Cybersecurity and experience
Data strategy and analytics
Open banking and open data
Payments
Dive into the biggest trends shaping our industry
See all news and insights
Blogs
Research and reports
Success stories
Webinars
Press

What is skimming in cybersecurity? 

Alarming credit card breaches have abundantly clarified the need for cybersecurity. In 2022, 441,882 personal records from these financial tools were misused in the US. Over 1.8 million incidences of identity theft and imposter scams were reported to the Federal Trade Commission. One common yet elusive high-profile threat that enables this fraud is skimming. Read more to learn how credit card skimming works, current techniques, and, most importantly, how to protect your business and consumer data. 

What is skimming in cybersecurity? 

Skimming in cybersecurity is a fast and interactive way to quickly obtain payment card data and personal information from ATMs and checkout scanners. Surveillance devices, unsolicited emails, and malicious javascript code used in cyber theft secretly capture and transmit cardholder data in real-time without the victim's awareness. However, the remedy for late detection and investigation is using innovative solutions like RiskRecon by Mastercard.  

There are two main types of skimming attacks:  

  • Physical skimming involves credit card skimmers attached to payment terminals, ATMs, gas pumps, etc. They target tangible cards and in-person transactions. 

  • Digital skimming masks URLs in spam/phishing emails or remotely infects e-commerce sites and apps with malware that covertly steals payment data online during checkout (Magecart attack). 

Why is it called electronic card skimming? 

Skimming gets its name, electronic card skimming (e-skimming), from using credential-stealing software installed onto a retailer's online store. When unsuspecting customers use the shopping cart to initiate a website payment transaction, hackers copy the debit or credit card information entered into the payment fields without detection.  

How is skimming harmful to your system? 

A skimming attack can lead to a serious data breach, sabotages financial security, and exposes the account holder's identity. The stolen card data is then used to ransack accounts with unauthorized, fraudulent transactions. But perpetrators don’t stop there - they can also easily impersonate or sell email addresses, SSNs, and other information on shady black market sites. Banking cybersecurity has become a major concern as fraudsters use skimmers to steal credit card information on a large scale. The FBI estimates that e-skimming scams cost cardholders and banks over $1 billion annually. No wonder it has blown up as a go-to attack for cybercriminals.  

Besides the risk of overdraft fees, maxed credit cards, and cloned accounts, here’s how cybersecurity skimming can negatively impact the parties involved: 

  • Frozen accounts 

  • Malware installation 

  • Altered or deleted data 

  • Disruptions and downtime 

  • Countless hours disputing charges and filling out paperwork 

  • Emotional distress of being violated 

  • Loss of customer trust due to reputational damage 

What kind of data are e-skimmers looking for? 

E-skimmers or online skimmers mainly look for payment information for fraudulent purchases and theft. Specifically, here’s what a threat actor targets: 

  • Credit card details - card numbers, expiration dates, CVV codes 

  • Personal Identifiable Information (PII) - name, email, address, phone number, SSN, and other identity information 

What is an example of a skimming device? 

An ATM skimmer is arguably the most common example of a skimming device. Also, dishonest merchants swap out authentic handheld point-of-sale (POS) terminals with tampered ones that read and store credit card information. Other ways skimmers cunningly disguise to blend in with their surroundings include: 

  • Fake PIN overlays that capture PINs 
  • Monitors that intercept and relay data from contactless payments, like QR code scanners and Apple Pay 

 

How does a card skimmer get my information? 

Credit card skimmers get information through elaborate deception and ingeniously discreet tactics involving compromised payment machines. Once installed and ready to relay information, it reads the magnetic stripe or chip for discretionary data and a cryptogram that validates transactions. Here is how they work: 

  • Installation and data capture: External skimming devices cling unseen to ATMs near the card slot or magnetic swipe reader, while interchangeable pad overlays or pinhole cameras record the customer’s PIN. Internally, gas pumps and POS systems hide rigged card readers that extract billing credentials. 

  • Transmission: Sometimes, the instant retrieval of debit or credit card numbers involves wireless transmission via Bluetooth to a repository or backup gadget in a different location.  

Can a card skimmer steal money out of my bank accounts? 

Yes.Card skimmers pose a serious threat to bank accounts and funds. All it takes is one instance of credit card cloning to empty an entire checking account. Hard-earned money can vanish in a matter of seconds when an authorized user goes on a shopping spree using a counterfeit card. While POS transactions and ATM withdrawals typically occur instantaneously, inaccurate medical records and other documents can easily be forged after skimming takes place. Obtaining medical services and prescription drugs through imposture carries a higher price in medical debt for the exploited. 

How do I protect against e-skimming? 

To combat the growing threat of e-skimming, take these precautionary measures against skimmers: 

  • Leverage RiskRecon’s machine learning-based risk assessment across complex business ecosystems 

  • Patch software, plugins, and operating systems regularly to the latest secure versions 

  • Limit card reader use in your business 

  • Protect against skimming by only collecting the minimum customer data required for the transaction 

  • Use HTTPS and SSL/TLS certificates to encrypt all data transmission during checkout and account login 

  • Adhere to Payment Card Industry Data Security Standards for securing payment information 

  • Thoroughly vet any third-party scripts and tools before integrating them into the site code 

  • Monitor site traffic, source code, and servers actively for unauthorized changes  

  • Backup site code and databases in case there’s a need to restore from a previous point of failure  

How can I prevent being hacked by an e-skimmer? 

As online shopping grows popular, a proactive approach to security and hack prevention is critical. Therefore, along with conducting penetration testing, internet retailers should urge their web store visitors to do the following to minimize the risk of being hacked by an e-skimmer: 

  • Dedicate only one card for shopping online 

  • Activate transaction alerts 

  • Set strong, unique passwords 

  • Connect to public WiFi networks using a trusted VPN 

  • Consider virtual cards 

  • Routinely review account statements for odd charges 

How can I recognize a card skimming attempt? 

Vigilance and caution are the most important factors in preventing a credit card skimming attempt, which can be tough to detect. The best way to identify an attack is to keep an eye on signs of tampering, damaged parts, or intrusion. Wobbly readers and misaligned slots are red flags - swindlers often try to cover their tracks with glue or tape. So run your finger over the card reader to ensure it has no sticky residue. Other tips when using debit or credit cards include: 

  • Inspect for keypad overlay or buttons that are not easy to push down 

  • Watch for an odd, long wait while your card is “processing” 

  • Ensure the cashier doesn’t swipe your credit card out of view 

Cybersecurity trends show that pressure on private data protection is on the rise. RiskRecon has developed a proprietary algorithm that automatically identifies system vulnerabilities and accurately assesses risk exposure. While considering using the tool, evaluate the following signs of threats on payment processing web pages: 

  • Abrupt login to a site you haven’t visited before 

  • Unsettling browser popups and ads 

  • Browser warnings about insecure site 

  • Spelling and grammar errors on fake merchant sites 

How can RiskRecon by Mastercard help me? 

RiskRecon provides the continuous monitoring and transparency needed to manage third-party cyber risk at scale efficiently. By directly analyzing the vulnerabilities of vendors’ internet-facing web apps or programs, we generate accurate, risk-prioritized findings to drive remediation. Our data-driven approach enables customers to quantify threats, compress remediation cycles, and build trusted business ecosystems. Sign up for a free 30-day trial to evaluate up to 50 vendors and receive your own RiskRecon report.