Cyberthieves are now combining two crimes – skimming consumers’ card information and then making spoofing phone calls to pretend they are from your bank – to commit fraud. Here’s how to protect your data when using your card at an ATM or a gas pump.
You might be worried about someone skimming your credit or debit card information at the gas pump, or calling you up and pretending to be from your bank, trying to get your personal or financial information.
Now cyberthieves are combining the two crimes – skimming consumers’ card information and then making spoofing phone calls to pretend they are from your bank. They say your card has been compromised and they need your security code to freeze your account, according to Florida’s attorney general.
The scammers instead use the information to run up your credit card bills, drain your bank account or sell your information on the dark web.
“This scam incorporates some of the worst uses of modern technology to drain victims’ bank accounts and ruin their credit. Floridians must arm themselves with the latest information and take steps to avoid these fraudsters to protect their hard-earned money,” Florida Attorney General Ashley Moody said in a news release.
“It’s not surprising to me that schemers combine the two types of fraud,” says John Breyault, a vice president at the National Consumers League.
While Florida seems to be ground zero for the crime, “It wouldn’t be a surprise to see this pop up in other states. Bad guys share information on what works,” Breyault says.
Skimming seems to make headlines around the country on a daily basis as bad guys plant skimmers at gas pumps or ATMs.
They may put a fake keyboard over a real one to capture keystrokes or place a card reader on top of the legitimate one. They may plant hidden cameras near an ATM to steal your information as you type. Some skimmers are so tiny they are almost impossible to spot.
Previously, the crooks had to return to the scene of the crime to remove the skimmers and access your information. Now, with Bluetooth-enabled technology, they are able to sit in a nearby car or building and retrieve your information.
The fraud analytics firm Rippleshot reports that a single gas pump with a skimming device can steal data from 30 to 100 cards a day.
Even using an EMV card doesn’t save you from skimming because data is still on the magnetic stripe on your card. Breyault says the stripe has your name, account number and card expiration date. Once they have your name “it’s not that difficult to get your phone number.”
Once the bad guys have that information from your card, they can turn to spoofing. They mask the number they are calling from, and it shows up on your caller ID as a call from your financial institution.
They’ll ask for your security code – ostensibly to freeze your credit or debit card – and instead use the information for their own financial gain. They might run up charges on your card, withdraw cash from your bank account or sell your personal information to other scammers. The more information they have, the more money they can get from selling it on the dark web.
The skimming and spoofing scam isn’t brand new, although it seems to be gaining traction in Florida.
Humberto Gauna, an information security consultant at BTB Security who lives near Chicago, says he fell victim to such a scam three years ago. He says the skimming and spoofing scam hasn’t been as prevalent as other scams because it takes the extra step of finding someone’s phone number.
Gauna cautions that credit card companies often will try to verify your identity by asking for more of your personal information, such as your address and date of birth, and scammers might try the same tactic. “Once you have verified that information you just gave some key answers if they want to impersonate you” with a financial institution.
See related: Another form of card skimming: ‘Shimming’
New gadget could put the kibosh on skimmers
Some companies and law enforcement agencies are preparing to make it harder for thieves to reap credit card information from gas pumps, ATMs and point-of-sale devices.
Researchers at the University of Florida have developed the Skim Reaper, a device that detects the presence of a skimmer, says Patrick Traynor, an associate professor in the Department of Computer and Information Science and Engineering at the university and co-director of the Florida Institute for Cybersecurity Research.
The university is expecting to ship its first 100 devices this month. The Skim Reaper is about the size of a credit card, and law enforcement officers and merchants can insert the device into a card reader and it will immediately detect if a skimmer is hidden there.
“Anyone who works there can quickly determine if they have a problem,” Traynor said.
If a business uses the Skim Reaper two or three times a shift, it will limit the amount of time a skimmer can be hidden in a card reader, he says.
Eventually, the Skim Reaper may also be available for consumers.
To protect yourself from falling prey to the skimming and spoofing scam, Gauna recommends checking an ATM or gas pump before you use it. Inspect it to make sure nothing looks amiss, and tug on it to be sure nothing is loose.
“If you frequent a place, you should be familiar with what those card slots look like,” he says.
Breyault recommends using your credit card rather than your debit card. Credit cards have better protections, such as a $50 limit on fraud liability, and card issuers usually won’t hold you responsible if you report the fraud.
Your credit card company will also take the charge off your bill while it is disputed. With a debit card, if a fraudster rings up $500 in purchases, your financial institution might freeze $500 in your account until the dispute is resolved, he says.
Also, be sure to check your bank account and credit card statements regularly to look for fraudulent charges, Gauna says.
If someone calls purporting to be from your financial institution, you don’t have to answer their questions, he says. Instead, you can ask the caller questions, such as what the ZIP code is for the account, to see if the caller has your actual information.
If you’re suspicious, hang up and call the bank directly.
“We all have the number to call on the back of the card,” Gauna says.