Can a scammer steal money from my card using tap-to-pay?
Contactless skimming is theoretically possible but extremely difficult in practice; the far greater risk is scammers obtaining your card details through other means and using them in online transactions.
Last reviewed: 10 June 2026
Explanation
Tap-to-pay (NFC contactless) cards transmit a one-time encrypted token to the reader — they do not broadcast your card number in plain text. To read the signal, an attacker would need a device very close to your card (within a few centimetres), and even then the token they capture is designed to be valid only for the merchant's reader it was generated for, making replay attacks against other merchants technically complex.
Most contactless transactions are also limited to small amounts without a PIN, and banks monitor tap-to-pay patterns for anomalies. Real-world contactless theft cases are rare relative to the volume of transactions processed globally each day.
By contrast, card-not-present fraud — where a scammer uses your card number, expiry, and CVV to make online purchases — is far more common and does not require physical proximity to you. Those details are typically obtained through phishing, data breaches at merchants, or card-skimming devices attached to ATMs and point-of-sale terminals.
If you are concerned, carrying your cards in an RFID-blocking sleeve provides peace of mind, though most security experts regard it as a low-priority measure compared to checking statements regularly, using virtual card numbers for online shopping, and enabling transaction alerts.
Common red flags
- Someone brushes close to you in a crowd and lingers near your bag or pocket
- An unusual or bulky attachment is visible on an ATM card slot or retail terminal
- Small unexplained charges appear on your statement
- Your bank sends an alert for a contactless transaction you didn't make
- You receive a card reader in the mail you didn't order
What to do now
- Enable real-time transaction alerts with your bank so you spot unauthorised charges instantly
- Review your statement at least weekly and dispute any charges you don't recognise
- Use virtual card numbers (offered by many banks and services) for online purchases
- If suspicious charges appear, cancel your card and request a replacement immediately
- Use an RFID-blocking sleeve if it gives you peace of mind, but do not rely on it as your only protection
- Cover your PIN when entering it at any terminal to guard against shoulder surfing
Frequently asked questions
Should I buy an RFID-blocking wallet?
It doesn't hurt, but it addresses a low-likelihood threat. More impactful steps are enabling transaction alerts and reviewing your statement regularly.
My tap-to-pay limit is small — can scammers still cause real damage?
Multiple small transactions can add up. More importantly, contactless skimming is not the primary fraud vector; online card-not-present fraud with your full card details is a bigger risk.