Shimming: What Is It and How Do You Protect Yourself? – Downeast Credit Union

Shimming: What Is It and How Do You Protect Yourself?

Posted on September 3, 2024 | Fraud Defense

What Is Shimming?

Credit and debit cards are among the most popular forms of payment, and fraudsters take advantage of this through various schemes designed to gather card and other personal information for their own benefit. While using cards online poses its own set of risks and safety measures (like ensuring you are purchasing only through a known seller), scammers also place devices on in-person card readers to steal and store information, which they can later download and use to commit fraud. When a scammer places a device on a card reader at point-of-sale terminals like ATMs and gas pumps to take data from the card’s microchip, this is known as shimming. Both credit and debit cards are susceptible to shimming.

The difficulty with shimming is that it’s not always obvious when a device is installed on a point-of-sale terminal. The device is small and thin and is placed right inside the machine’s reader slot, making it hard to detect. While these devices can be hard to notice, it helps to know where they are most commonly in play: gas pumps, ATMs, vending machines, and parking meters. Additionally, there are steps to keep in mind to avoid a run-in with shimming.

Shimming vs. Skimming

You are likely already familiar with card skimming, which is essentially the little sibling to card shimming. Scammers are skimming when they use a device at a point-of-sale terminal to steal information from the card’s magnetic stripe and/or save the card PIN. This allows the thief to create a new, fake card using the information. Shimming is more advanced in that it takes the information from the card’s microchip, a newer card feature used in addition to the magnetic stripe. Essentially, shimming is the new skimming. Shimming devices are more challenging to detect since they are so much smaller than skimming devices, but the result can still be the same: card fraud and the risk of bank information/access being exposed. According to Experian, experts “say using a chip-enabled card is a more secure option than using a magnetic-stripe card.”

How to Protect Yourself

Luckily, today’s digital world offers many payment method options. You may consider utilizing contactless payment methods, such as Apple Pay, Google Pay, and Samsung Pay, to avoid inserting a physical card into a machine. Alternatively, cash is always an option for trusted in-person transactions. If you do choose to use a card, be sure to check the machine for any signs of tampering or abnormalities, which could indicate that a shimming (or skimming) device has been installed. When getting gas, opt for the tap-to-pay option if your card has it or choose to pay inside with a cashier. With ATMs, use one close to a building in clear view of other people, find one inside a physical location, or use a trusted credit union-owned machine, as these are the least likely to be targeted by scammers with these fraudulent devices (although it still can happen).

What to Do if You Fall Victim

If a scammer gets a hold of your information through shimming, take the following steps to report the fraudulent activity:

  1. Contact your card issuer immediately and let them know you’ve been shimmed. Acting as quickly as possible can limit the damage.
  2. Consider setting up fraud alerts on your credit report through Experian, Equifax, and/or TransUnion for free. This requires any creditors to verify your identity before allowing new credit on your profile.
  3. Check your financial accounts regularly and keep an eye on your credit report. If anything looks suspicious, contact your financial institution for assistance.
  4. As always, if you are a victim of fraud, you should file a report with the Federal Trade Commission at IdentityTheft.gov.