What is the new ‘shimming’ bank card scam in France and how to protect yourself?

Bank card holders in France are being warned of a new scam that is almost impossible to detect or trace and can empty bank accounts in minutes. 

The scam known as ‘shimming’ is when fraudsters place a hidden device on a bank card reader, such as an ATM or at a service station, which can record the data of cards that use them.

Unlike more obvious card number readers or cameras that can be placed at these terminals, the device records the data from the chip or magnetic strip of your bank card. It is difficult to spot, as it is hidden essentially inside the card reader.

It also records information without impacting the bank card – either in appearance or function – leaving victims unaware they have had sensitive data compromised.

The device, known as a shimmer, can remotely send this electronic information to a hacker, who can use it to take money out of an unsuspecting victim’s account. 

The hacker can strike immediately after receiving the information or at any point after, making it difficult to trace the origin of the incident or where the device has been installed.

In addition, hackers can make a counterfeit bank card connected to an account, and use it to make contactless payments, pass road tolls, or be used abroad, which can itself result in additional hefty international fees.

A recent case in June saw four people arrested for ‘shimming’ at a service station in the Parisian suburbs, and using the information to withdraw money from ATMs in Spain.

However, due to the technical complexity required, it is rare to be impacted.

In 2023, around €36,000 was taken from bank accounts using this method, according to the Banque de France. This is compared to around €500 million in bank card fraud using other means.

How can ‘shimming’ be combatted?

Due to the hidden nature of the shimmer and the complete access it grants fraudsters to bank accounts, it is difficult to be proactive against the scam.

One way to avoid this is by using contactless payments, as you do not need to enter your PIN code at the terminal, limiting the access hackers can have to your account. 

However, this form of payment comes with its own set of associated risks. And you cannot avoid entering your code at a terminal when using an ATM or making larger payments. 

“The only real way to avoid falling victim to it is to monitor your accounts and report any unusual activity to your bank,” says the official anti-fraud website Signal-Arnaques. 

If you are the victim of a scam, your money should be reimbursed, as you were not at fault in the incident. 

This is in comparison to other types of scams, such as ‘phishing’, where banks can argue victims willingly handed over their password or personal information to a hacker.