HomeBlogSecurityWhat is Skimming: Examples and How Does It works?

What is Skimming: Examples and How Does It works?

21st Sep, 2023
view count loader
Read it in
10 Mins
In this article
    What is Skimming: Examples and How Does It works?

    As the world moves to a more digitalized era, the internet is starting to root deeply into the lives of people. From connecting with friends and family to shopping and banking, all of it is done online. Signing up for such benefits requires users to submit their personal information (such as their credit card details) to the organization providing these services, which opens the window to a whole bunch of fraud and scams. But at the same time, it is almost impossible for the average person to go a day without making an online purchase or swiping their card. With so many digital transactions taking place and considering the potential of cyber crimes that can arise from sharing of such information, it becomes increasingly important to spread awareness among users about IT security measures.

    Out of all of the scams that cyber criminals can pull using the personal information of users, credit or debit card information theft still remains the most prevalent and devastating scam that can happen to a person today. In this article, we’ll take a detailed look at what is Skimming in cyber security, a type of credit/debit card fraud, what it is, how it works, and what you can do to prevent yourself from such attacks. 

    What is a Skimming Attack? 

    Skimming is an act of copying the cardholder’s personal payment information. Criminals employ different strategies for this purpose, such as photocopying receipts or more advanced methods, such as installing a small electronic device called a skimmer, mostly inside ATM or EFTPOS terminals, to store hundreds of victims' card numbers and PINs. 

    The stolen credit card information is used by scammers to make online purchases, card cloning, or sell on different black markets on the web. Victims usually don’t notice that they have fallen victim to the attack until they notice unauthorized activity on their bank account.  

    What is Skimming in Cyber Security? 

    Skimming in cybersecurity refers to the same credit/debit card information theft but is usually concerned with the more advanced methods of carrying out this fraud. This includes the skimmer, a small device hidden inside an ATM or POS machine to steal information as the card is swiped, and online skimming attacks such as infecting e-commerce websites with malicious code. Often referred to as JavaScript (JS) sniffers, these codes are extremely difficult to detect. Once the website is infected, the credit/debit card information that the customer fills in is sent to the hackers, unbeknown to the customer, until it’s too late.  

    To learn more about different tactics that are employed by malicious hackers, you can check out the best online Ethical Hacking course, which goes over skimming in great detail and much more.  

    5 Types of Skimming in Cybersecurity

    Types of Skimming in Cyber Security

    Now let us take a closer look at how debit and credit card skimming attacks can occur. These include: 

    1. E-Skimming

    The most advanced and prevalent forms of skimming today include e-skimming, which is carried out by infecting e-commerce websites with malicious code to steal the customer’s debit or credit card information. Since it does not involve the physical tampering of a device, it is much harder to detect compared to other forms of skimming. The customer fills in their card details, believing it to be a secure transaction but the malicious code incorporated into the website records their information and sends it to the hackers in real-time.  

    2. Hand-held point-of-sale skimming

    Hand-held point-of-sale skimming refers to the skimming attacks carried out by insider threats, mostly employees such as waiters or receptionists. The adversary uses a small, concealed skimming device, which records all of the information stored in the magnetic stripe of the card. This information can later be used in malicious activities. Cybercriminals mostly employ this tactic in retail establishments, where hundreds of customers use their debit or credit cards daily.  

    3. POS swaps

    Also referred to as POS device tampering, POS swaps are common frauds that are carried out by cybercriminals. The process entails criminals swapping the usual POS device at any retailer with one engineered to copy and collect card data from all customer transactions. This can also be carried out by tampering with the original machine by placing a small skimming device inside the machine at an opportune time and coming back to collect all of the data.  

    4. Self-service skimming

    A similar fraud can be carried out by cybercriminals at self-service locations such as ATMs, gas stations, or other similar terminals. After strategically gaining entry to the terminal, these criminals install skimmers or minute cameras inside in a concealed location which steal and record the customer’s card data as soon as they swipe their card. The recorded data can be collected either physically or using more advanced tactics such as using wireless technologies to send the data to the criminal’s computer.  

    5. Dummy ATMs

    While not as prevalent as the other methods, cybercriminals are often known to use dummy ATMs in high-traffic areas. These ATMs resemble the real ones, but instead of dispensing cash after the user inserts their card, they steal information stored inside the magnetic stripe of the card along with the PIN code, using it later for malicious activities. If you’d like to learn more about skimming in cybersecurity, be sure to check out the Best Cyber Security Courses Online on our website.  

    How Do Skimming Attacks Work?

    Skimming attacks, in general, are carried out in three main steps:  

    1. Gaining Access: The first step involves the attackers gaining access to the mode through which they will carry out the attack. This can include gaining access to an ATM or POS terminal or exploiting vulnerabilities in an organization’s infrastructure, such as checkout pages on e-commerce websites.  
    2. Collecting Data: In the next step, attackers tamper with the original device or install skimmers to collect sensitive information. As the customer swipes their card or inputs the details, all of the sensitive information is recorded and collected inside the skimmer.  
    3. Harvesting sensitive information: After collecting all of the sensitive customer card details, the attackers send it to their own servers or collect it physically by retracting the skimmer device that they installed. The collected information can then be used for malicious activities. 

    Skimming and Identity Theft

    Skimming and other types of credit/debit card information theft often lead to identity theft as well. Skimming permits unauthorized people to gain access to the personal information of all the customers, such as login credentials, emails, bank accounts, social security numbers, location data, and much more. Gaining access to such vital information can allow fraudsters to sell it on the dark web which can be used to commit different crimes. For example, credit cards can be used to purchase illegal facilities online, which will keep the actual buyers anonymous by using the identity of the person whose credit card was stolen.  

    Besides withdrawing all the funds, the instance they get their hands on sensitive information, cybercriminals often use the information for other purposes, such as identity theft by cloning the cards to be used in fraudulent activities or by withdrawing insignificant amounts of money infrequently to avoid detection by the banks or the card holders.

    Overview of a web skimming attack

    Why Should You Care About Skimming Fraud? 

    The risk of skimming fraud happening is ever-present and keeps growing with recent advancements in technology. Now, fraudsters are employing highly advanced tactics that are extremely hard to catch by an average person to steal their sensitive credit or debit card information. Stealing funds from an individual’s account happens in just a couple of hours after this fraud, leaving a very small time frame for corrective actions. It is best to be aware of the tactics that cyber criminals employ to carry out skimming attacks, as opposed to trying to get your funds or information back after you’ve fallen victim to these frauds.  

    How to Protect Yourself from Skimming Attacks? 

    Several measures can be taken to protect yourself from skimming attacks. These include:  

    1. Account monitoring: It is essential to monitor your bank account closely to detect any suspicious and unauthorized activity happening on your account. Usually, there’s a small time frame to dispute unaccountable charges if they have fallen victim to such a fraud.
    2. Using low-limit cards: Users should always prioritize using low-limit cards for online and physical transactions. The reason is that if they fall victim to skimming, the low limit on the card will restrict the amount of damage that can be carried out by the fraudsters and will alert the cardholders that their card information has been compromised.
    3. Avoiding suspicious ATMs: If you suspect that an ATM is not in optimal condition, such as an unknown object attached to the area where you’re supposed to enter the card, report it immediately and avoid using it. It could be that the criminals have installed a skimmer on the ATM to carry out a skimming attack.
    4. Using only trusted websites for online transactions: This one is perhaps the most important measure you can take to prevent yourself from an online skimming attack. Always ensure that the website where you are entering your card details is trusted and has implemented security measures such as SSL certificates, which encrypt your information and prevent it from being stolen.

    Looking to boost your career? Get ITIL certified with our online exam! Enhance your skills and knowledge in IT service management. Enroll now!


    It is estimated that skimming costs organizations and consumers more than $1 billion each year. It is clear that skimming poses a real threat to society, and appropriate awareness should be spread among consumers to prevent it from happening. Most importantly, merchants, retailers, and e-commerce organizations should use the best security practices and PCI compliance guidelines to prevent skimming, as the outcome is not only just the loss of funds but also identity theft and much more.  

    If you found this article informative and would like to check out something similar, KnowledgeHut’s best online Ethical Hacking course is now available on our website, offering industry-leading ethical hacking training online.

    Frequently Asked Questions (FAQs)

    1What is an example of card skimming?

    In 2018, hackers gained access to a vulnerability in the British Airways website, where they planted a skimmer. The fraud affected well above 380,000 cardholders, and all of the payments via the website and the app were stolen in a three-week period. 

    2What type of crime is skimming?

    Skimming is a type of criminal fraud. Stealing credit/debit card information can either be a misdemeanor or a felony for more serious theft cases.  

    3What are the five types of skimming attacks in cybersecurity?

    Skimming can be of many times, but in regards to cybersecurity, it is mostly of five types:  

    • E-Skimming 
    • Hand-held point of sale skimming 
    • POS swaps 
    • Self-service skimming 
    • Dummy ATMs 
    4What are skimming attacks?

    Skimming is the unauthorized capture and transfer of sensitive credit or debit card information. Cybercriminals employ different tactics to steal information, which is then used for fraudulent activities. 


    Sulaiman Asif


    Sulaiman Asif is an information security professional with 4+ years of experience in Ethical Hacking and a degree of Master in Information Security, he is an EC- Council CEH Certified and has also been engaged with University of Karachi and Institute of Business Management as a cyber security faculty.

    Share This Article
    Ready to Master the Skills that Drive Your Career?

    Avail your free 1:1 mentorship session.

    Your Message (Optional)

    Upcoming Cyber Security Batches & Dates

    NameDateFeeKnow more
    Course advisor icon
    Course Advisor
    Whatsapp/Chat icon