Digital Transactions Authoritative, insightful and timely information for payments professionals
Instances of card skimming were up in the United States in 2022, with more than 161,000 impacted cards identified, a five-fold increase over 2021, and a more than three-fold increase in the total number of cards compromised, according to FICO (formerly Fair Isaac Co.). In addition, 3,000 unique financial institutions were affected by a compromise, a 79% jump from a year earlier. On average, 185 cards were compromised per skimming event.
FICO defines a unique financial institution as any retail, commercial, or savings bank or credit union that is assigned a specific member number within its system and includes associated bank identification numbers for that institution’s issued cards.
The increase in skimming is attributed to a more than four-fold increase in the number of points of compromise, a trend that shows criminals are placing skimming devices in as many locations as possible.
Card skimming occurs when criminals install devices on ATMs, point-of-sale terminals or in-pump card readers to capture card data or record cardholders’ PINs. The FBI estimates card skimming costs financial institutions and consumers more than $1 billion annually.
“One reason we are seeing an increase [in skimming] is related to the adage about criminals opting for a path of least resistance,” Debbie Cobb, senior director of product management for FICO, tells Digital Transactions News by email. “We saw card-not-present fraud skyrocket as chip cards became prevalent. With banks focusing [fraud-prevention] efforts on that channel, criminals have sought other channels that may have less fraud monitoring or protections in place.”
Another reason for the explosion in skimming events is the success rate criminals enjoy with the tactic. “Skimming has been delivering a high payoff for criminals, as seen in the large number of cards obtained in a single compromise, which in turn fuels criminals to further their skimming efforts, resulting in the exponential growth we are seeing,” Cobb adds.
One trend that jumps out from the numbers is that 75% of the sites where a skimming event occurred had not been compromised previously. FICO is able to identify sites that have been compromised using a specific terminal ID and years of historical transaction data from more than 10,000 financial institutions in the United States that use its Card Alert Service.
Many of the sites compromised for the first time housed non-bank ATM terminals inside a convenience store. Overall, non-bank ATMs were favored targets of skimmers, representing 80% of the points of compromise.
As is often the case with criminal activity, there are geographic hotbeds of activity. California saw the most skimming events, with 47% of total events taking place in that state last year. A group of five states along the eastern seaboard—New York, New Jersey, Pennsylvania, Maryland, and Virginia—accounted for 29% of skimming events.
When it comes to the duration of the fraud, 87% lasted two weeks or less and 64% lasted a week or less. Given these short timeframes, finding and disabling skimming devices can be extremely difficult, Cobb says. In addition, many, if not most, consumers will not know their card information has been compromised until fraudulent charges start to show up.
Factors that make California attractive for skimming is that the state has a high population density and large metropolitan areas with a lot of traffic. These factors increase criminals’ opportunity to harvest a larger number of cards with one compromise, according to Cobb.
“Even within California, FICO sees many compromises in Los Angeles. Plus, a significant percentage of compromises occur at convenience stores,” Cobb says. “California has a large number of convenience stores, providing ample opportunity for criminals to target locations where there is often less security than at a typical bank location.”
When looking at total fraud cases related to skimming, FICO found 70% were tied to points of compromise in five states: California, New York, Pennsylvania, and Florida/Washington (tied).
The rise in skimming incidents shows no signs of slowing down in the new year. Skimming-event data during January showed a nearly 10-fold increase from January last year.
