ATM skimming is a type of payment card fraud. It’s a way of stealing PINs and other information off credit cards and debit cards by rigging machines with hidden recording devices.

In 2022, there were over 161,000 cards compromised due to skimming activity, according to data from FICO. That number increased nearly five times from the year before.

Bank ATMs and payment terminals at gas pumps and other merchants are the targets of this scam. Thieves then use the stolen information to produce fake cards and spend victims’ money or take cash straight from their bank accounts.

“If they are able to retrieve the card number itself, it’s common to use those in online marketplaces or to sell the card numbers in batches to other criminal groups who may attempt to use them for fraudulent purchases,” says Nathan Wenzler, chief security strategist at Tenable, a cybersecurity firm in Columbia, Maryland.

Here is what you need to know about ATM skimming and how to protect yourself.

Methods of ATM skimming

Thieves employ several techniques to steal data that’s embedded in the magnetic stripe on credit and debit cards:

  • A plastic overlay placed over the ATM keypad captures PINs as they are entered.
  • An overlay placed over the card insertion slot records the data on the magnetic stripe.
  • Tiny cameras placed on an ATM record keypad entries and your fingers as you type.
  • An overlay that covers the whole ATM faceplate is embedded with  cameras and card-slot and keypad overlays.

“Skimmers are getting harder and harder to detect, especially with the advent of 3D printers and other inexpensive fabrication devices,” warns Wenzler.

In some cases, skimming devices don’t even need to be physically connected to the card reader. Instead, as they collect consumers’ data they transmit the information to the thief via Bluetooth technology.

Even chip-enabled payment cards, which are more secure than magnetic stripe cards, are vulnerable to theft. By placing a super-thin shim between the chip and the chip reader inside the ATM, thieves can capture your PIN and other card information. These devices are called  “shimmers,” and as chip technology becomes more prevalent, they are starting to supplant skimmers as thieves’ choice tool.

How prevalent is ATM skimming?

You hear quite a lot about ATM skimming these days, especially at gas pumps. It’s a scam that costs consumers and U.S. financial institutions more than $1 billion each year.

As mentioned, over 161,000 cards were compromised by skimming in 2022. Furthermore, 2,730 separate financial institutions were affected by a customer’s card being compromised.

California was the most targeted state for skimming scams, accounting for 47 percent of all skimming cases. The northeastern U.S. was also a frequent target — New York, New Jersey, Pennsylvania, Maryland and Virginia collectively accounted for 29 percent of skimming cases.

“ATMs and gas pumps are certainly the most common targets,” Wenzler says, “but customers should be aware and vigilant of any card reader anywhere, whether that’s restaurants, retail stores, coffee shops or wherever else you may swipe your card.”

Also, wireless technology enables cyber-thieves to retrieve stolen PINs and other card data “without approaching the ATM ever again, making it very difficult to catch them in the act,” Wenzler says.

Ways to avoid ATM skimming

To avoid becoming a victim of ATM skimming and possibly having your bank account cleaned out, follow these tips:

  • Go with cardless ATM transactions. Using your smartphone and your bank’s mobile app, you can conduct ATM transactions from anywhere, without a physical debit card.
  • Use debit and credit cards with chip technology, which is more secure.
  • Run your debit card as a credit card transaction and don’t enter your PIN, or use a credit card to begin with.
  • Use a mobile payment system such as Google Pay, Apple Pay, Samsung Pay or PayPal.
  • Check your bank statements regularly for suspicious transactions; sign up for account alerts and notifications.

Besides using safer payment methods, there are some physical, common-sense ways to avoid becoming an ATM skimming victim:

  • Don’t use ATMs located in dark, out-of-the-way places, in bars and restaurants or in areas with lots of tourists. Go to your bank or inside a store to use an ATM.
  • If the ATM doesn’t immediately return your card after the transaction, waste no time in reporting it to the card issuer.
  • Look over the ATM for signs of skimmers or ask the store manager to do it for you. Don’t use ATMs that have damaged or loose parts or look as if they have been tampered with.
  • “Try wiggling the card reader area to see if it feels loose or if there is a ‘cover’ over it,” advises Wenzler. “That could be a sign of a skimmer having been placed on top of the actual card reader itself.”
  • Use a gas pump that is within view of the gas station attendant or pay inside.
  • Cover the PIN pad when you enter your PIN.

Beware of e-skimming

While some criminals skulk around banks and stores to attach skimmers to physical payment terminals, others steal your credit and debit card data without getting out of their pajamas.

“Cyber-criminals now practice the concept of digital skimming or e-skimming,” says Ameet Naik, security evangelist and director of product marketing at Cloudflare, a California-based cybersecurity company. “Instead of placing a physical device on the ATM, they inject a piece of malicious code into a website script that skims credit card numbers from checkout pages on e-commerce sites.”

When there is an online payment transaction, the business collects personal data from the buyer, explains Naik. This usually includes name, email address, phone number, password, payment card data and verification code. “This data is most vulnerable at the point of entry,” Naik says.

The store, payment processor or bank is often not aware that skimming has occurred, Naik says, because the information was taken from the consumer’s device, not a company server.

“The lack of visibility means that the attacks often go undetected for weeks or months, while hackers yield a rich bounty of credit card numbers to sell on the dark web,” he says.

Ways to avoid e-skimming:

  • Don’t enter your card number repeatedly on a website. “If your trusted merchant has an option to save the card number for future purchases, choose it so as to minimize the times you have to type in your information,” advises Naik.
  • Use alternative payment methods such as Apple Pay, Google Pay or PayPal so you don’t have to type in payment card information. “However, consumers must ensure they use strong passwords to secure these services and avoid account compromise,” Naik says.
  • Be on the lookout for fake checkout pages that impersonate an online merchant. “Be especially wary of payment transactions that appear to fail,” warns Naik. “If that happens, immediately contact the card issuer who can place a fraud alert on your account.
  • Monitor your credit reports and bank and credit card statements routinely for suspicious activity, and report it right away.

Bottom line

Whether you’re using a physical bank ATM, a point-of-sale terminal at a merchant or doing cardless ATM transactions, there is always a risk of fraud. Chip-enabled credit and debit cards are safer than magnetic stripe cards, but even those can be hacked.

“Frankly, until we can move away from using magnetic stripes for transactions, the technology that creates skimmers will continue to advance and improve, resulting in more attacks against more devices around the globe,” Wenzler says.

Fortunately, you can minimize your risk exposure by following the tips and advice outlined here and staying vigilant.

— Bankrate’s René Bennett contributed to an update of this story.