ATM skimming, four ways your card gets cloned.

By Bernard Huang

Editor, tabiji.ai · Published April 30, 2026

ATM skimming and card cloning runs four mechanics across 19 countries: overlay skimmers, shoulder-surf PIN capture, private-ATM machines, and Lebanese-loop card traps. The universal defense is a 60-second routine. Use major-bank ATMs (BNP Paribas, Intesa Sanpaolo, Santander, Bangkok Bank), inside the branch when possible. Wiggle the card slot before inserting; legitimate slots have zero play. Cover the keypad with your free hand on every PIN entry. Stay at the machine until your card and receipt are physically in your hand, ignoring any "helpful stranger" who approaches mid-transaction. Set up real-time card-fraud alerts before you leave home. The clone-to-first-fraud window is typically four to twelve hours; an instant alert lets you freeze the card before the second charge lands.

A scene · Paris Champs-Élysées · 6pm Saturday

The €4,000 cloned in three seconds while a stranger handed you a €20.

You walk up to a standalone ATM half a block off the Champs-Élysées at 6pm on a Saturday because the BNP Paribas queue is fifteen people deep. The standalone says "International Cards Welcome," in five languages. The slot looks normal. You insert your card and start the withdrawal.

Behind you, a man in a windbreaker approaches with a smile and a €20 note in his hand. "Excuse me, monsieur, you dropped this." You half-turn. Your PIN goes into the keypad while your eyes are on him. His partner across the plaza, phone raised like a tourist photo, has just captured your four digits.

The €20 he's holding was always his. While you thank him and turn back, your card is already being swapped for a near-identical decoy by a third person who came up on your other side. You finish the withdrawal, take the cash and the wrong card, and walk away. By the time your bank flags the cloned-card transactions in Marseille that night, you're €4,000 in.

That is the universal mechanic, executed at the Paris archetype: a private ATM with skimming hardware, plus a three-person team running shoulder-surf PIN capture and a card swap. A March 2025 DailyMail investigation estimated 1 in 10 tourists to France, 212,000 people across five years, had been scammed, with ATM fraud a significant contributor. The same crews work the Champs-Élysées, the Marais, Montmartre, and the perimeter of Sacré-Cœur. Le Parisien publishes annual coverage of the Champs-Élysées card-fraud belt; arrests are made in cycles and the activity resumes within weeks.

The rest of this page is the four-mechanic playbook, the four other cities where it runs, and the 60-second wiggle-cover-stay routine that defeats every variant.

Read the full Paris scam guide →

The wiggle-cover-stay routine

ATM skimming depends on you not noticing for the seconds it takes to capture your card data and PIN. The capture itself is fast, under three seconds, but unwinding it after a clone is in the wild requires hours of bank disputes and possibly an embassy visit if your access to cash is gone. The defensive routine is a 60-second sequence that runs once per ATM, in any country.

1. Use major-bank ATMs only, inside the branch when possible. France: BNP Paribas, Crédit Agricole, Société Générale, LCL. Italy: Intesa Sanpaolo, UniCredit, Banca Nazionale del Lavoro. Spain: Santander, BBVA, CaixaBank. Thailand: Bangkok Bank, Kasikornbank, Siam Commercial Bank. Czech Republic: Česká spořitelna, ČSOB. Avoid pharmacy, mini-market, hotel-lobby, and standalone street-kiosk ATMs entirely. The fraud rate at non-bank ATMs is 5–10× the bank-branch rate; the fee saving is 1–2%.
2. Wiggle the card slot before inserting. Overlay skimmers are loosely attached to the legitimate slot. A firm wiggle reveals plastic that comes off in your hand or rocks suspiciously. The genuine slot has zero play. Five seconds defeats every overlay-skimmer variant; takes longer to explain than to perform.
3. Cover the keypad with your free hand on every PIN entry. Cup your free hand over the keypad as you type. Defeats both shoulder-surf observers and pinhole cameras hidden in the faceplate. One second; the universal defense against PIN capture across all four sub-variants.
4. Stay at the machine until your card and receipt are physically in your hand. Do not turn around for any approach: a dropped bill, asked directions, a tap on the shoulder. The Lebanese-loop card-trap and the swap-during-distraction variants both depend on you breaking eye contact. If anyone approaches, finish the transaction first or cancel and walk away. The thirty seconds after PIN entry are when both lift variants execute.
5. Set up real-time card-fraud alerts before you travel. Most major issuers (Chase, Amex, Capital One, Wise, Revolut) offer push notifications on every transaction. Enable them. Keep a backup card from a different network in a separate physical location so a single compromise does not strand you. The clone-to-first-fraud window is typically 4–12 hours; instant alerts let you freeze before the second charge lands.

The four mechanics

Different countries and different operator crews lean on different mechanics within the same family. Here are the four sub-variants documented globally. Each has a recognition tell, a primary geography, and the routine step that defeats it.

Where it runs

ATM skimming concentrates where two conditions overlap: dense tourist foot traffic and prevalence of non-bank ATMs. Western Europe and Southeast Asia account for over 70% of documented variants.

Bar width is data-bound at 10 pixels per documented variant. The eight countries above account for 39 of 45 total variants, or 87% of the global atlas.

Four more cities, four more variants

The Champs-Élysées scene above showed the shoulder-surf and card-swap stack. Here are four more cities where different sub-variants dominate. Each links to the full city scam guide.

Barcelona, Spain · Las Ramblas & Gothic Quarter Overlay Skimmer · Pinhole Camera

You step off Las Ramblas into a covered passageway housing a standalone ATM in front of a souvenir shop. The screen shows the bank network logos and "International Cards Welcome." The slot looks normal but the faceplate around it is a slightly off-color beige. You wiggle the slot before inserting; it rocks. The overlay comes off in your hand. The Las Ramblas and Gothic Quarter perimeter run overlay-skimmer hardware on standalones near Plaça de Catalunya, the Liceu Metro entrance, and the small alleys feeding off Carrer de Ferran. Pinhole cameras above the keypad pair with the overlay; the combination captures both stripe and PIN. The Mossos d'Esquadra publish quarterly card-fraud arrest numbers; Las Ramblas accounts for 30 to 40% of Barcelona's tourist-card-fraud incidents. Defense: walk back up Las Ramblas to the BBVA, Santander, or CaixaBank branch ATMs around Plaça Catalunya. The 200-meter walk saves four-figure cloning losses. The Mossos Tourist Help line at +34 932 903 000 takes English-language reports.

Read the full Barcelona scam guide →

Bangkok, Thailand · Sukhumvit & Khao San Private-ATM Machine

You walk into a 24-hour mini-market on Soi Sukhumvit 11 at 11pm because the BTS Asok station ATMs are gated after midnight. The mini-market has a standalone ATM near the back, branded "AEON" or "Easy Pass" or just "ATM" with no bank logo. You withdraw 5,000 baht. Two days later, your bank flags 80,000 baht in transactions you did not authorize, all stamped Bangkok. The Sukhumvit and Khao San private-ATM circuit is documented through Bangkok Post, Khaosod English, and r/Thailand threads as the highest-density skimming exposure in Southeast Asia. The Tourist Police Bangkok line at 1155 (24/7, English-speaking) accepts card-fraud reports; the report number is what your card issuer needs for chargeback under Visa/Mastercard zero-liability. Defense: Bangkok Bank, Kasikornbank (KBank), and Siam Commercial Bank (SCB) operate 24/7 ATMs at most BTS stations and major shopping centers (Terminal 21, EmQuartier, ICONSIAM). The Bangkok Bank ATM at Asok station is open round-the-clock and is the canonical safe alternative to Sukhumvit private ATMs.

Read the full Bangkok scam guide →

Prague, Czech Republic · Wenceslas Square & Old Town Lebanese Loop Card Trap

You insert your card at a standalone ATM at the bottom of Wenceslas Square at 9pm. The PIN works. Then the machine displays "Card retained" and your card does not return. You walk away assuming the bank kept it for some routine reason. A man who has been watching from a doorway moves in, slides a thin tool into the slot, and extracts your card; he has your PIN from a hidden camera in the faceplate above the keypad. By the time you call your bank from the hotel, six transactions across Prague's private ATMs have already drawn your daily limit. The Wenceslas Square and Old Town areas (around Staromestske Namesti and the Charles Bridge approaches) run Lebanese-loop hardware most consistently. The Czech Tourist Police accepts complaints at the Old Town station off Bartolomějská; Česká spořitelna and ČSOB are the safer alternatives, with branches at Wenceslas nám. and Nám. Republiky. Defense: if your card does not return within 30 seconds, stand at the machine and immediately call your issuer's 24/7 fraud line on the back of any other card you have. Most banks can flag the card mid-trap.

Read the full Prague scam guide →

Nice, France · Promenade des Anglais & Vieille Ville Overlay Skimmer · Beach-Promenade ATMs

You walk along the Promenade des Anglais at sunset. A standalone ATM sits in a small kiosk between two beachfront cafés, branded with the colors of a major French bank but missing the actual bank's logo. You wiggle the slot, it shifts. Skimmer hardware is fitted snugly inside the kiosk. The Vieille Ville (Old Town) of Nice and the eastern stretch of the Promenade between the Negresco and the Casino Ruhl run overlay-skimmer hardware seasonally; the operator crews follow the cruise-ship calendar from May through October. The Police Nationale Nice tourist help desk at the Hôtel de Police on Avenue Maréchal Foch accepts English-language reports. The Crédit Agricole and BNP Paribas branches at Place Masséna are 200 meters off the Promenade and have 24/7 ATM access. Defense: the standalone-on-the-Promenade pattern is the tell. Walk inland one block to a major-bank branch.

Read the full Nice scam guide →

Red flags

If two or more of these signals fire when you approach an ATM, walk to the next major-bank branch instead. The compounding rule: a single signal might be a coincidence; two signals are a script.

If you got hit

Your bank flagged a transaction you did not make, or your card was retained at an ATM and the machine wallet shows charges already posting. The first hour matters most: the cloned card will be used in cycles until you freeze it, and Visa/Mastercard zero-liability policies require you to report the unauthorized transactions promptly.

Within five minutes: call your card issuer's 24/7 international fraud line. The number is printed on the back of every card; save photos of every card back separately on your phone for exactly this moment. Freeze the card; the issuer will block all future transactions and reverse fraudulent ones.

Within thirty minutes: file a police report with the local tourist-police line. The report number is what most card issuers' fraud-investigation teams require for full reimbursement above a small threshold.

• Paris: Préfecture de Police 17 (24/7); SARIJ commissariats including 10 boulevard Strasbourg-Saint-Denis; English-language reports accepted.
• Barcelona: Mossos d'Esquadra Tourist Help, +34 932 903 000 (24/7, English).
• Madrid: SATE (Sala de Atención al Turista Extranjero), Calle Leganitos 19, +34 91 548 8537.
• Rome: Carabinieri 112; Polizia di Stato 113; Termini-area Polizia Ferroviaria 06-481-661.
• Bangkok: Tourist Police 1155 (24/7, English-speaking).
• Prague: Tourist Police, Městská policie Praha; Old Town station off Bartolomějská; English-language reports accepted.
• Nice: Police Nationale Hôtel de Police, Avenue Maréchal Foch.

Within 24 hours: order a replacement card. Most major issuers (Amex, Chase, Capital One, Wise, Revolut) offer overnight emergency replacement cards via DHL or FedEx to your hotel. Premium-tier travel cards (Amex Platinum, Chase Sapphire Reserve, Capital One Venture X) include emergency cash-advance assistance up to $1,000–$2,500. Keep a backup card from a different network in a separate physical location, not your wallet, so a single compromise does not strand you. The Visa/Mastercard zero-liability policy covers all unauthorized transactions made before the freeze, with the police report as supporting evidence.

Related atlas entries

Sister entries in the Scam Atlas. ATM skimming overlaps with currency-related scams (where cash withdrawal is the trigger event) and with distraction-theft tactics (where the helpful-stranger approach pairs with PIN capture).

Get the full ATM-safety playbook for your destination.

Each Travel Safety atlas covers every documented ATM-skimming variant in one country, plus the country's full scam catalog: taxi, restaurant, pickpocket, fake authority. Buy once, lifetime updates as scams evolve. $4.99 on Kindle.

🇫🇷 France: Tourist Scams

Read on Kindle ↗ $4.99 🇮🇹 Italy: Tourist Scams

Read on Kindle ↗ $4.99 🇹🇭 Thailand: Tourist Scams

Read on Kindle ↗ $4.99

Frequently asked questions