Blog / Identity Theft

Credit card skimmers: All you need to know about skimming

Paying with a credit or debit card is so easy: Tap or swipe, and you're on your way. But that same convenience is exactly what criminals exploit. Credit card skimming is a sneaky, fast-growing scam that can compromise your personal and financial information without you even noticing. This guide explains how skimmers work, the most common scams you might encounter, and how to spot the warning signs before your data ends up in the wrong hands.

Author image

Ugnė Zieniūtė

July 9, 2025

10 min read

What is a credit card skimmer?

A credit card skimmer is a device that thieves attach to legitimate card readers at ATMs, gas pumps, self-checkouts, or handheld terminals. When you swipe or insert your card, the skimmer silently copies the data stored on the magnetic stripe (and, in newer "shimmer" variants, the chip) before the payment continues as normal. In seconds, it harvests your card number and expiry date.

Criminals then clone the data onto blank cards for in-store shopping or ATM withdrawals, use it for online "card-not-present" fraud, or sell the records in bulk on dark web marketplaces.

Skimming isn't confined to ATMs. Any moment you hand your card to a restaurant server, valet, or retail clerk opens a window for a handheld skimmer to grab the same information. Electronic benefit transfer (EBT) cards, which still rely on magnetic stripes, are a particular target –- low-income users often discover the loss only after funds disappear from their EBT cards.

How do credit card skimmers work?

Credit card skimmers are typically installed over or inside real card readers at ATMs, gas pumps, or retail terminals so that you don't notice anything unusual. The goal is to quietly capture your card's data during an otherwise normal transaction.

Here's how credit card skimming usually works:

  1. The skimmer intercepts your data. When you swipe or insert your card, the skimmer reads and stores the information encoded in the magnetic stripe. For contactless (NFC) payments, attackers may use scanners that exploit ISO 14443 communication. 
  2. The skimmer captures your PIN. To drain an account via ATM or debit, thieves need your PIN. They often pair the skimmer with a keypad overlay that records your keystrokes or hide a pinhole camera nearby to film you entering your code. In some cases, the fake keypad replaces the real one entirely.
  3. The skimmer stores the information or transfers it wirelessly. Older skimming setups store the stolen information locally, which means thieves must return to retrieve the device. Newer models use Bluetooth Low Energy (BLE) to transmit the data wirelessly, sometimes to a nearby phone or a laptop in a parked car. This reduces the risk of getting caught retrieving the device.
  4. Thieves clone your card or use it for fraud. Once criminals collect the data, they use it in one of two ways:
    • To create fake credit cards for in-person transactions or ATM withdrawals
    • To commit online fraud by entering the stolen details into ecommerce checkouts.

Remember that PINs are essential for cash withdrawals and debit transactions but not for credit-based purchases. Skimmers at gas pumps and retail checkouts often skip PIN collection and still make money by creating working credit clones.

The most common credit card skimming scams

Skimming isn't limited to one type of location or device. Criminals adapt their tools to suit the circumstances in which people use payment cards, often targeting places where there's little oversight or where the card briefly leaves your hands. Below are the most common skimming situations you're likely to encounter.

Handheld skimmers at retail stores

Gas stations have long been frequent targets for one reason: the pumps are rarely monitored closely, and many still rely on older card readers. Criminals often use universal keys, either stolen or purchased online, to open the pump's housing, install a skimming device in line with the card reader, and close it back up without leaving a trace. These skimmers are powered by the pump and can transmit stolen card data via Bluetooth. In many cases, they remain in place for weeks or even months, quietly collecting thousands of card numbers before they are discovered.

Skimmers on gas pumps

Gas stations are frequent targets for one reason: The pumps are rarely monitored closely, and many still rely on older card readers. Criminals use universal keys (often stolen or bought online) to open the pump's housing, install a skimming device in line with the card reader, and close it back up without leaving a trace.

These skimmers are powered by the pump and often transmit stolen card data via Bluetooth. They can remain in place for weeks or even months, collecting thousands of card numbers before they're discovered.

Skimming at ATMs

ATMs, especially those in poorly lit or low-traffic areas, are prime targets for skimming setups. Let’s take a look at two common variations:

  • Insert skimmers are wafer-thin devices slipped directly into the card slot to intercept the magnetic stripe.
  • Overlay skimmers fit over the card slot or keypad and are designed to blend in with the machine's existing hardware.

These credit card skimming devices are often paired with hidden cameras that record your PIN or with keypad overlays that log keystrokes directly. Once installed, these devices can collect enough information to clone your card and drain your account.

How to spot a credit card skimmer

Even a well-hidden skimmer leaves subtle clues. Before you swipe,  tap, or insert your card, give the machine a quick once-over. A 30-second inspection can save hours of calling or emailing to dispute the fraud later. Use the checklist below whenever you fuel up, withdraw cash, or pay at an unfamiliar terminal to spot a credit card skimmer.

  • Look for obvious signs of tampering. Skimmers are add-ons, so they rarely align perfectly with factory hardware. Gaps, misaligned graphics, fresh glue, or odd plastic textures may betray a skimmer attached to the card reader.
  • Nudge the card reader and keypad. A reader at an ATM or gas station should never move when it's wiggled.
  • Compare neighboring ATMs or gas pumps. Most stores buy identical hardware. Spot an odd one,   and you may have identified a hidden skimmer. Pay attention to the card reader color, LED layout, and logos.
  • Check the security seal. Gas pumps have security tape or a sticker over the cabinet panel. If the security seal looks ripped or broken, don’t use the card reader. Pay for gas inside and let the cashier know a skimmer may have been installed at the pump.
  • Run a Bluetooth scan. Many modern skimmers broadcast stolen data over Bluetooth Low Energy. Stand near the reader with your phone’s Bluetooth on and look for unknown devices. 
  • Choose chip or contactless. EMV chips are harder to copy. Go for chip or contactless cards where possible. If the terminal forces a swipe for a chip-enabled card, ask why or use another machine.

Countertop readers at bars or restaurants are tougher to vet, especially if your card leaves your sight. When possible:

  • Keep the card in view. Ask staff to run it in front of you.
  • Use the contactless payment option or a mobile wallet. NFC tokens generate a unique, one-time-use token for each transaction.
  • Turn on real-time alerts. Instant SMS or app notifications from your bank are the fastest way to spot unauthorized charges.

If any detail about a card reader feels off, don't use it.

What does a credit card skimmer look like?

Credit card skimming devices are built to blend in with whatever card reader they're targeting, so there's no one-size-fits-all design. That said, skimmers typically fall into a few recognizable types, each designed for a specific setting:

  • Handheld swipe skimmer: A battery-powered card reader small enough to fit in a cashier's pocket.
  • ATM PIN-pad overlay: A fake keypad that sits on top of the real one, usually slightly bulkier with a different texture or spacing.
  • Gas-pump overlay: A false card reader bezel that sits on top of the factory slot. It may protrude a few millimeters more than it should or have slightly off-color plastic.
  • Internal pump insert: A thin device placed inside the card reader, invisible unless the pump housing is opened.

What happens when my credit card is skimmed?  

When your credit or debit card is skimmed, the stolen card information can be used almost immediately or held and sold later. In many cases, victims don’t realize what’s happened until they see an unfamiliar charge or their bank flags suspicious activity.

Skimming may lead to:

  • Unauthorized charges — often small “test” purchases followed by larger ones.
  • ATM cash withdrawals if the PIN is compromised.
  • Counterfeit cards created with your card’s skimmed information.
  • Synthetic identity theft, where criminals combine your real card details with fake credentials to create new identities.
  • Account disruptions, which interrupt recurring payments and day-to-day purchases.

What to do if your card has been skimmed

If your card has been skimmed, act quickly and follow these steps:

  • Call the bank or card issuer immediately. Use the number on the back of your card to report any suspicious activity. Federal law caps liability at $50 for credit cards but only if you act promptly.
  • Freeze or replace the credit or debit card. Your card issuer will deactivate the compromised card and send you a replacement with a new account number.
  • Document the fraud. Download statements, note transaction IDs, and keep call logs.
  • File an FTC Identity Theft report (US) or your local equivalent if you suspect identity theft.
  • Report to law enforcement. If you know where or when the skimming happened or have photos of a suspicious device, file a report with your local law enforcement.
  • Watch all linked accounts for 12 months. Criminals sometimes hold on to stolen data before using it.

If the attack leads to full-blown identity fraud, you'll need to take additional steps. Here’s what you should do: File a police report, place a fraud alert, freeze your credit, and work with your bank to reverse unauthorized activity.

Keep in mind that fraudulent charges made with credit cards are usually easier to dispute and resolve than debit card fraud. With a credit card, you’re generally protected from having to pay any of the stolen amount. But with a debit card, the money is pulled directly from your account, so even if you recover it later, you may be left dealing with bounced payments or temporary cash shortages.

How to prevent credit card skimming 

Combine your inspection skills with a few smart habits to avoid falling victim to credit card skimming:

  • Go inside to pay. Fuel up inside the station, use bank-branch ATMs, and keep your credit or debit card in sight at restaurants or cafés. Visible POS terminals are far less likely to be tampered with.
  • Inspect the card reader before using it. The “tug test” and side-by-side comparison catch many overlays.
  • Use a card with a chip, tap the card, or use a mobile wallet. EMV chips and contactless tokens are harder to duplicate than a magnetic stripe. If a reader forces you to swipe, find another machine.
  • Shield your PIN. Cover the keypad with your hand and give the keys a gentle pull — overlays often pop off with light pressure.
  • Stick to official terminals. Official bank ATMs and retailer-operated checkouts are generally better maintained than freestanding machines in convenience stores or bars.
  • Never hand over your card for “cleaning.” Anyone offering to repair a worn magnetic stripe or chip is almost certainly running a scam to steal credit card information.
  • Verify unsolicited calls, texts, or emails. If you’re asked for card or EBT details, hang up or close the message and contact the agency or bank using a number you trust.
  • Monitor your accounts and set alerts. Real-time push or SMS notifications flag fraudulent charges the moment they happen.
  • Use a credit card skimmer detector or scanner. Tools such as deScammer or BlueSleuth sniff for rogue BLE beacons, and dip-style probes like Skim Scan feel for hidden inserts.
  • Use virtual or one-time card numbers for online and mobile payments.
  • Consider protective services like NordProtect to outsource round-the-clock credit monitoring.

How can NordProtect help you combat credit card skimming? 

The identity theft protection service NordProtect extends your personal vigilance with enterprise-grade tools. It runs dark web monitoring for your credit or debit card details and alerts you to any exposure. It also gives you the reassurance that if the worst happens, your identity theft recovery will be easier and cheaper.

Author image
Ugnė Zieniūtė

Ugnė is a content manager focused on cybersecurity topics such as identity theft, online privacy, and fraud prevention. She works to make digital safety easy to understand and act on.

The credit scores provided are based on the VantageScore 3.0® credit score by TransUnion® model. Lenders use a variety of credit scores and may utilize a different scoring model from VantageScore 3.0® credit score to assess your creditworthiness.

You have numerous rights under the FCRA, including the right to dispute inaccurate information in your credit report(s). Consumer reporting agencies are required to investigate and respond to your dispute but are not obligated to change or remove accurate information that is reported in compliance with applicable law. While this plan can provide you assistance in filing a dispute, the FCRA allows you to file a dispute for free with a consumer reporting agency without the assistance of a third party.

No single product can fully prevent identity theft or monitor every single transaction.

Some features may require authentication and a valid Social Security Number to activate. To access credit reports, scores, and/or credit monitoring services (“Credit Monitoring Services”), you must successfully pass your identity authentication with TransUnion®, and your VantageScore 3.0® credit score file must contain sufficient credit history information. If either of these requirements is not met, you will not be able to access our Credit Monitoring Services. It may take a few days for credit monitoring to start after a successful enrollment.

NordProtect's dark web monitoring service scans various sources where users' compromised personal information is suspected of being published or leaked, with new sources added frequently. However, there is no guarantee that NordProtect will locate and monitor every possible site or directory where consumers' compromised personal information is leaked or published. Accordingly, we may not be able to notify you of all your personal information that may have been compromised.

Identity and cyber protection benefits are available to customers residing in the U.S., including U.S. territories and the District of Columbia, with the exception of residents of New York and Washington. Benefits under the Master Policy are issued and covered by HSB Specialty Insurance Company. You can find further details and exclusions in the summary of benefits.

Our identity theft restoration service is part of a comprehensive identity theft recovery package that offers a reimbursement of up to $1 million for identity recovery expenses. To access the support of an identity restoration case manager, you must file a claim with HSB, which NordProtect has partnered with to provide the coverage. HSB is a global specialty insurance company and one of the largest cyber insurance writers in the U.S.