Android users face a new scam: Hackers can withdraw money from ATMs without a card.
A new scam called NGate is causing concern among cybersecurity experts as it allows criminals to withdraw money from ATMs without a physical card.
Cybercriminals are becoming increasingly sophisticated, finding ways to withdraw money from victims' credit or debit cards without physically accessing the cards. Instead, they target Android phones, devices that users trust for everyday payment transactions.
This scam is called NGate, named after Near Field Communication (NFC) technology, which allows users to tap their card or phone against a payment terminal to make a payment. Exploiting this very mechanism, fraudsters steal card data and use it to withdraw cash from ATMs.

Although Android is equipped with multiple layers of security to protect users from scams, NGate doesn't attack through technical vulnerabilities but relies on psychological manipulation. If users lower their guard and follow the instructions, all the protective barriers can be neutralized.
How the NGate scam works
The scam typically begins with a fake text message or email impersonating the bank. The notification usually sounds urgent, such as a security breach warning, unusual account activity, or a request for urgent verification to avoid account suspension.
The message will contain a link to download the app, but the noteworthy point is that this link does not lead to Google Play or any official app store. This is an important warning sign that many users overlook due to anxiety.
After the victim downloads and installs the app, the scammer often continues to call directly, posing as a bank employee, and also sends confirmation messages to create the illusion of a "proper" process. The combination of messages, calls, and an app interface bearing the bank's logo leads many to believe they are dealing with a legitimate organization.
Next, the app prompts the user to verify payment information. The victim is instructed to place their credit or debit card on the back of the phone and enter a PIN, similar to the tap action for contactless payment. At this moment, the card data is transmitted via NFC and sent directly to the fraudster waiting near an ATM.
With that information, criminals can withdraw cash almost immediately, while the victim remains completely unaware until money is deducted from their account.
The scary thing about NGate is that it looks so legitimate. From the bank logo and the language used to the multi-step verification process, everything makes users believe they are going through a normal security procedure.
Unlike traditional scams that request information via forms or fake links, NGate exploits NFC, a technology considered safe and familiar. This makes victims even less suspicious.
How to protect yourself from NGate scams.
Understanding Android's security features is a crucial first step in mitigating risk. The operating system has integrated numerous phishing detection tools, including the ability to scan suspicious calls and messages to alert you to financial fraud.
However, the key factor still lies in the user's caution:
Never click on app download links sent via SMS or email, especially when they involve finances.
- Only install apps from Google Play or official app stores.
- If you receive an urgent notification from the "bank," please call the official hotline number provided on the bank's website yourself; do not use the phone number in the text message.
- Never provide your card information, PIN, or perform any card tapping actions as requested by third parties.
- If you receive a call from someone claiming to be a bank employee, you should hang up and call back through the official channel to verify their identity.
NGate serves as a stark reminder that even convenient technologies like NFC can become tools for cybercriminals if users are not vigilant. By calmly verifying information and adhering to basic security principles, you can avoid becoming a victim of one of the most sophisticated ATM scams today.


