New Tap to Pay scam strikes; here's how to guard against it

A new Tap to Pay scam has been discovered in the U.S., with some culprits already arrested in at least two states.

According to the Knox County Sheriff’s office, 11 Chinese nationals have been arrested in relation to this.

If you use Tap to Pay, you must take steps urgently to protect yourself from the fraudsters, including the new European users of the service.

How the fraud works

Authorities say that the fraudsters use mobile devices with mobile wallets created through online phishing scams.

They send phishing messages that spoof the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are able to bypass the network because they are sent with Apple iMessage service and through RCS.

Once the message recipient enters their card information on any of the sites, they will be sent a purported one-time passcode.

When they provide the code, the scammers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

The culprits which are in China are said to rely on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

The phones are then sold in bulk to scammers on Telegram, each phone having 5-10 stolen wallets linked.

So far, they have used the wallets to buy tens of thousands of dollars worth of gift cards at local retailers.

How to protect yourself

To prevent falling victim to this novel scam, you should watch for any email in your email box claiming to be from the U.S. Postal Service or any other agency asking for car details.

Do not provide the card details that such messages are asking for, until you can verify that the email is coming from a genuine government agency and you need to respond.

If your credit or debit card is not compromised, you’ll be protected, so watch out for the information and avoid it.