, they are taken to a fake payment page designed to look identical to an official site. This page asks for their credit or debit card details under the pretense of settling the supposed fee.
The real trick happens next: the fake website prompts the victim to enter a one-time passcode (OTP) that they receive via SMS or email. This passcode is supposedly for verification, but in reality, it is used to authorize the linking of their stolen card to a scammer’s mobile wallet. Once the card is successfully added to Apple Pay or Google Pay, the criminals can begin using it immediately, making purchases or selling the digital wallet on underground markets.
How Cybercriminals Cash Out
Once the stolen card information is linked to a mobile wallet, criminals have several ways to profit from it:
- Selling Preloaded Devices: Fraudsters sell smartphones that are preloaded with stolen digital wallets. These devices allow buyers to make tap-to-pay transactions with someone else’s money, bypassing traditional card security measures. Criminals often market these devices in private Telegram groups, dark web forums, and other underground marketplaces.
- "Ghost Tap" NFC Relay Fraud: A more advanced method involves using an NFC relay app known as "Ghost Tap." This technology allows scammers to remotely initiate tap-to-pay transactions from anywhere in the world. By relaying transaction data between a controlled device and a legitimate payment terminal, criminals make fraudulent purchases appear as normal transactions, often evading detection.
The Growing Scale of the Problem
Security researchers estimate that this form of digital wallet fraud accounts for approximately $15 billion in annual losses. The efficiency of the scam has also improved dramatically—what once took up to 90 days to complete now takes just one week from the initial card theft to the fraudulent transactions. This rapid turnaround makes it increasingly difficult for financial institutions and law enforcement agencies to detect and prevent fraud in time.
Recent Carding Problems in Spain
Spain has become one of the latest hotbeds for carding fraud, with cybercriminals increasingly targeting the country’s growing e-commerce industry. As online shopping gains popularity, both consumers and businesses are falling victim to sophisticated scams.
According to a Europol report, Spain is among the European countries experiencing significant growth in online fraud cases. In 2023 alone, over €1 billion was lost to credit card fraud across the continent, with Spain accounting for a significant share of these losses.
Carders in Spain typically follow a similar process to the mobile wallet scam but also engage in traditional carding tactics. They test stolen card details by making small online purchases to check if the card is still active. Once verified, they proceed to make larger, unauthorized transactions or sell the card details to other criminals.
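The test-then-spend pattern described above can be written as an issuer-side rule. The Python below is an added example, not from the original article; the sample transactions, tuple layout and thresholds (probe_max, ratio, window) are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data; layout and values are assumptions, not real records.
HISTORY = {"card-1": [42.0, 18.5, 60.0, 35.0], "card-2": [25.0, 30.0, 22.0]}
TXNS = [  # (card, timestamp, amount, merchant)
    ("card-1", "2025-04-01T08:00:00", 0.99, "shop-x"),
    ("card-1", "2025-04-01T08:07:00", 1.50, "shop-y"),
    ("card-1", "2025-04-01T09:30:00", 899.00, "electronics-z"),
    ("card-2", "2025-04-01T10:00:00", 3.20, "cafe"),
    ("card-2", "2025-04-01T18:00:00", 27.00, "grocer"),
]

def find_test_then_spend(txns, history, probe_max=5.0, ratio=5.0,
                         window=timedelta(hours=6)):
    """Flag cards where small 'probe' charges are followed by an outsized one."""
    by_card = {}
    for card, ts, amount, merchant in txns:
        by_card.setdefault(card, []).append(
            (datetime.fromisoformat(ts), amount, merchant))
    alerts = []
    for card, rows in by_card.items():
        rows.sort()  # chronological order per card
        # Typical spend for this cardholder; fall back to probe_max if unknown.
        typical = median(history.get(card, [probe_max]))
        probes = []
        for ts, amount, merchant in rows:
            # Forget probes that are older than the correlation window.
            probes = [p for p in probes if ts - p[0] <= window]
            if amount <= probe_max:
                probes.append((ts, amount, merchant))
            elif probes and amount >= ratio * typical:
                alerts.append({"card": card, "probes": len(probes),
                               "amount": amount, "merchant": merchant})
                probes = []
    return alerts

if __name__ == "__main__":
    for alert in find_test_then_spend(TXNS, HISTORY):
        print(alert)
```

A small charge on its own is normal cardholder behaviour, which is why the rule only fires when a probe is followed by a charge well above that card's usual spend.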
Popular e-commerce platforms, such as Amazon and other retailers that offer home delivery services, have become primary targets. Cybercriminals exploit weak security measures on these platforms to execute fraudulent transactions.
While banks and retailers in Spain are strengthening authentication measures to combat carding, consumer awareness and proactive security practices remain crucial in preventing fraud.
How to Protect Yourself from Mobile Wallet Fraud
As mobile payment fraud grows more sophisticated, consumers must be more vigilant than ever. Here are some key steps to protect yourself:
- Be skeptical of unsolicited payment requests: If you receive a message claiming you owe a toll or shipping fee, do not click the link. Instead, visit the official website of the service provider to check for any outstanding balances.
- Verify URLs carefully: Phishing websites often look nearly identical to legitimate ones but may have slight variations in their web addresses. Always double-check the URL before entering any payment information.
- Never share one-time passcodes (OTPs): A legitimate company will never ask for an OTP to verify a payment or add a card to a mobile wallet. If you receive an unexpected OTP request, it is likely a scam.
- Monitor your bank and credit card accounts: Regularly check your statements for any unusual or unauthorized transactions. If you notice anything suspicious, report it to your bank immediately.
- Enable multi-factor authentication (MFA) whenever possible, especially for online purchases and account logins. This adds an extra layer of security.
- Use prepaid or virtual credit cards for online transactions. These cards limit the risk of financial loss if details are compromised.
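- Ensure websites have secure connections before making purchases. Look for "https" in the URL to confirm the connection is encrypted. HTTPS alone does not prove a site is legitimate, since phishing pages use it too, so check the domain name as well.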
- Avoid shopping over public WiFi networks, which can expose your financial information to hackers.
Why Financial Institutions Must Evolve Their Security Measures
One of the main weaknesses exploited in these scams is the reliance on SMS-based OTPs. As long as financial institutions continue using SMS for authentication, cybercriminals will find ways to intercept or manipulate these codes.
To combat this growing threat, banks and payment providers should move away from SMS OTPs and instead implement:
- In-app authentication: Verifying transactions through an official banking or payment app provides an extra layer of security, making it harder for criminals to intercept codes.
- Biometric verification: Face ID or fingerprint authentication adds an additional hurdle for fraudsters trying to authorize mobile wallet transactions.
- Stronger fraud detection algorithms: Machine learning can help identify unusual spending patterns and flag potentially fraudulent transactions before they happen.
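As an added example (not from the original article or any vendor's product), the Python below scores wallet-provisioning events using signals taken from the scam flow described earlier: SMS OTP step-up, a device never seen for that cardholder, several cards loaded onto one device, and a first tap outside the cardholder's home country. The event fields, sample data and threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a real issuer schema.
PROVISIONS = [
    {"card": "A", "device": "d1", "auth": "in_app", "ts": "2025-03-01T09:00:00", "home": "US"},
    {"card": "B", "device": "d9", "auth": "sms_otp", "ts": "2025-03-02T14:00:00", "home": "US"},
    {"card": "C", "device": "d9", "auth": "sms_otp", "ts": "2025-03-02T14:20:00", "home": "ES"},
]
TAPS = [
    {"card": "A", "device": "d1", "ts": "2025-03-01T12:00:00", "country": "US"},
    {"card": "B", "device": "d9", "ts": "2025-03-02T14:45:00", "country": "SG"},
]
KNOWN_DEVICES = {"A": {"d1"}}  # devices each cardholder has used before

def parse(ts):
    return datetime.fromisoformat(ts)

def score_provision(p, provisions, taps, known, window=timedelta(hours=24)):
    """Return the list of risk reasons for one wallet-provisioning event."""
    reasons = []
    t0 = parse(p["ts"])
    if p["auth"] == "sms_otp":
        reasons.append("sms_otp_step_up")
    if p["device"] not in known.get(p["card"], set()):
        reasons.append("new_device")
    # Other cards loaded onto the same device close in time (assumed signal).
    others = {q["card"] for q in provisions
              if q["device"] == p["device"] and q["card"] != p["card"]
              and abs(parse(q["ts"]) - t0) <= window}
    if others:
        reasons.append("shared_device")
    # First tap soon after provisioning lands outside the home country.
    later = [t for t in taps if t["card"] == p["card"] and t["device"] == p["device"]
             and t0 <= parse(t["ts"]) <= t0 + window]
    if later and min(later, key=lambda t: parse(t["ts"]))["country"] != p["home"]:
        reasons.append("fast_foreign_tap")
    return reasons

def flag(provisions, taps, known, threshold=3):
    """Map card -> reasons for provisioning events at or above the threshold."""
    out = {}
    for p in provisions:
        r = score_provision(p, provisions, taps, known)
        if len(r) >= threshold:
            out[p["card"]] = r
    return out
```

Card C is flagged before any purchase is made, which matters given the short time the article describes between card theft and fraudulent spending.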
The rise of mobile wallet fraud marks a new chapter in the ongoing battle against cybercrime. From phishing scams to Ghost Tap technology, cybercriminals are constantly refining their tactics to exploit digital payment systems. The recent surge in carding fraud in Spain highlights the growing global reach of this issue.
As fraudsters continue to adapt, both consumers and financial institutions must take proactive steps to mitigate risk. By staying informed, practicing caution with unsolicited messages, and pushing for stronger security measures, we can work to reduce the impact of digital payment fraud worldwide.
But vigilance isn’t just important for individuals—it’s crucial for businesses too.
Are your employees safeguarding company credit cards? Are they following cybersecurity best practices? Do you have the right checks and balances in place to protect against fraudulent transactions?
Contact Proper Sky today to evaluate your company’s cyber health and receive personalized recommendations on how to better protect your business.