By Jim Dudlicek / NGA Director, Communications and External Affairs
Criminals can attach devices called skimmers to point-of-sale (POS) machines/PIN pads to steal card numbers and other information from credit, debit and EBT cards. These devices look like a normal part of a POS machine. They are easy to place and hard to spot, and they help criminals steal benefits from SNAP recipients.
The victims are your customers, and for individuals and families who rely on SNAP benefits to meet their food needs, losing benefits can have a devastating impact.
NGA hosted a recent webinar in which asset protection experts from the U.S. Secret Service explained how to watch out for skimmers and protect your business and your customers from these thieves. The discussion was led by Vincent Porter, contract fraud investigator with the U.S. Secret Service, and Hannah Feldman, investigative analyst with the Secret Service located at the National Cyber Forensics and Training Alliance.
Here are some key takeaways from the discussion:
What are skimming devices? They’re typically designed to look like real POS payment devices and attach to or fit over them, so they can intercept and capture payment card information when customers complete their transactions.
What’s the payoff? Skimmers monetize their stolen data by cloning benefit carts to make illegal ATM withdrawals in rapid succession or purchases of bulk goods.
How often does it happen? The National Cyber-Forensics and Training Alliance maintains a skimming database that includes more than 6,500 suspect images, including surveillance and arrest photos, along with more than 1,000 images of equipment from more than 9,000 unique skimming locations. More than 1,700 skimming devices have been recovered since 2021. The number of skimming incidents rose from 671 in 2021 to 1,068 in 2022. If you’re aware of skimming incidents, report them to firstname.lastname@example.org.
Why are EBT cards targeted? They’re easier to compromise, clone and monetize than credit or debit cards because they don’t have EMV chips, only a magnetic stripe. Some states deposit funds at the same time each month, so offenders know exactly when the EBT funds are available. Additionally, consequences for these crimes at the state level can be minimal.
How big is the problem? Examples of some state losses due to EBT fraud: California loses millions per month, mainly from skimming and illicit cash withdrawals. Maryland reported more than $400,000 stolen in February 2023, nearly $2.4 million in the last year, largely from skimming. New York reports more than $8 million in skimming losses in the last year. Upticks have been reported in Washington, Virginia, Rhode Island and other states.
Skimmers are adapting. Criminals identify vulnerabilities in the system, then exploit them.
Who is responsible? Skimming is largely led by international crime groups from Eastern Europe. Many are Romanian and Armenian nationals who possess fake passports and work in different splintered groups lacking a clearly defined boss, moving between major cities while skimming along the way.
What’s being done to stop it? Federal, state, and local law enforcement agencies are working together as part of cyber fraud taskforces across the country. The Secret Service is working with Romanian authorities to identify suspects, and investigations have targeted manufacturers of skimming devices. Last year, there were 106 skimming arrests in connection with thefts totaling $23 million. So far this year, there have been 65 arrests connected to $25 million in fraud losses.
What can you do? Train and instruct cashiers to physically inspect POS terminals before and after shifts. If skimming devices are discovered, call local law enforcement and shut down the targeted register. Keep an eye on POS terminals and in-store ATMs. Implement an internal process for consistent reporting of incidents. Apply tamper-evident tape on POS terminal edges and install security bars or locking mounts on POS terminals.
For more information, direct questions to https://www.secretservice.gov/contact.