
How to Protect Yourself From Credit Card Fraud: Scams, Skimmers, and Phishing

By Abigail Welles | Sep 20, 2019 | Updated Oct 02, 2019

While there may never be a shortage of scammers and fraudsters working vigilantly to steal your personal information, there are always ways to be diligent about protecting yourself from potential threats.

Keep reading to learn how to prevent credit card fraud and the resulting unauthorized charges, which, if not caught and removed, can have long-lasting negative effects on your credit scores.

Credit Card Scams to Watch Out For

The first step in protecting yourself from scams is to know which ones to look out for. Recognizing the possible signs of the many different scams can help you be more proactive in defending yourself.

Credit Card Skimming

A card skimmer found on an ATM at a 7-Eleven. Image credit: WXYZ Detroit

You make your weekly stop for gas at the same station you always do. When you go to insert your card into the terminal, it doesn’t slide as smoothly as usual but you don’t think much of it. Later that week, you receive a text alert from your issuer claiming that suspicious activity occurred on your account. But how could this have happened?

Credit and debit card skimming devices fit over real card readers, and are strategically designed to look like the authentic readers. When you swipe your card, the skimmer captures the information associated with the magnetic strip, such as card numbers and PINs, and stores it.

There are similar devices that replicate keypads, allowing fraudsters to capture PINs by other means. And in some cases, thieves may set up tiny hidden cameras nearby to spy on people as they enter their PINs.

Keypad overlay used to capture PINs. Image credit: Krebs on Security

The fraudster may return to the skimmer to remove it and download the stored information. Other systems allow the information to be downloaded remotely.

Skimmers don’t need to interfere with the normal operation of the reader; you may use your card successfully and go about your business, never knowing your information was nabbed in the process.

Credit Card Shimming

Shimming is a relatively new scam, which evolved from skimming when chip cards were created to help defend cardholders from theft. Where skimmers are used to steal data during mag strip transactions, shimmers are used for chip transactions: either chip-and-signature or chip-and-PIN.

Shimmers are paper-thin devices with their own readers and storage, which are inserted into the slots in card terminals. When a card is dipped into the device, the information is stored in the shim. While the information stored in the shim can’t be used to replicate another chip card, scammers can create a version of the stolen card with a magnetic strip.

Razor-thin shimmer device. Image credit: PC Magazine

As with skimmers, always check to see if a terminal has been tampered with before inserting your card. Tampered terminals may have torn security labels or could seem tighter when you try to insert your card. If this is the case, cancel the transaction immediately. Shimmers are still relatively rare, thankfully, and chip transactions are still quite secure in most cases.

Phone Scams

One man in Fontana, California, received a call from the IRS demanding a hefty payment in order to avoid arrest. The price? $2,200 in Target gift cards. After the two women who orchestrated this phone scam (and successfully received their gift card payment) were arrested, it was found that they were part of a large phone scam ring wreaking havoc on the entire nation. $900,000 in gift cards and goods were found in their apartment.

Fraudsters will reach out with unsolicited calls to pressure you to send over money or personal information. They may pitch elaborate giveaways ("You’ve just won an all-inclusive vacation to Cuba! All you have to do is send over a security deposit to secure your cabin!") or impersonate a federal organization like the IRS and prey on the natural fear of arrest.

Robocalls saw a 57% increase from 2017 to 2018, with over 47.8 billion robocalls sent out in the United States alone. These deliver pre-recorded messages from a living person or an automated voice, and are used by scammers as a cheap and easy way to target large numbers of people from any location.

Phone scams also go beyond calls. Text messages are suspect too, thanks to a method called “smishing” — short for “SMS phishing.” Smishing is basically phishing with text messages. Never click on any attachments or follow any links sent to you from unknown numbers. If you do, malware may be downloaded onto your device.

Phishing

Phishing scams target a potential victim, typically through email, pretending to be a reputable agency or company.

Two recent phishing scams are targeting users of Facebook and Instagram. The first targets users of Facebook Messenger, through which the scammer will impersonate a friend of the user. Scammers will send malicious video links with a baity message like “Is this you?” or a call to action to open the video.

The second scam reaches out to Instagram users as Instagram itself, claiming accounts will be suspended for violating the social media network’s copyright laws. It prompts users to fill out a Copyright Objection Form, but it’s actually a scheme to obtain your login details.

Screenshot of a fake Copyright Infringement message sent to Instagram users. Image credit: Naked Security

Scammers leverage credibility by impersonating established companies, to steal personal information or bait victims into clicking malicious links.

How to Protect Yourself From Credit Card Skimmers and Shimmers

Always Go to the Source

Your safest bet is to always go into the station itself to pay for gas or visit an actual teller when withdrawing cash rather than use an ATM. A card reader in front of a cashier is always harder for a scammer to target.

The safest form of payment for avoiding skimmers is to simply opt for cash — some gas stations may even offer a small discount on the cash price of gasoline (although it may be less than what you can earn with a good gas credit card).

Feel for Foul Play

Before inserting or swiping your card, always check to see if the card reader is firmly attached. If there is movement, or if your card doesn’t slide in properly, it may have been tampered with. Look for signs of small cameras near the keypad, which could be used to record your PIN.

Pay With a Mobile Wallet

Mobile wallets, like Apple Pay, Google Pay, and Samsung Pay, provide another layer of security when opting for cashless payment methods. While the primary perk of digital wallets is their convenience factor, they use encryption technology to protect the information on your cards, so your actual card data is never involved in the transaction.

Use an App

If you’re an Android user, you may benefit from the Skim Plus smartphone app, which is meant to detect Bluetooth skimmers and will plot any located skimmers using Google Maps. There’s at least one iPhone app as well, but it doesn’t have great reviews; users may expect more iOS-compatible skimmer apps in the future, if any enterprising developers take up the task.

Bluetana, another Bluetooth skimmer locator, is an app currently used by law enforcement. So far it’s been able to detect 64 skimmers within seconds across the several states it’s being used in, which weren’t found using existing scanning technology. Bluetana is not currently available to the public.

How to Protect Yourself From Phone Scams

Identifying a Potential Phone Scam

While Frank Abagnale is most recognizable as the inspiration for Leonardo DiCaprio’s character interpretation in Steven Spielberg’s film “Catch Me If You Can,” the former con artist now serves as a professional security consultant for the FBI. He trains agents to fight back against scams, and offers advice to consumers as well.

Does an unsolicited caller who wants to hand over a small fortune you won in a foreign lottery sound too good to be true? It probably is. Abagnale highlights a few common signs that you’re dealing with a scammer:

  • Request for action: The caller instructs you to write something down or demands basic information. Abagnale says scammers will do this to take control and put you in a vulnerable position.
  • Demanding additional fees: The caller may present a prerequisite to receiving your “exotic getaway to Mumbai” or “New Zealand lotto winnings,” like a handling fee. Prize offers will never require a payment to claim.
  • Urgent tone: The scammer may sound frantic and speak quickly, demanding that you make an immediate decision.
  • Request for payment: If the phone conversation involves an ask for any type of payment, especially an untraceable source such as a gift card or wire transfer to an unverified account, it’s probably a scam.

Phone scams may appear as:

  • Charities asking for donations
  • Foreign lotteries identifying you as a winner
  • Sweepstakes and prizes, like a free Marriott vacation
  • Calls from your bank, credit card company, or utility company
  • Tech support calls wanting to help you with computer issues
  • Urgent requests that require immediate feedback
  • Threatening calls purporting to be from the IRS or FBI

An example script of a phone scam, where a fraudster tries to lure a victim (the “mooch”) into “investing.” Image credit: NY Attorney General

Do Your Research

Always research any information the caller provides. Skilled scammers can make phone calls seem legitimate by masquerading as banks or government agencies, and sometimes they’re quite good at it.

Fact check company names the caller claims to be associated with. Hang up and call the company, bank, or other organization directly via an official number to confirm the call’s legitimacy. Contacting an official number will give you the opportunity to check whether or not the call you received was real.

How to Protect Yourself From Phishing

Phishing has evolved in both its approach to and depth of deception, and now exists beyond the standard email scam. Examples may include:

Deceptive Phishing

If you receive an email from what appears to be a legitimate company, like Microsoft or your bank, threatening to deactivate your account or claiming suspicious activity requires you to sign in to your account, you may be dealing with a common type of phishing. An urgent tone is typically used to intimidate recipients into handing over personal information.

Legitimate companies will typically never request personal information over email. Look for misspellings in the company’s name, the URL, the appearance of an unknown URL when hovering over a provided link, or messages that don’t use your name — real companies will typically customize the message to use the customer’s name, although scammers can do this too.

Real-life phishing email in which a scammer impersonated a member of Microsoft’s Online Security Team to encourage the recipient to click on a malicious link (“Validate account”). Image credit: Reddit

Spear phishing is a variation of deceptive phishing that is targeted at a specific individual or company. Scammers customize emails to use the recipient’s name in order to better bait them into opening a malicious link or attachment that can steal information. Companies should focus on strengthening their IT and email security to help prevent this.

Newer phishing methods are targeting cloud services such as Dropbox or Google Docs. Scammers will lure users into opening up a shared doc or Dropbox file, which may automatically download malware.

Screengrab of a Dropbox phishing attempt. Note the mark over the second “o” in “Dropbôx” — it shows this isn’t from the actual company. Image credit: MailGuard

CEO Fraud

A fraudster can target employees of a specific corporation through a business email compromise: The attacker poses as the CEO and reaches out to employees through work emails. Signs that you’re dealing with a scammer may include frequent grammatical errors or unusual information being requested.

In one case, Centrify was the target of CEO fraud: scammers reached out to an employee from what appeared to be the boss’s email address. The scammer requested a six-figure wire transfer to an external account, which was almost fulfilled before it was noticed that the ‘f’ and the ‘i’ in Centrify were switched within the fake email.
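The two lookalike tricks described above, the accented “Dropbôx” and the swapped letters in the Centrify email, can both be caught by a simple mail-filter check. The following is an added example, not code from Credit Card Insider or from any of the companies mentioned; the brand list, the function names and the sample strings are assumptions constructed for illustration.

```python
import unicodedata

# Assumed allow-list of brand names an organisation expects to see in mail.
TRUSTED = ("dropbox", "centrify", "microsoft")


def fold(name):
    """Lower-case and strip accent marks, so 'Dropbôx' folds to 'dropbox'."""
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def is_adjacent_swap(a, b):
    """True if b equals a with exactly one pair of neighbouring letters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def classify(name, trusted=TRUSTED):
    """Classify a sender name or domain label against the trusted brands.

    Returns (verdict, brand). Only accent marks and adjacent swaps are
    handled here; other substitutions (e.g. letters from another alphabet)
    fall through to 'unknown' and need a separate check.
    """
    lowered = name.casefold()
    if lowered in trusted:
        return ("exact", lowered)
    folded = fold(name)
    for brand in trusted:
        if folded == brand:
            return ("lookalike-accent", brand)
        if is_adjacent_swap(brand, folded):
            return ("lookalike-swap", brand)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed samples modelled on the two cases in the article.
    for sample in ("Dropbox", "Dropbôx", "centrfiy", "example"):
        print(sample, "->", classify(sample))
```

A message whose sender name or domain comes back as a lookalike is a candidate for quarantine or a warning banner rather than normal delivery.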

Pharming

Rather than reach out via email, attackers hack the Domain Name System (DNS) records of a legitimate website so that, when a user types in that URL, he or she is redirected to a malicious website. This is known as DNS poisoning. The same effect can also be achieved by hacking an individual computer, forcing the user to visit fraudulent sites even when typing in the correct URLs.

DNS poisoning needs to be mitigated by the internet service provider in most cases, but you can make efforts to protect yourself by always using a legitimate ISP that regularly updates its security software. Staying diligent with the latest anti-virus software and security updates can improve your own defenses.

More Tips for Staying Protected

Being educated on the common tactics fraudsters use to steal your personal information is only the first step. It’s also important to practice other forms of defense to help stay protected.

  • Choose credit over debit: Use credit cards over debit cards whenever possible. If the card info is stolen, the fraudster is playing with the bank’s money rather than yours, and credit cards typically have zero liability policies in place so you won’t be held liable for fraudulent charges (debit cards do too, but they’re not as strong).
  • Reach out to an alternative contact: If you receive a suspicious email or phone call from someone claiming to be from a legitimate company, cease contact and locate an official contact email or number to reach back out with. Customer support can verify if the initial message was legit.
  • Monitor your payment card accounts: Whether you use credit or debit, keep an eye on your card statements to check for any fraudulent purchases. In many cases, as long as you report the fraud quickly you won’t be on the hook. But, as mentioned, credit cards tend to have better protections than debit cards, and the fraud resolution process may be quicker and less hassle.
  • Sign up for alerts: Set up alerts with your issuer to catch fraudulent spending. Being aware of suspicious activity as soon as it occurs will give you enough time to contact your card issuer and cancel the card before more damage is done. Look into the security features your issuer offers; some provide apps that can alert you in real time of card activity. If you fear that your identity may have been compromised, you can place fraud alerts on your credit reports as well.
  • Never sign in to accounts on unsecured WiFi: If public WiFi is your only option, refrain from logging in to any websites that manage personal information, such as banking and shopping sites. Turn off the automatic connectivity feature on your device, to prevent yourself from accidentally connecting to a dangerous network. If you need to log in using public WiFi, consider using a VPN.
  • Shred any mail that contains personal info: Always properly dispose of any mail you receive that includes personal account numbers, Social Security numbers, or addresses. Shredding it is the most effective way of ensuring that fraudsters can’t take advantage of your mail.

Despite your best efforts, payment card fraud can happen in many different ways, so it’s good to be informed. Read more about ways to prevent identity theft with credit and debit cards.

If you become a victim of credit card fraud, immediately dispute any unauthorized charges. Alerts on your credit accounts (and credit reports) may only notify you of activity; they don’t necessarily take action for you, so familiarize yourself with ways to fight back against fraud and identity theft.

  • Michael

    Never check your banking info in public or on a public network. Even with a secure VPN like ExpressVPN or Nord I’d still advise caution.