What we discovered
Our network-wide view makes us uniquely suited to understanding the complexities of digital skimming attacks — and to helping businesses find solutions.
A website’s vulnerability to digital skimming is usually strongly linked to the strength of its security systems. Hackers must smuggle their code into the site through some weakness in its defenses. Just as a cat burglar would pass up Fort Knox for a suburban house with an open window, skimmers tend to target websites with poor cybersecurity.
Those cybersecurity solutions are not for businesses alone. They also create an environment where consumers are free to shop online without fear. With advanced tools and real-time, global-scale data, we can work together to fight cybercrime and help build a financial system that is safer for everyone.
There’s a new strain of cybercrime out there. And it’s targeting consumers as they go about their everyday business — such as ordering clothes from a favorite department store, buying concert tickets or booking flights.
It’s called digital skimming.
In this twist on cybertheft, hackers plant malware at online stores so they can harvest consumer data. Once they have it, they can cause damage that reaches far and wide. For instance, over the course of two weeks, criminals stole data linked to 380,000 passengers through a national airline’s website. Another attack, on a concert ticket vendor, lasted two months and affected 9 million customers.
The advanced sequel to credit card skimming
Like a virus hijacking a cell by splicing its genetic material into the host’s DNA, skimmers weave their malware into the e-commerce site’s source code. When unsuspecting customers fill out the payment form, the malware copies their card details and personal information. The attackers then sell the credentials to fraudsters on the black market.
You may have heard of physical skimming, which is when fraudsters rig credit card readers or conceal pinhole cameras in the corners of ATMs, gas pumps and point-of-sale systems, secretly capturing customers’ credit card information. Digital skimming is even harder to detect and can strike more victims at once. Instead of hiding surveillance devices on individual machines, criminals sneak malicious code into e-commerce sites and then steal the payment data of every customer who shops there.
A growing threat
Difficult to trace and offering huge economies of scale, digital skimming — also known as electronic skimming or e-skimming — is quickly becoming a go-to for cybercriminals.
More than 19M companies, across over 40 industries, including some 13M e-commerce sites
Nearly 3/4 of the publicly disclosed breaches in 2022 involved digital skimming
In 2022, skimmers infected 4,500 new sites — a 129% increase from 2021 — and the count rose by another 2,700 in 2023.
The FBI estimates that these scams now cost cardholders and banks over $1 billion annually.
What’s concerning is that anyone could be a victim
Any website that collects payment data and any consumer who shops online is at risk. The results can be devastating. Businesses may face financial losses, damaged reputations and legal repercussions. Cardholders may find unexpected payments on their bank statements and unfamiliar charges on their credit card bills.
Understanding the problem
To gain more insight into how businesses can potentially defend against these attacks, Mastercard’s Cyber Analytics Research team analyzed the records of nearly 6,500 digital skimming events for a report entitled “Digital Skimming: How to Stay Protected.”
Outdated software is the prime culprit
Merchants with at least one critical software vulnerability were 3.3 times more likely to fall prey to a digital skimmer.
Those who habitually neglected to patch security gaps with updates — earning a “C” rating from a risk ratings platform such as RiskRecon — were 12 times more likely.
In many cases, the software had gone out of date less than a month before the skimmers hit.
Through RiskRecon, Mastercard continuously monitors
And when it comes to managing this type of cyber risk at scale, continuous monitoring is crucial. That’s where AI comes in. Automated risk management tools harness open-source intelligence and machine learning to help businesses fortify their own defenses and evaluate the cyber hygiene of third-party vendors. RiskRecon, a risk-rating platform from Mastercard, constantly tracks activity and then uses a proprietary algorithm to provide real-time risk assessment and steps to help mitigate risk, thwarting attacks and helping to prevent bad actors from infiltrating a business’s cyber assets.
In 2022, 441,882 cases of identity theft in the U.S. were facilitated by skimmed information [1].
One of the remedies, then, is to put in place — and maintain — stringent safeguards.
Staying current with software updates is a key defense; businesses should also encrypt all data transmission, thoroughly vet third-party tools and scan their source code for unauthorized changes.
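One way to act on the last of those recommendations, scanning served source code for unauthorized changes, shown as an added example (not code from Mastercard or RiskRecon): an SRI-style hash baseline for the checkout page’s scripts is recorded at deploy time, and a later crawl of the live page is compared against it. The script names, their contents and the audit function are constructed for illustration.

```python
import base64
import hashlib


def sri_digest(content: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) for one script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def build_baseline(scripts: dict) -> dict:
    """Record the approved digest of every script served on the page."""
    return {name: sri_digest(body) for name, body in scripts.items()}


def audit_scripts(baseline: dict, observed: dict) -> dict:
    """Compare the scripts seen on the live page with the approved baseline.

    Returns three lists: scripts whose content changed, scripts the baseline
    never approved (the typical footprint of an injected skimmer), and approved
    scripts that have disappeared.
    """
    findings = {"modified": [], "unexpected": [], "missing": []}
    for name, body in observed.items():
        if name not in baseline:
            findings["unexpected"].append(name)
        elif sri_digest(body) != baseline[name]:
            findings["modified"].append(name)
    findings["missing"] = [name for name in baseline if name not in observed]
    return findings


# Constructed sample: scripts approved for the checkout page at deployment time.
APPROVED = {
    "checkout.js": b"function submitPayment(f){return fetch('/api/pay',{method:'POST',body:new FormData(f)});}",
    "vendor/analytics.js": b"window.track = function(e){ /* approved analytics */ };",
}
BASELINE = build_baseline(APPROVED)

# Constructed sample: what a later crawl of the live page observes. checkout.js
# carries content that is not in the approved version, and a script the
# baseline never listed has appeared.
OBSERVED = {
    "checkout.js": APPROVED["checkout.js"] + b"\n/* content not present in the approved build */",
    "vendor/analytics.js": APPROVED["vendor/analytics.js"],
    "static/helper.js": b"/* script not present in the approved baseline */",
}


def run_audit() -> dict:
    return audit_scripts(BASELINE, OBSERVED)


if __name__ == "__main__":
    for category, names in run_audit().items():
        print(category, names)
```

The same `sha384-…` value is what a `<script integrity="…">` attribute expects, so the baseline doubles as SRI values for scripts loaded from third-party hosts.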
1. https://www.ftc.gov/system/files/ftc_gov/pdf/CSN-Data-Book-2022.pdf
Digital skimming: How cybercriminals are using a new form of attack against unexpecting online shoppers
EVOLUTION OF FRAUD