Difficult to detect and very worrying: what is “shimming,” this new bank card scam?

A devious method that's enough to make you paranoid. The Signal Arnaques website, which lists scams and guides victims in their efforts to obtain compensation, issued a warning on Friday about "shimming." This fraud allows hackers to hijack banking data and siphon off accounts without their targets noticing. The modus operandi, precautions to take... We take a look.
"The principle is to place a device on a card reader (for example on an ATM or a gas pump) that records the data of all the cards that pass through it," explains Signal Arnaques in its message broadcast on X.
This small electronic device, called a "shimmer," can be inserted into any credit card reader. According to the National Cybersecurity Alliance, it is inserted into the chip card slot. It then transmits all banking information to a remote hacker. If a customer enters their credit card PIN into a booby-trapped machine, the criminals will also have access to it, in addition to the banking information.
Once the information is obtained, hackers have all the elements necessary to empty their victims' bank accounts. As we revealed on June 19, scammers managed to extract large sums of money from Madrid and Barcelona after placing "shimmers" on the terminals of a gas station in Vitry-sur-Seine (Val-de-Marne).
After arresting the four suspects in Essonne a few days later, investigators conducted several searches. They found shimming equipment and just under €9,000 in cash, confirming their suspicions.
Skimming is a similar scam that has been on the radar of authorities for several years. "The difference is slight: while skimming records data via the card's magnetic stripe, shimming uses the card's chip," explains Signal Arnaques.
This is what makes the scam so difficult to guard against: victims can't really anticipate it. Since the "shimmer" is virtually undetectable, it's impossible to know whether a payment terminal, whatever its type, has been rigged by a hacker.
"The only real way to avoid becoming a victim is to monitor your accounts and report any unusual activity to your bank," advises Signal Arnaques. "You must then be reimbursed in accordance with the Monetary and Financial Code."
On the other side of the Atlantic, the National Cybersecurity Alliance claims that contactless payment, or payment via a smartphone's digital wallet, helps prevent people from falling victim to this fraud.
According to the Paris prosecutor's office, the Vitry-sur-Seine gas station may not have been the only target of these scammers. Since the team is mobile, other gas stations and ATMs in France may have been equipped with the same devices. A police source told us on June 19 that the damage was currently being assessed.
In 2023, shimming represented, according to data from the Payment Security Observatory, an estimated financial loss of €36,000 in France. This amount is down from the previous year, when nearly €50,000 was embezzled.
Le Parisien