New NFC Phone Scam Survival Guide

A new type of phone call scam using Near-Field Communication (NFC) is sweeping across the US and Europe – including Spain – and your phone is firmly in the firing line. Hold your bank card close to your phone, and criminals can launch contactless attacks at point-of-sale terminals or even ATMs. Read on to find out what they do and how they do it so you don’t fall prey. 

Whether you’re tapping your bank app, paying for your lunch with your card, or scrolling through a WhatsApp message, criminals are finding frighteningly clever ways to rob you blind – and it all starts with a simple text.

A message from the police, your ‘bank,’ or from the ‘Spanish Inland Revenue’ (Hacienda)? It’s not what you think

It might seem like a routine security alert. A ping on your phone. A friendly message from your bank warning about a suspicious payment. You’re asked to call a number to resolve it.

But stop right there – this is the start of an elaborate and dangerous scam. And according to cyber experts, this one’s spreading fast.

These texts are often followed by a reassuring phone call with a reassuring on the other end of the line – posing as a helpful bank clerk, tech support engineer, Hacienda administrator, or even a police officer. They’ll calmly explain you’re at risk of fraud or under investigation. The fix? Just follow their instructions. Unfortunately, the only person committing fraud is the one on the line.

FBI: “Do not take or make these calls”

Make no mistake – every one of these calls is a scam. That’s not up for debate. The FBI has issued stark warnings in the US about this growing wave of impersonation fraud. ‘No tech support desk, bank, or law enforcement official will ever reach out to you for any of these reasons,’ says their advisory. If in doubt, find the organisation’s real contact details and reach out yourself. But never trust the number given in the message, or the call that follows. The Spanish tax office and law enforcement agencies have sent out similar messages in recent days following the wave of fraudulent Hacienda scams that follow a similar method. Spanish publication 20minutos recently reported fake bank employees ringing up unsuspecting customers, and banks like ING have already sent out emails to their customers warning them not to fall for this scam.

The new frontier: Contactless crime without contact

And now, just when we thought things couldn’t get worse, they have.

Cybersecurity firm Cleafy has flagged a chilling new twist to these scams. The latest attacks don’t just rely on charm and lies – they’re using Near-Field Communication (NFC) to go after your bank card as well.

Here’s how it works:

1. You receive a fake text claiming to be from your bank, warning of an outgoing payment.
2. You’re prompted to call a number to dispute it.
3. On the call, the scammer asks you to check your banking app, confirm your PIN… and here’s the twist – hold your bank card close to your phone.
4. This allows the attacker to read your card details using NFC.
5. Once they’ve got your data, they launch contactless attacks at point-of-sale terminals or even ATMs.

Let that sink in – they don’t need your card in their hand. They just need you on the phone.

Cleafy calls it “a significant new trend,” warning that it challenges traditional banks, payment institutions and card issuers alike. The combination of remote attacks and mobile NFC makes it dangerously scalable – and frighteningly effective.

No, it’s not just Google and Amazon delivery scams

While phishing texts about unpaid tolls or undelivered packages still clog up millions of inboxes, the impersonation scam is proving to be the real money-maker for cyber crooks.

This week, fake Google security emails made headlines – another attempt to lure victims into taking action. But experts agree the real risk is when you talk back.

‘These fraudsters do this for a living,’ warns Cleafy. ‘They are disturbingly good. No matter what excuse you give, they’ve heard it before.’

Trust your gut, not the message

You’ve probably heard the warnings before – don’t click on strange links. Don’t trust texts from unknown numbers. But now it’s even simpler: Don’t take the call. Don’t make the call.

If your bank, or the taxman, or whoever, really need to speak to you, they’ll never ask you to call a random number in a message. They’ll never ask for your PIN. And they’ll certainly never ask you to tap your card against your mobile phone.

Remember: when it comes to these scammers, the most powerful tool you have isn’t your antivirus software. It’s your common sense.

Stay sharp. Stay safe. And for goodness’ sake – don’t answer that call.

Read more news written for people living in Spain.

Get more original news and insights on technology and AI.