Five scammers were arrested last month in California, accused of "shimming" at ATM machines and experts are warning consumers to be vigilant against this new threat.
‘Shimming' is an update on skimming, a common scam in which thieves attach a device to credit card readers at places like gas stations. The device reads and copies information from the magnetic swipe, allowing scammers to clone the credit card for later use or sell the card number on the dark web.
The emergence of chip-enabled credit cards was supposed to help eliminate vulnerability to identity theft and fraud because those cards could not be "skimmed." But fraudsters are persistent, and they've found a way to lift information from chip cards using this new technique called "shimming," which first occurred in places like Mexico and Arizona several years ago.
How Shimming Works
With this new technique, scammers insert a paper-thin device, or "shim," enabled with a microchip and flash storage directly into the dip-and-wait slot on card readers that accepts chip-enabled cards.
The shim then copies and saves the information from your credit card or debit card. While the information from the chip can't be used to clone another chip card, it can be employed to create a version of the card featuring a magnetic strip —and plenty of retailers, especially online, still accept such cards.
Unlike skimming devices which can often be bulky, shimming devices are small and unobtrusive. They can easily be inserted into card readers at in-store terminals, according to PCMag. And what's worse, scammers can collect the data by inserting a special card into card reader—so it just looks like the scammer is paying for something or using the ATM.
How to Protect Yourself from Shimming
While it's up to businesses to inspect their card readers daily to make sure they haven't been tampered with, there are some things you can do to make yourself less susceptible to shimming. If you have a contactless tap-and-go feature on your credit or debit cards, take advantage of it.
You'll never insert your card into a reader that is enabled with a shimmer that way. The same goes for mobile payments apps like Apple Pay or Google Pay—they are both safer than inserting your card into a reader.
When you're using an ATM, be sure to cover the keypad when you are entering your PIN. Better yet, try to use the ATM machines inside banks rather than stand-alone terminals that are more vulnerable to scammers. And if you can avoid the ATM altogether by going to a teller or just getting cash back from a purchase, those are better options.
If you do insert your card into a reader and experience any resistance, stop the transaction immediately and alert your bank and the store.
"If you insert the card and it's very tight that could be a sign report it to the merchant," said Bryan Oglesby of the Better Business Bureau.
What to Do If You Get Shimmed?
If your credit card or debit card number is stolen in a scam, contact your card issuer to cancel and get a new card (and number) immediately. Keep an eye on your online account for any fraudulent charges and notify your bank or financial institution right away if you spot something that isn't yours.
It's also a good idea to regularly check your credit report for any new inquiries, high balances, or new accounts you don't recognize.