October 10, 2024
There’s a new strain of cybercrime in online retail. It targets consumers going about their everyday business, whether it’s booking flights on a major airline or purchasing concert tickets from their go-to platform.
It’s called digital skimming, also known as e-skimming, online card skimming, or web skimming, and it’s the evolution of an older scam known as card skimming. That’s when criminals install equipment on point-of-sale systems or tiny cameras at ATMs or gas pumps to capture card data. With digital skimming, hackers plant malware at online stores to harvest that information, and it can be harder than physical skimming to detect and can strike more victims at once.
Card skimming is a scam in which criminals compromise payment machines to steal customers’ card information. Rigged card readers cling unseen to ATMs, gas pumps and point-of-sale systems, secretly capturing card numbers and billing credentials. Keypad overlays or mini cameras record customers’ PINs.
The information can then be transmitted via Bluetooth to a nearby storage device controlled by the attacker.
Digital skimming is card skimming that is carried out over the internet. Instead of concealing surveillance devices on physical machines, criminals sneak malicious code into e-commerce websites to steal the payment data of every customer who uses their cards there.
Digital skimming is even harder to detect than physical skimming, and it can strike more victims at once.
Digital skimming infects e-commerce sites and apps with computer code that steals payment data. Skimmers weave their instructions into the site’s source code. When unsuspecting customers fill in the checkout forms, the malware copies their card details and personal information.
Hackers also embed harmful code in third-party products, such as shopping cart software. When online merchants integrate these sabotaged tools, they unknowingly infect their own networks. Often, the counterfeit products carry scripts that mask the skimmer’s presence on the customer’s e-commerce site. As a result, it can take years before some merchants notice — and remove — the skimming malware.
Digital skimming is becoming a favorite of cybercriminals. According to Mastercard data, nearly three quarters of publicly disclosed breaches in 2022 involved digital skimming. That year, skimmers infected 4,500 new sites — a 129% increase from 2021 — and the number rose by another 2,700 in 2023.
The FBI estimates that these scams now cost cardholders and banks over $1 billion every year.
Digital skimmers are looking for payment credentials to use in other types of financial crime, such as fraud and theft. They collect credit card details, including card numbers, expiration dates and CVC codes, as well as personally identifiable information, such as the cardholder’s name, address and phone number.
The attackers usually sell the stolen information to fraudsters on the black market — in 2023, 416,582 cases of identity theft in the U.S. were facilitated by skimmed credit card data. Fraudsters use the credentials to ransack accounts with unauthorized transactions.
Fraudulent transactions typically begin around five months after the credentials were skimmed, once the card data has been tested for validity and sold. Based on incidents reported to Mastercard, customers who transact at infected merchants are 31% more likely to become victims of fraud.
Card skimmers pose a serious threat to your finances. Cardholders may find their savings emptied, their credit cards maxed out, even their medical records forged as thieves rack up expenses for prescription drugs and other services.
Although cardholders can reverse the losses, they may have to spend hours disputing charges and filling out paperwork. In the meantime, their accounts could be frozen or charged with overdraft fees.
Mastercard cardholders receive zero liability protection and will not be held responsible for unauthorized transactions if they have used reasonable care in protecting their card from loss or theft, and if they promptly reported the loss or theft to their financial institution.
Digital skimming can be tough to detect. The first signs are usually unexpected payments on bank statements and unfamiliar charges on credit card bills. It’s wise to review account statements regularly for anomalies.
Consumers can protect themselves by exercising vigilance when shopping online. Heed browser warnings about insecure pages, and be on the lookout for unexpected pop-ups, amateurish ads and spelling and grammar errors — this could indicate that the merchant site has been infiltrated or spoofed.
Good digital hygiene can also stop the invasion from spreading if your information is breached. Setting strong, unique passwords and using a trusted VPN to connect to public Wi-Fi networks will prevent the hackers from accessing your other accounts. To limit financial losses, dedicate only one card for online transactions and activate transaction alerts that notify you whenever your card is used.
A website’s vulnerability to digital skimming is strongly linked to the strength of its security systems. Hackers must smuggle their code in through weaknesses in the site’s defenses. Just as a burglar would pass up a bank for a house with an open window, skimmers target websites with poor cybersecurity.
Outdated software is the prime culprit: According to an analysis by Mastercard’s Cyber Analytics Research team, merchants with at least one critical software vulnerability are 3.3 times more likely to fall prey to a digital skimmer. Those who habitually neglect to patch security gaps with updates are 12 times more likely.
Companies can protect themselves against digital skimmers by erecting and maintaining stringent safeguards. Staying current with software updates is a key defense; businesses should encrypt all data transmission, thoroughly vet third-party tools, and scan their source code for unauthorized changes.
To curb harm to customers in case of an attack, businesses should collect the minimum customer data required for any transaction; backing up the site’s code and databases will allow it to be restored quickly, minimizing disruptions.
To manage this type of cyber risk at scale, businesses must be constantly on the lookout for signs of a breach, in both their own sites and the tools they integrate. That’s where artificial intelligence comes in. Automated risk management tools harness open-source intelligence and machine learning to help businesses fortify their defenses and evaluate the cyber hygiene of third-party vendors.
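One concrete form of the "scan their source code for unauthorized changes" and "vet third-party tools" advice is a scheduled integrity check of the checkout page itself: record which scripts the page is supposed to load, then compare every freshly served copy against that baseline. The following is an added, constructed example written for this article; it is not Mastercard tooling and not code from the article. The baseline layout, the function names, the two sample pages and the `.invalid` hostnames are all assumptions made for the illustration.

```python
"""Baseline-compare the <script> tags on a checkout page to spot unauthorized changes.

Added illustration (not Mastercard's tooling): a merchant keeps a baseline of the
scripts its checkout page is supposed to load -- the SHA-256 of each inline script
and the hosts that third-party scripts may come from -- and re-scans the served
page on a schedule. Anything outside the baseline is reported for review.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external (src, integrity) pairs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # list of (src, integrity attribute or None)
        self.inline = []     # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._in_inline = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sri_value(script_text):
    """Subresource Integrity value (sha384, base64) to pin a vetted vendor script."""
    digest = hashlib.sha384(script_text.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def build_baseline(known_good_html, allowed_hosts):
    """Record the approved state: inline script hashes plus allowed script hosts."""
    p = ScriptCollector()
    p.feed(known_good_html)
    p.close()
    return {"inline_hashes": {sha256_hex(b) for b in p.inline},
            "allowed_hosts": set(allowed_hosts)}


def scan_checkout_page(html, baseline):
    """Compare a served page against the baseline; return (kind, detail) findings."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src, integrity in p.external:
        host = urlparse(src).hostname        # None for same-origin relative URLs
        if host is None:
            continue
        if host not in baseline["allowed_hosts"]:
            findings.append(("unapproved-host", src))
        if integrity is None:
            # Without SRI the browser cannot notice if the vendor's file was altered.
            findings.append(("missing-integrity", src))
    for body in p.inline:
        h = sha256_hex(body)
        if h not in baseline["inline_hashes"]:
            findings.append(("unknown-inline-script", h[:16]))
    return findings


# Constructed sample pages; hostnames use the reserved .invalid TLD.
KNOWN_GOOD_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.vetted-vendor.invalid/cart.js"
        integrity="sha384-EXAMPLEVALUE" crossorigin="anonymous"></script>
<script>window.__cfg = {currency: "USD"};</script>
</head><body><form id="checkout"><input name="card"></form></body></html>"""

# The same page after an unauthorized change: one extra third-party script and an
# edited inline block, the kind of difference an injected skimmer produces.
TAMPERED_PAGE = KNOWN_GOOD_PAGE.replace(
    '<script>window.__cfg = {currency: "USD"};</script>',
    '<script src="//stats-collector.invalid/t.js"></script>\n'
    '<script>window.__cfg = {currency: "USD", t: 1};</script>')

BASELINE = build_baseline(KNOWN_GOOD_PAGE, allowed_hosts={"cdn.vetted-vendor.invalid"})


def demo():
    """Scan both pages: the known-good page is clean, the tampered one is not."""
    return {"clean": scan_checkout_page(KNOWN_GOOD_PAGE, BASELINE),
            "tampered": scan_checkout_page(TAMPERED_PAGE, BASELINE)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no changes detected")
```

The check is deliberately simple: it treats any new script host, any cross-origin script without an `integrity` attribute, and any inline script whose hash is not in the baseline as something a person must review. Rebuild the baseline only after a deliberate, reviewed deployment, otherwise an unauthorized change becomes the new normal.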