Relay fraud — a category of schemes that abuse the near-field communication (NFC) technology that enables tap-to-pay — is having a resurgence this Spring, according to Visa’s latest biannual threat report.
The report, which was released Thursday, details the extent of the damage that traditional payments fraud, such as digital card skimming, are inflicting on merchants and their banks, as well as some of the novel fraud methods criminals are wielding, like NFC relays.
Between July and December 2024, Visa’s Payment Ecosystem Risk and Control (PERC) team detected and blocked 134.3 million presumed-fraudulent transactions via pre-emptive, targeted declines, according to the report. These blocks represented 76% of the incidents the payment network detected.
Visa also said in the report it disrupted hundreds of millions of dollars in enumeration attacks — automated “guessing” of card numbers, CVVs and expirations. Without citing the absolute figure, Visa said suspected enumeration attacks were up 22% from the prior six-month period.
The threat report and Visa’s efforts to fight the financial crimes disclosed are part of keeping the company’s payments ecosystem clean, according to Visa’s chief risk officer, Paul Fabara — a potential selling point to acquiring and issuing banks.
“We don’t bear the losses of the transaction,” Fabara said about scam and fraud payments in an interview with American Banker. “But, we have a responsibility to have a safe ecosystem.”
Digital skimming and enumeration still matter
Visa’s report indicates that tried and true methods of committing payment fraud — enumeration, digital skimming, social engineering and others — remain considerable threats to the payments ecosystem.
Digital skimming is a primary example. This scheme involves an attacker injecting malicious JavaScript into e-commerce checkout pages to harvest card data and personally identifiable information (PII) as customers type it in. Stolen data is then sent to attacker-controlled servers.
Over the past six months Visa’s eCommerce Threat Disruption practice, which scans webpages of e-commerce merchants for this malware, identified a 7% increase in merchant websites infected with skimming code. North America accounted for 51% of those detections, with Europe the next-most-targeted region at 35%.
As for recommendations, Visa said that banks, merchants and other ecosystem entities should consider ensuring all the software programs they utilize are updated to the latest software version, especially by deploying security patches. This is especially important on merchant websites that import JavaScript libraries that attackers can infect with skimmers.
The card network also recommends enhancing customer authentication processes by requiring multi-factor authentication (MFA) and biometric verification during payment processes and to prevent unauthorized access to customer accounts, though these methods could be less effective against some of the more advanced schemes that attackers are using.
Rising NFC relay fraud
In Spring 2025, Visa PERC flagged an increase in relay fraud.
In a typical relay fraud attack, a victim receives a phishing text or call, purportedly from their bank. They are then coerced into installing a malicious “banking” app that embeds code related to NFCGate, an open-source tool for capturing, analyzing and modifying NFC traffic.
When the victim taps their physical card to their phone to supposedly verify identity, the malware relays the card’s NFC data to the fraudster’s device. The attacker then uses that data to make contactless purchases or ATM withdrawals elsewhere.
“This new threat stands out from previous ones not so much due to the sophistication of the malware itself, but rather in terms of the fraud mechanism that relies on a novel technique associated with the NFC,” Cleafy’s report reads.
While the specific SuperCard X malware is novel, it shares many similarities with previous NFC relay fraud schemes, including