Shimming: What Is It and How Do You Protect Yourself?


Today’s highly-digital world establishes ample conveniences for day-to-day life—but it also opens the door to even more security risks and threats, especially in the world of finances. Card shimming is a trend that is on the rise. However, there are steps you can take to spot the red flags of fraud and better protect against scammers. 

What Is Shimming? 

Credit and debit cards are one of the most popular forms of payment, and fraudsters take advantage of this through various schemes designed to gather card and other personal information to use to their benefit. While using cards online poses its own set of risks and safety measures (like ensuring you are purchasing only through a known seller), scammers often also utilize devices at in-person card readers to steal and store information that the person can then download and use themselves to commit fraud. When a scammer places a device on a card reader at point-of-sale terminals like ATMs and gas pumps to take data from the card’s microchip, this is known as shimming. Both credit and debit cards are susceptible to shimming. 

The downside of shimming is that it’s not always obvious when a device is installed on a point-of-sale terminal. The device is small and thin and is placed right inside the machine’s reader slot – making it hard to detect. While they can be unnoticeable, it helps to know where they are most commonly in play: gas pumps, ATMs, vending machines, and parking meters. Additionally, there are steps to keep in mind to avoid a run-in with shimming. 

Shimming vs. Skimming 

You are likely already familiar with card skimming, which is essentially the little sibling to card shimming. Scammers are skimming when they use a device at a point-of-sale terminal to steal information from the card’s magnetic stripe and/or save the card PIN. This allows the thief to create a new, fake card using the information. Shimming is more advanced in that it deals with taking the information from the card’s microchip—a newer card feature used in addition to the magnetic stripes. Essentially, shimming is the new skimming. Shimming devices are more challenging to detect since they are so much smaller than skimming devices, but the result can still be the same: card fraud and the risk of bank information/access being exposed. According to Experian, experts “say using a chip-enabled card is a more secure option than using a magnetic-stripe card.” 

How to Protect Yourself 

Luckily, today’s digital world offers many payment method options. You may consider utilizing contactless payment methods, such as contactless cards, Apple Pay, Google Pay, and Samsung Pay, to avoid inserting a physical card into a machine. Alternatively, cash is always an option for trusted in-person transactions. If you do choose to use a card, be sure to check the machines for any signs of tampering and abnormalities, which could be a sign that a shimming (or skimming) device has been installed. When getting gas, opt for the tap-to-pay option if your card has it or choose to pay inside with a cashier. With ATMs, use one close to a building in clear view of other people, find one inside a physical location, or use a trusted credit union-owned machine as these are all the least likely to be targeted by scammers with these fraudulent devices (although it still can happen). You can find more tips on ATM safety in this previous Weekly Update article. 

What to Do if You Fall Victim 

If a scammer gets a hold of your information through shimming, take the following steps to report the fraudulent activity: 

  • Contact your card issuer immediately and let them know you’ve been shimmed. Action as quickly as possible can limit the damage. 
  • Consider setting up fraud alerts on your credit report through Experian, Equifax, and/or TransUnion for free. This requires any creditors to verify your identity before allowing new credit on your profile. 
  • Check your bank and credit accounts regularly and keep an eye on your credit report. If anything looks suspicious, contact your financial institution for assistance. 
  • As always, if you are a victim of fraud, you should file a report with the Federal Trade Commission at IdentityTheft.gov. 

Draft Social Media Post: 

The League has drafted copy and created graphics for your credit union to utilize on your social media channels to educate members about shimming. Below, please find graphics for Facebook, X, and Instagram (right-click on the graphic to download). 

Draft Copy: 

Credit card shimming is a growing concern for consumers across the globe, but you can take steps to protect yourself. Shimming happens when a scammer installs a device at a point-of-sale terminal to read a card’s microchip, allowing them to later download and use the card information to commit fraud. Consider contactless payment methods and cash for in-person transactions, and always report suspicious bank account and credit activity immediately.  

For X with the character limit: 

Credit card shimming happens when a device is installed in a card reader to steal information from the card’s microchip and commit fraud. Consider contactless payment methods and cash for in-person transactions and report suspicious bank account and credit activity immediately. 

Facebook: 

X: 

Instagram: