WASHINGTON, D.C. — The Federal Bureau of Investigation (FBI) has issued a nationwide alert warning that NFC (Near-Field Communication) and contactless card cloning attacks have surged dramatically in 2025. Criminals are exploiting both hardware-based and software-based vulnerabilities in tap-to-pay systems, making contactless fraud one of the fastest-growing forms of financial crime in the United States.
This announcement follows a series of FBI Internet Crime Complaint Center (IC3) reports showing that stolen tap-to-pay credentials have more than tripled in the past 24 months. The agency notes that criminals are now using advanced wireless skimmers, AI-enhanced card testing scripts, and fraudulent merchant terminals to capture card information from close range.
These findings directly connect to CFRB’s education guide, “Credit & Debit Card Fraud in 2025–2026: How Criminals Steal Your Card Data & How to Protect Yourself.”
🔥 Contactless Card Fraud Growing Faster Than Traditional Skimming
According to the FBI’s early-2025 Consumer Fraud Brief:
- NFC/contactless theft is up more than 300% since 2022
- Millennials (24–44) report nearly double the victim rate of older adults
- Criminals increasingly use portable wireless readers in crowded locations
- Tap-to-pay fraud now accounts for over 22% of card-present crime
The FBI warns that criminals no longer require physical skimmers. Many now operate wireless digital skimmers that:
- Read NFC signals when a card or phone is near
- Intercept partial encryption packets
- Capture wallet metadata
- Trigger unauthorized “microtransactions”
- Clone digital wallet tokens for testing
While NFC encryption is strong, criminals exploit:
- Buggy merchant terminals
- Fake tap-to-pay readers
- Exposed fallback protocols
- Compromised store kiosks
This makes tap-to-pay the newest frontier in card fraud.
🧲 How Criminals Steal Contactless Card Data in 2025
The FBI highlights several techniques:
✔ 1. Wireless Skimmer Pucks
Small round devices hidden under countertops or near payment terminals.
They capture partial NFC data when a customer taps.
✔ 2. Rogue Mobile Terminals
Criminals use off-the-shelf handheld POS devices disguised as:
- Delivery scanners
- Inventory devices
- Staff terminals
These devices can charge small amounts without user consent.
✔ 3. Transit & Event Crowd Scanning
Criminals walk near victims, scanning for wireless wallet signals, in:
- Airports
- Concerts
- Subways
- Shopping malls
✔ 4. Fake Digital Wallet “Push Payment” Requests
Victims receive fraudulent pop-ups requesting:
- “Tap to verify identity”
- “Tap to reconnect payment method”
Criminals trigger these requests from compromised merchant apps.
✔ 5. Deepfake Merchant Terminals
Terminals cloned to appear legitimate while forwarding data to a rogue server.
🎯 Why Millennials Are the #1 Target
The FBI lists several reasons:
✔ High adoption of tap-to-pay
Millennials use contactless transactions 3× more than Boomers.
✔ Heavy smartphone wallet use
Apple Pay, Google Pay, and Samsung Wallet usage is highest among this group.
✔ Constant travel & public mobility
More time spent in airports, cafes, coworking spaces, concerts, gyms, and public transit.
✔ Frequent e-commerce and app payments
Higher exposure to fraudulent merchant apps.
✔ Digital lifestyle = high convenience habits
Scammers rely on the assumption that millennials tap quickly without inspecting devices.
The FBI calls millennials “the perfect demographic for NFC-based exploitation.”
🏦 Banks Confirm a Spike in Tap-to-Pay Fraud Claims
Several major U.S. banks — including Chase, Bank of America, Wells Fargo, and Capital One — report that:
- Tap-to-pay fraud claims increased over 150% in the past 12 months
- Many victims never removed their card from their wallet
- Fraud often begins with $1–$4 “micro-transactions”
- Criminals test stolen contactless cards using vending machines and unattended kiosks
- Some cloned tokens bypass standard fraud filters
Banks warn that because these transactions appear card-present, they are sometimes harder to dispute.
🛠 DOJ Warns Contactless Fraud Rings Are Now Operating Like Organized Cyber Groups
A recent DOJ cybercrime task force report revealed that:
- Contactless fraud rings operate across multiple states simultaneously
- Stolen data is shared through encrypted messaging channels
- AI bots test card tokens using automated scripts
- Teams specialize in installing wireless skimmers at popular retail chains
- Counterfeit terminals are ordered through overseas suppliers
The DOJ warns:
“Tap-to-pay fraud is evolving from isolated incidents to organized digital crime, often involving coordinated teams and imported technology.”
🧪 NFC Cloning: What Criminals Actually Get
CFRB’s analysis explains that criminals do not normally get full card numbers from contactless theft.
However, they can capture:
- Partial token data
- Card issuer metadata
- Wallet-specific identifiers
- Expiration date range
- Transaction counters
- Unique device signatures
- Certain fallback elements used in older readers
With the help of AI, criminals can:
- Test which portions are usable
- Reconstruct partial token streams
- Trigger fraudulent tap events
- Run microcharges to test card validity
- Sell the data on fraud markets
🔐 How to Protect Yourself From Contactless Card Fraud
Federal agencies recommend:
✔ Use a digital wallet instead of a physical card
Digital wallet tokens rotate and cannot be cloned easily.
✔ Keep “tap-to-pay” turned off when traveling or in crowds
Turn it on only when needed.
✔ Enable instant transaction alerts
Your bank should notify you of every tap event.
✔ Review microcharges
Watch for $1 or $2 transactions — early-warning signs.
✔ Use RFID-blocking wallets
These block unauthorized wireless reads.
✔ Inspect terminals before tapping
Avoid devices that look bulky, loose, or altered.
✔ Avoid tapping on kiosks with no security seals
Especially:
- Gas pumps
- Ticket machines
- Vending kiosks
- Outdoor payment stations
📌 Final Takeaway
The FBI warns that contactless card cloning and NFC-based attacks will continue to escalate in 2025, driven by organized crime groups and advanced wireless skimming technology.
Consumers who rely heavily on tap-to-pay systems must take additional precautions to reduce their exposure.
For complete safety guidance, see CFRB’s educational article, “Credit & Debit Card Fraud in 2025–2026: How Criminals Steal Your Card Data & How to Protect Yourself.”