The global body for professional accountants

Skimmer Scams

New report highlights myriad ways skimmer scams are pickpocketing consumers across the globe, from the gas pump to the ATM

New York, N.Y. (February 13, 2014)
A new report out today details how skimmer fraud has proliferated across the globe, ripping off consumers everywhere from the gas pump to the ATM.

According to the report, by ACCA USA, the US arm of the Association of Chartered Certified Accountants, and Pace University in New York City, United States, criminal enterprises are devising novel ways to steal as skimming devices have become smaller and more sophisticated in terms of power, memory, communication and encryption.  

'Skimmer fraud is a huge problem across the world. While skimmers have existed for many years and they have advanced quite considerably over time,' said Pace University Professor Darren Hayes, DPS, who authored the report.

'Without significant steps being taken to combat this activity, it’s clear that this type of fraud will continue to escalate.'

'This is a war being fought at the ATM and the gas pump, at the intersection of street crime and tech crime. As criminals become more sophisticated, they are devising creative ways to separate consumers from their cash,' said Warner Johnston, head of ACCA USA.

The report identifies the myriad ways in which skimmer scams are cropping up across the globe. 

According to a 2013 Norton Report, the global cost of cybercrime rose to $113 billion (up from $110 billion), with an average cost per victim of $298 (up from $197 in 2012). A significant portion of that cost involves payment card fraud. Estimates indicate that payment card fraud costs the United States $8.6 billion annually. A Q3 2012 ACI Worldwide study of 5,223 consumers in 17 countries reported that a staggering 27% of payment card holders (debit, credit and prepaid).

The Aite Group has reported that in 2011 the average loss from skimming crime $50,000, up by $20,000 from the previous year. And, the U.S. was ranked number one in the world in terms of financial losses associated with skimming fraud in the first six months of 2011, followed by the Dominican Republic, Russia and Brazil.

Skimmer Episodes Around the World

United States: In the United States, in January, Manhattan District Attorney Cy Vance, Jr. announced the indictment of 13 persons charged with operating a multi-million dollar fraud ring that employed Bluetooth-enabled skimmers at gas station pumps. The devices connected directly to a pump’s power supply, equipped with a Bluetooth chip allowing thieves to lift stolen data wirelessly.

Canada: Canada has a population of about 35 million. Founded in 1994, Interac is a Canadian-based organization that facilitates electronic financial transactions through their national payment network. The organization was founded by CIBC, Royal Bank of Canada, Scotiabank, TD Bank and Desjardins. They manage 60,000 ATMs and 766,000 POS terminals throughout Canada.

Interac Association announced that all Interac acceptance devices must be EMV-compliant by December 31, 2015. As of October 31, 2012, there are 73.9 million Visa and MasterCard payment cards in circulation in Canada. In 2012, credit card fraud in Canada was $CAD 439.36 million, compared to $CAD 436.59 million in 2011. However, Interac debit card fraud dropped 45%, from $CAD 70 million in 2011 to $CAD 38.5 million. The notable decline in fraud is as a result of enhanced fraud detection analytics, increased law enforcement support and the introduction of EMV.

In 2009, debit card fraud in Canada was estimated to be $142 million, which subsequently declined to $119 million in 2010 and then fell to $70 million by 2011. Visa and MasterCard implemented a domestic liability shift in the first half of 2011, which accounts for the dramatic decline in payment card fraud.

China and Southeast Asia: A number of organized crime groups in China and Southeast Asia have been cloning payment cards and then sending “mules”, using forged travel documents, to Western Europe to fraudulently purchase luxury goods, which are then sent back to Asia.

Europe: Skimmer fraud in Europe is different from the United States because of a number of factors. One factor is that ATMs in Europe are for the most part EMV-compliant. Another reason for differences in ATM fraud is that ATMs are often different in the United States. For example, there is a large number of non-bank ATMs in the United States, which are not found in every country. Moreover, Certain ATMs have certain vulnerabilities and the type of ATMs from country to country will vary greatly. According to a report by the European Central Bank (ECB) in July 2013, ATM fraud accounted for 20% of all payment card fraud (€232 million). The report also states that 95% of counterfeit card fraud, related to ATM fraud, occurs outside of Europe. 

Ireland: Ireland has a population of approximately 4.58 million. According to the Irish Payment Services Organization (IPSO), in 2011 there were 194 skimming incidents, of which 142 were successful. During 2011, anti-skimming devices were installed on the majority of ATMs. Coupled with an anti-skimming initiative was more vigilance by banks and ATM maintenance workers. Additionally, there were some notable ATM fraud-related arrests by the Gardaí (Irish police). 

The outcome was that in 2012 there were only 13 ATM skimming incidents and 12 of those were successful.  In 2013, there have been some successful ATM skimmer incidents where an anti-skimming device became inoperable or was incorrectly installed. 

An ATM skimmer that was found in Ireland in 2013 is arguably the first stereo skimmer in the world. This find may indicate a new technical advancement for thieves. Most ATMs in Ireland are manufactured by NCR but there are also some Siemens Nixdorf machines. Diebold is virtually non-existent in Ireland and the U.K. All card readers in Ireland are motorized as opposed to the United States where newer ATMs generally have dip readers.

ATM skimmers do account for the majority of skimmers but there are cases of skimmers being used at petrol stations. In 2012, according to IPSO, there were 15 skimmers found at fuel pumps. It appears that these skimmers are less prevalent in Ireland and the U.K. than in Europe because there are far fewer unattended petrol stations in Ireland and the U.K. than in Continental Europe. 

According to the report:

• One of the most common types of skimmer is the ATM skimmer, used to record the data contained on the magnetic strip on the back of a consumer’s ATM card. A skimmer may be placed on a stand-alone ATM, such as one at a convenience stores or doorway at a bank.

• Security standards with European credit, debit and ATM cards differ from standards in the United States, rendering it easier to conduct skimmer fraud in the U.S.

• The United States is pivotal for criminal gangs because it has more ATMs than another country and because it is not EMV-compliant (cards do not contain a global chip) and its EMV cards skimmed can easily be cloned. Cards that are cloned by criminals are also used in other non-EMV countries, such as Ghana, Costa Rica, Mexico and Malta.

• Handheld skimmers are not an issue in other countries as much as in the U.S. For example, at U.S. restaurants, a waiter takes a credit or debit card and later with a receipt. At European restaurants, a card remains in sight at all times, and a waiter brings a terminal to the table.

• Equipment used in various types of skimming operations is readily available from online sites such as and spy stores.

The report offered recommendations to combat skimmer fraud. Financial institutions should speed up the integration of anti-skimming solutions and fraud investigations into their daily operations and improve cooperation with national and international law enforcement to keep up with the increased sophistication and global nature of skimmer schemes. The future of ATM transactions lies in contactless cards, biometric security, and smartphone withdrawals instead of traditional ATM cards.

Meanwhile, customers should:

• Use one hand to cover the keypad while entering their PIN and be careful of criminals “shoulder surfing.”

• Regularly monitor their accounts, financial statements, and credit reports to be alerted to skimmer fraud or any type of identity theft.

• Provide financial institutions with up-to-date contact information, including a mobile telephone number.

Additionally, banks should:

• Ensure that ATMs have ample lighting and good visibility.

• Install cameras with ample memory to store video recording suspicious activity at ATMs.

• Ensure that technology is installed to alert them when criminals are fitting overlay devices.

About ACCA (the Association of Chartered Certified Accountants): ACCA is the global body for professional accountants with 162,000 members and 428,000 students in 170 countries worldwide. We aim to offer business-relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management.  We work through a network of 89 offices and centers and more than 8,400 Approved Employers worldwide, who provide high standards of employee learning and development.

About Pace University: Since 1906, Pace University has educated thinking professionals by providing high quality education for the professions on a firm base of liberal learning amid the advantages of the New York metropolitan area. A private university, Pace has campuses in New York City and Westchester County, New York, enrolling nearly 13,000 students in bachelor’s, master’s, and doctoral programs in its Dyson College of Arts and Sciences, Lubin School of Business, College of Health Professions, School of Education, School of Law, and Seidenberg School of Computer Science and Information Systems.

About Darren Hayes: Dr. Darren Hayes is an Assistant Professor at Pace University, New York. He is a leading expert in the field of digital forensics and cyber security. In 2013, he was listed as one of the Top 10 Computer Forensics Professors by Forensics Colleges. Hayes has developed a computer forensics program at Pace and has created a computer forensics research laboratory at the Seidenberg School of Computer Science and Information Systems. As a practitioner, he has worked on numerous cases involving digital evidence related to both civil and criminal investigations. Hayes is also a professional consultant in computer forensics and cyberlaw for the Department of Education. He is an accomplished author and is looking forward to publishing his book in 2014 entitled “A Practical Guide to Computer Forensics Investigations”.