Card skimmers are mostly invisible, but they share three tells. Three seconds of looking saves your account.
Skimming is the practice of installing a tiny device over an ATM or EFTPOS terminal that reads your card data as it goes in, plus a hidden camera that watches you type the PIN. Modern skimmers are alarmingly thin and fit over the real card slot without changing the look of the machine. But they share three physical tells anyone can spot.
Before inserting your card, grip the plastic surround of the slot and try to wiggle it. Real card slots are bolted into the steel cabinet — they don't move. A skimmer is glued or clipped over the real slot, so it will give a little. If it shifts, walk away to a different ATM and report it to the bank.
Skimmers need a camera to see your PIN — usually disguised as a small black hole or pinhole somewhere above the keypad, in a fake brochure holder, or in a small attachment beside the screen. Anything that looks slightly out of place above the PIN pad is suspect. When in doubt, cover the keypad with your hand as you type — defeats most cameras even if one is present.
Sophisticated skimmers also use a thin keypad overlay that records what you type. Run your finger across the keypad — if the keys feel spongy, raised, or different to the metal/plastic of the machine surround, that's an overlay. Real ATM keypads are recessed and feel solid.
Outdoor ATMs (especially overnight) are skimmer targets. Indoor ATMs in bank branches and supermarkets are physically harder to tamper with and have CCTV pointed at them. The convenience of the street-side ATM is rarely worth the risk for a routine withdrawal.
Most ATMs now accept contactless. Tap-and-go bypasses the card slot entirely — no card insertion means no skimming. Same for EFTPOS at retail. Tap is safer than insert for any transaction under your contactless limit.
If you find a skimmer, don't touch it — pulling it off destroys the bank's evidence. Take a photo (don't use flash — the camera can see it), step away, and call the bank's fraud line. They send someone to recover the device intact for forensics, which has put dozens of skimming rings out of business.
Card safety is a full pattern — slot, tap, online, all share the same defensive instincts.
If you run a retail or hospitality business, your EFTPOS terminal is the target too. whedo.it runs a 15-minute terminal-tamper-check training for client teams. Spots the same tells. Free for managed clients.
A Support Representative will get in touch.
A Support Representative will be in touch the same business day.
No deck, no pitch — walk your environment with a senior Australian practitioner. Confidential by default.
I built this business because I wanted to do Managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director