What is digital skimming? Your guide to staying safe while shopping online

There’s a new strain of cybercrime in online retail. It targets consumers going about their everyday business, whether it’s booking flights on a major airline or purchasing concert tickets from their go-to platform.

It’s called digital skimming, also known as e-skimming, online card skimming, or web skimming, and it’s the evolution of an older scam known as card skimming. That’s when criminals install equipment on point-of-sale systems or tiny cameras at ATMS or gas pumps to capture card data. With digital skimming, hackers plant malware at online stores to harvest that information, and it can be harder than physical skimming to detect and can strike more victims at once. 

1. the removal of a substance from the surface of a liquid

2. the practice of concealing gambling or other profits so as to avoid paying taxes, commissions

3. the practice of electronically appropriating account numbers or other confidential data for illegal use

For instance, on one airline website, criminals stole 380,000 passengers’ personal information over two weeks using just 22 lines of computer code. A separate attack on a concert ticket vendor affected 9 million customers in two months.

These breaches can have severe consequences for businesses, including financial losses, damaged reputations and legal repercussions. For their customers, compromised personal information — including payment data — may enable subsequent identify theft or financial fraud.

Here’s what you need to know to stay safe.

What is card skimming?

Card skimming is a scam in which criminals compromise payment machines to steal customers’ card information. Rigged card readers cling unseen to ATMs, gas pumps and point-of-sale systems, secretly capturing card numbers and billing credentials. Keypad overlays or mini cameras record customers’ PINs.

The information can then be transmitted via Bluetooth to a nearby storage device controlled by the attacker.

What is digital skimming?

Digital skimming is card skimming that is carried out over the internet. Instead of concealing surveillance devices on physical machines, criminals sneak malicious code into e-commerce websites to steal the payment data of every customer who uses their cards there.

Digital skimming is even harder to detect than physical skimming, and it can strike more victims at once.

How does digital skimming work?

Digital skimming infects e-commerce sites and apps with computer code that steals payment data. Skimmers weave their instructions into the site’s source code. When unsuspecting customers fill in the checkout forms, the malware copies their card details and personal information.

Hackers also embed harmful code in third-party products, such as shopping cart software. When online merchants integrate these sabotaged tools, they unknowingly infect their own networks. Often, the counterfeit products carry scripts that mask the skimmer’s presence on the customer’s e-commerce site. As a result, it can take years before some merchants notice — and remove — the skimming malware.

How widespread is digital skimming?

Digital skimming is becoming a favorite of cybercriminals. According to Mastercard data, nearly three quarters of publicly disclosed breaches in 2022 involved digital skimming. That year, skimmers infected 4,500 new sites — a 129% increase from 2021 — and the number rose by another 2,700 in 2023.

The FBI estimates that these scams now cost cardholders and banks over $1 billion every year.

What kinds of data are digital skimmers looking for?

Digital skimmers are looking for payment credentials to use in other types of financial crime, such as fraud and theft. They collect credit card details, including card numbers, expiration dates and CVC codes, as well as personal identifiable information, such as the cardholder’s name, address and phone number.

What do criminals do with the information they steal?

The attackers usually sell the stolen information to fraudsters on the black market — in 2023, 416,582 cases of identity theft in the U.S. were facilitated by skimmed credit card data. Fraudsters use the credentials to ransack accounts with unauthorized transactions.

Fraudulent transactions typically begin around five months after the credentials were skimmed, once the card data has been tested for validity and sold. Based on incidents reported to Mastercard, customers who transact at infected merchants are 31% more likely to become victims of fraud.

What will happen if my card gets skimmed?

Card skimmers pose a serious threat to your finances. Cardholders may find their savings emptied, their credit cards maxed out, even their medical records forged as thieves rack up expenses for prescription drugs and other services.

Although cardholders can reverse the losses, they may have to spend hours disputing charges and filling out paperwork. In the meantime, their accounts could be frozen or charged with overdraft fees.  

Mastercard cardholders receive zero liability protection and will not be held responsible for unauthorized transactions if they have used reasonable care in protecting their card from loss or theft, and if they promptly reported the loss or theft to their financial institution. 

How do I know if I've been a victim of digital skimming?

Digital skimming can be tough to detect. The first signs are usually unexpected payments on bank statements and unfamiliar charges on credit card bills. It’s wise to review account statements regularly for anomalies.

How can consumers protect themselves against digital skimmers?

Consumers can protect themselves by exercising vigilance when shopping online. Heed browser warnings about insecure pages, and be on the lookout for unexpected pop-ups, amateurish ads and spelling and grammar errors — this could indicate that the merchant site has been infiltrated or spoofed.

Good digital hygiene can also stop the invasion from spreading if your information is breached. Setting strong, unique passwords and using a trusted VPN to connect to public Wi-Fi networks will prevent the hackers from accessing your other accounts. To limit financial losses, dedicate only one card for online transactions and activate transaction alerts that notify you whenever your card is used.

What makes a website vulnerable to digital skimming?

A website’s vulnerability to digital skimming is strongly linked to the strength of its security systems. Hackers must smuggle their code in through weaknesses in the site’s defenses. Just as a burglar would pass up a bank for a house with an open window, skimmers target websites with poor cybersecurity.

Outdated software is the prime culprit: According to an analysis by Mastercard’s Cyber Analytics Research team, merchants with at least one critical software vulnerability are 3.3 times more likely to fall prey to a digital skimmer. Those who habitually neglect to patch security gaps with updates are 12 times more likely.

How can companies protect themselves against digital skimmers?

Companies can protect themselves against digital skimmers by erecting and maintaining stringent safeguards. Staying current with software updates is a key defense; businesses should encrypt all data transmission, thoroughly vet third-party tools, and scan their source code for unauthorized changes.

To curb harm to customers in case of an attack, businesses should collect the minimum customer data required for any transaction; backing up the site’s code and databases will allow it to be restored quickly, minimizing disruptions. 

To manage this type of cyber risk at scale, businesses must be constantly on the lookout for signs of a breach, in both their own sites and the tools they integrate. That’s where artificial intelligence comes in. Automated risk management tools harness open-source intelligence and machine learning to help businesses fortify their defenses and evaluate the cyber hygiene of third-party vendors.