The way money moves in the 2020s is very different from how it moved as recently as a decade ago. Tap-and-pay shopping has swept across the U.S., and the wider world, with ease, and it has undoubtedly made life easier for both vendors and consumers. In a society that demands convenience in everything we do, a contactless form of payment was one that we were quick to adopt.
But, just as with any positive innovation in modern society, a seedy underbelly exists in the contactless world. Several scammers see the digital nature of this form of payment as an opportunity to exploit less technologically-inclined consumers. Arguably the most alarming of any of the methods used to scam innocent people out of their money are skimmer and shimmer devices.
In this comprehensive guide, we’re going to provide you with an insight into how credit card skimmers and shimmers work, the signs to watch for, how to protect yourself against them, and what to do if you become the victim of an attack.
An Introduction to Skimmers and Shimmers
First, let’s look at exactly what skimmers and shimmers are and how scammers use these devices to target unsuspecting victims. By better understanding what they are, you’ll be best positioned to identify and protect against them.
What Is a Credit Card Skimmer?
Skimmers are tiny machines that are placed inside card readers (usually ATMs, owing to their size), which are able to harvest the data from any debit or credit cards that are inserted. After the machine has been allowed to run for a while, the scammer will remove it – in the process, gaining access to all the personal data that it has stripped.
Opening an ATM tends to be very difficult, so scammers will often place the skimmer itself over the legitimate card reader. In extreme circumstances, they’ll even hide a small camera on the device in order to capture people entering their PIN. In lieu of a camera, other scammers may place a fake PIN pad over the real one to store the numerical code.
It’s ironic that in an age of digital and contactless payments, something as archaic as a fake electronic device is a powerful-enough tool to catch so many people unaware.
What Is a Credit Card Shimmer?
A shimmer is in essence the evolved form of a skimmer. They are tiny devices that operate in much the same way – stealing data when a card is inserted into a reader – but focus their attack on a different section of the credit card.
Shimmers read the EMV (Europay, Mastercard, Visa) chip on your card, and the data they capture can then be uploaded to a blank card. In essence, your original card is cloned and the clone is then used by the scammer.
What Is the Difference Between a Skimmer and a Shimmer?
In reality, skimmers and shimmers are as similar as their names suggest. There’s very little difference between the 2, but the easiest way to understand it is that a shimmer is effectively an evolved version of a skimmer.
Skimmers were designed to read and crack the card verification value (CVV) technology that is used by magstripe cards. These magstripe cards use static data that never changes. This makes it a lot easier for a scammer to target and then use the payment information contained in these cards.
CVV3-enabled chip cards are a lot harder to pin down. They use constantly evolving data, which can’t be copied as it will almost instantly become outdated. With more credit card suppliers turning to this form of tech, scammers had to become craftier. Shimmers were invented to capture both the EMV chip and magstripe data of a card.
But if the EMV data constantly changes, how do scammers manage to clone cards?
Well, the nature of shimmers means that they’re able to scan both static and non-static data. This data can be uploaded to a blank card which, when used to make a contactless payment, will initially show a chip reader error. The criminal is then asked to insert the card, using the magstripe. Because the static magstripe is still accurate, the payment goes through without alerting the EMV verification methods to a potentially fraudulent transaction.
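The fallback pattern described above is something a card issuer or payment processor can look for. The following is an added example, not part of the original guide: it flags transactions where a chip-equipped card (Track 2 service code starting with 2 or 6) was paid by magstripe. The transaction field names, terminal IDs and sample records are constructed for illustration, and the entry-mode values should be confirmed against your acquirer's specification.

```python
import re
from collections import Counter

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

# POS entry mode: first two digits of ISO 8583 field 22 (assumed values,
# as commonly used by the card networks).
CHIP_MODES = {"05", "07"}   # contact chip, contactless chip
FALLBACK_MODE = "80"        # chip read failed, terminal fell back to magstripe
SWIPE_MODES = {"02", "90"}  # magstripe read


def service_code(track2):
    """Return the 3-digit service code from Track 2 data, or None if malformed."""
    m = TRACK2.match(track2.strip())
    return m.group(3) if m else None


def card_has_chip(track2):
    """A leading 2 or 6 in the service code marks a chip-equipped card."""
    sc = service_code(track2)
    return sc is not None and sc[0] in "26"


def classify(txn):
    """Label one transaction as 'ok', 'review' or 'malformed'."""
    if service_code(txn["track2"]) is None:
        return "malformed"
    mode = txn["entry_mode"]
    if mode in CHIP_MODES or not card_has_chip(txn["track2"]):
        return "ok"
    if mode == FALLBACK_MODE or mode in SWIPE_MODES:
        return "review"  # chip card paid by stripe: the clone-and-fallback pattern
    return "ok"


def review_queue(txns):
    """Return (transaction ids to review, flagged count per terminal)."""
    ids, per_terminal = [], Counter()
    for t in txns:
        if classify(t) == "review":
            ids.append(t["id"])
            per_terminal[t["terminal"]] += 1
    return ids, dict(per_terminal)


# Constructed sample data: test card number, invented ids and terminals.
CHIP_CARD = ";4111111111111111=30122010000000000?"    # service code 201
STRIPE_CARD = ";4111111111111111=30121010000000000?"  # service code 101
SAMPLE = [
    {"id": "t1", "terminal": "T-100", "entry_mode": "05", "track2": CHIP_CARD},
    {"id": "t2", "terminal": "T-200", "entry_mode": "80", "track2": CHIP_CARD},
    {"id": "t3", "terminal": "T-200", "entry_mode": "90", "track2": CHIP_CARD},
    {"id": "t4", "terminal": "T-100", "entry_mode": "90", "track2": STRIPE_CARD},
    {"id": "t5", "terminal": "T-100", "entry_mode": "90", "track2": "garbage"},
]

if __name__ == "__main__":
    print(review_queue(SAMPLE))
```

A terminal that accumulates many flagged transactions is also worth a physical inspection, since a tampered reader can cause chip reads to fail.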
Credit Card Scam Statistics
The global contactless payments market is now worth $1.168 billion, and is expected to grow to a whopping $5,424 billion by 2030 – representing a compound annual growth of 20.6%. And while that’s encouraging news, it also means the opportunity for fraudsters to target consumers is on the rise.
As many as 65% of people have experienced some kind of credit card fraud at one point in their lives, Security.org found in its 2023 Credit Card Annual Fraud Report.
That figure alone gives a staggering insight into the prevalence and seriousness of this ongoing issue. The number equates to as many as 151 million Americans being targeted at one time or another.
And just between 2021 and 2022 alone, there was a significant step up in the amount of credit card crime being committed. As many as 44% of those surveyed said they’d experienced at least 2 instances of fraudulent charges – up from 35% in 2021.
The median fraudulent charge amount has also risen in that time, shooting up by 27% to an average of $79 per attempt. Shockingly, as many as 12% of people said they had fraudulent charges from the same merchant in that time.
On an annual basis, it’s believed as many as 7% to 10% of Americans are the victim of identity theft every year.
And when it came to the generations which were most targeted, the general trend was that the older you are, the more at risk you become.
The figures showed:
Millennials: 33.1% targeted by fraud
Generation X: 37.6% targeted by fraud
Baby Boomers: 42.6% targeted by fraud
Worryingly, the amount of money being lost to fake businesses is rising at a blistering rate. Between 2020 and 2022, the total lost to imposter companies more than tripled, with the numbers highlighting how increasingly popular this scam is:
2020: $196 million lost to fake businesses
2021: $453 million lost to fake businesses
2022: $660 million lost to fake businesses
Across the board, as many as 2.4 million fraud reports were lodged in 2022 alone, with an estimated $8.8 billion lost in total.
Thankfully, the response time for reports of fraud is becoming increasingly speedy. With the ability to set up fraud reports on mobile and other smart devices, more people are being alerted to potential attacks within hours, or even minutes, of it happening.
Data shows 21% of all victims became aware of fraud within minutes, with the total figures being:
Within minutes: 21% of victims
Within hours: 38%
Within days: 31%
Within 1 credit card statement period (or longer): 10%
The numbers might be a little scary, but there are always steps you can take to protect yourself. Read on to better understand how you stay safe when using your credit card.
Protecting Yourself Against Contactless Credit Card Scams
Now that you have a slightly more detailed understanding of the potential dangers, it’s time to arm yourself with the knowledge of how to identify, prevent, or even recover from an attack. Read on to discover what you can do to increase your chances of staying safe from contactless credit card scams.
How To Spot a Credit Card Skimmer or Shimmer
Possibly the only benefit of an attack of this nature is that they’re sometimes possible to spot ahead of time – as long as you know what to watch for. Look for any of the following as a sign that your card might be about to be targeted as part of a scam:
The Card Reader Looks Tampered With
While it might sound a little rudimentary, sometimes spotting a skimming device is as simple as inspecting the card reader or ATM machine. Jiggle the card reader to see if it’s loose, and eyeball it closely to see if anything looks off. It could be that the arrows on the machine don’t align properly, or it’s oddly raised in certain places.
Odd Timings With the Return of Your Card
If you feel like your card is taking a long time to be returned to you (or it doesn’t get returned at all) it may have been targeted. If this happens, immediately contact your credit union or card supplier, and let them know you believe you may have been targeted. They’ll be able to put a hold on any transactions on that card.
A Broken Security Seal
Security seals are sticky labels that are placed over card readers at most gas stations. If the seal is broken, a scammer could have accessed the machine and placed a skimmer or shimmer device inside.
How To Avoid Getting Your Credit Card Targeted
Thankfully, there are steps you can take to prevent yourself from becoming a victim. Keep all of the following in mind to significantly reduce the chances of a scammer stealing your money:
Try To Use Bank ATMs
As much as 60% of skimming at ATMs is said to happen on privately-owned machines. And while that doesn’t guarantee you’ll be safe using a bank’s ATM, it does significantly increase the chances. Privately-owned ATMs are usually found in bars, restaurants, and grocery stores – where a machine may be less routinely visible.
Look at the Other Machines Nearby
If there’s a collection of machines nearby, it’s a smart idea to inspect if the one you’re using stands out in any way. If you spot anything that’s not universal on all the machines (especially if it’s on the card reader element), think about using a different one.
Cover Your PIN When Entering It
If you’re worried about the possibility of a camera recording your PIN when you enter it, use your other hand to cover the numbers. This is a good habit to get into as it’ll keep your PIN safe even if there aren’t devices present.
Only Use a Card Reader in Well-lit Areas
Using a machine that is hidden away in a dark or out-of-sight area will also increase your chances of being targeted. These ATMs are easier to tamper with as they’re not always visible to their owners. Use machines in affluent areas, such as on main streets, or inside a bank.
Inspect the Keypad
As we’ve discussed, scammers sometimes use devices that they’ve placed over the keypad you’d use to enter your PIN. If the keypad seems loose in any way, it’s best not to use the machine.
Use Mobile Payments Whenever Possible
If you choose to use a digital wallet instead of your card, your money will be a lot safer. This type of payment system tokenizes your details, which makes them both considerably harder to intercept and fairly meaningless in the unlikely event thieves are able to intercept them.
Think About Alternative Ways To Pay
You don’t have to pay with your physical card. If you feel really unsure about the machine you’re using, find other ways to complete a transaction. That can be by making a secure online payment on an app or even going old school and paying by cash.
How Merchants Can Protect Against Shimming and Skimming
While the consumer is ultimately responsible for their own financial wellbeing, merchants can also play a part in keeping them safe. If you run a business where skimming or shimming is a realistic possibility, make sure to take these steps:
Try To Avoid Taking Payment Through Magstripes
It’s not possible for a credit card transaction to be made illegally through contactless methods alone. A magstripe needs to be present in order for a shimmer to be effective. As such, vendors should go to additional lengths in the event that magstripe payment is the only possibility. That means performing identity checks against the card by asking someone to show some form of ID.
Use Anti-fraud Tools
There are a number of tools that have been created to help protect against the potential of fraud. Some of the most popular, and effective, include things like address verification, CVV validation, and 3DS technology. Check out a comprehensive breakdown of what kind of tools are best for dealing with the issue of fraud.
Only Use Contactless Card Readers
Readers which solely rely on contactless forms of payment are effectively impervious to shimmers and skimmers. The Wi-Fi and online sources they use to register payments make it all but impossible for scammers to target them.
Offer Incentives To Pay With Mobile Wallets
Understandably, some customers might not want to use digital wallets in lieu of using their actual card. This is common for consumers who aren’t as tech-savvy. As such, offering incentives in the form of promotions, loyalty bonuses, or even slight discounts might encourage them to swap over.
What To Do if Your Card Is Skimmed
In the unlikely event that you do become the victim of a scam, there are actions you can take to recover your losses and report the crime to the correct authorities. Follow these steps to mitigate the impact as much as possible:
Let Your Card Issuer Know
The first and most important thing you should do when you’re aware of any fraudulent activity is to tell your card issuer. They’ll be able to put an immediate hold on your card while also working to try and help you get your money back as quickly as possible. Issuers such as Visa and Mastercard have “zero liability” policies that ensure you won’t be held responsible in the event someone steals your identity.
Contact the Credit Bureaus
If you notice a string of financial payments that were fraudulent across your accounts, reach out to the 3 major credit bureaus – Equifax, Experian, and TransUnion. Request a credit freeze so that the criminals can’t open up any lines of credit in your name. It’s also worth reporting any instances of identity theft to the Federal Trade Commission, as well as the police.
Change All Passwords and PINs
If you notice any signs of odd activity, check all of your accounts, and change the PINs and passwords you use for them immediately. This could help to prevent any further damage being done or money from being stolen. While thieves may not have access to this data, it’s a case of being safe rather than sorry.
Monitor Card Statements and Credit Reports
Even if you take all the right steps once the initial fraud is caught, thieves might still be able to use your identity if they gained access to login details you weren’t able to change. As such, it’s very wise to continuously check your card statements and credit reports for a long time after the first attack.
Check Online Accounts and Bill Payments
It’s common in the modern world to store your card details on shopping accounts for easy online payments. The same is true when making a payment on certain utilities. Unfortunately, you’ll have to manually assess every account you have and remove any cards which were found to be compromised by a skimming or shimming attack.
Other Types of Credit Card Scams
Skimming and shimming aren’t the only types of credit card scams to watch out for. Here are a host of other ways that con artists try to get your money, as well as what you can do to avoid becoming a victim.
The Overcharge Scam
How It Works
As the name suggests, this scam involves someone being messaged to say that they’ve been charged too much on a recent purchase and that they’re owed a refund. They’ll usually pick an account for something that they know a lot of people pay for (such as Netflix or Spotify). They’ll ask for sensitive financial information to “provide a refund” when in reality this information will be used to strip you of funds.
How To Spot It
Always be wary of any kind of cold call of this nature, and take special care if you’re being told that the payment needs to be immediate. Also, be sure to examine any emails closely. Look for odd characters in the address, as well as logos or other images that don’t load properly.
How To React
The best approach to these kinds of advances is to ignore them. Get in contact with your credit card company to see if the overcharge is legitimate or not. Make sure not to click on any links that you don’t trust.
Arrest Phone Call Scam
How It Works
While it might sound a little extreme, some scammers may go to the extent of threatening serious legal repercussions for the mispayment of a totally fake debt. They’ll often pose as official governing bodies, like the IRS, and demand you pay them back within a set timeframe to guarantee you avoid jail time.
How To Spot It
No government body will ever make extreme threats like this over the phone. There are legitimate channels that they have to go through in order to acquire any money that you may owe. In almost every circumstance, this will be a formal letter, followed by an in-person meeting, if necessary.
How To React
Again, it’s best to just hang up the phone and ignore any messages like this. It’s important to remember that you can’t be immediately arrested for a missed payment and that it almost certainly won’t be done over the phone.
Phishing Scams
How It Works
One of the oldest internet scams out there, phishing sees con artists sending out an email or text that contains fraudulent instructions. This usually asks the recipient to click on a link, which takes them through to a fake payment or sign-in page. They’ll unwittingly give the scammer their details by filling in a fake form.
How To Spot It
Phishing scams usually ask you questions that you wouldn’t normally need to answer. For example, they might ask for an answer to one of your security questions. Another key indicator that you’re being targeted is the fact that they’ll often rush you to provide these details.
How To React
Make sure to never provide information when receiving an unsolicited email, text, or phone call. Always reach out directly to the organization in question (using legitimate numbers you find online and not any provided in the potentially fraudulent email).
Charity Scams
How It Works
Unfortunately, some scammers like to prey on the good nature of others. When a global, national, or even local disaster happens, a con artist might reach out and claim to be collecting donations for the victims. They’ll ask for credit card information in order to help “support those in need.” In reality, the money goes right into their pocket.
How To Spot It
Some charities will reach out in this manner, but they very rarely ask for financial information over the phone. Likewise, if an email sent to you has a direct link to a payment method, it’s fair to assume you might be being scammed.
How To React
Never agree to anything via the phone or email. Do your own research into the charitable organization they’re supposedly from, and donate through the methods found on their official website. That’s the only way to guarantee your money is going to the people you intend it to.
Interest Rate Reduction Scams
How It Works
This increasingly common scam starts off with someone reaching out to let you know that they have connections which can help to lower the interest you have to pay on loans. It’s an enticing deal, so some people all-too-easily offer up sensitive financial information when talking to scammers who have no ability at all to save you money.
How To Spot It
Legitimate third-party debt relief companies might be able to offer this service in some capacity – but they will almost never cold call you to do so. It’s also prohibited for them to charge any kind of fee prior to actually achieving their aim of lowering your interest rate repayments.
How To React
The safest course of action here is to again ignore what you’re being offered. If you really want to reduce how much you have to pay, think about calling the credit card issuer yourself and negotiating with them to see if you can get a better deal.
Protecting your money should always be a top priority. This guide will hopefully serve as a useful tool in helping you achieve that aim. For more information about what you can do to stay safe, as well as other snippets of financial advice, be sure to check out these handy secondary reading materials.