• Mar 24, 2026

Card Cloning Fraud in 2026: What It Is & How to Prevent It

The answers to all your questions about card cloning, what businesses can do to prevent it, and how consumers can stay safe.

Card cloning is a major concern for banks and cardholders alike. In 2025, three individuals were accused of a high-profile $14 million gift-card cloning scheme in Texas, where criminals copied gift card data, tampered with the cards, and drained funds after unsuspecting customers activated them.

A consistent pattern is that stolen payment data may be encoded onto counterfeit cards or used for other fraud types, including card-not-present fraud and account takeover.

Fraudsters go to great lengths to clone cards, including tampering with ATMs to steal cardholder data. As our payment methods evolve, they might not even need your card to steal from you.

To stop card-cloning fraud, individuals and businesses need to remain vigilant. The good news is that there is a lot that can be done to combat this type of financial crime, so it is important to stay aware of what you can do to fight against card cloning.

Let's examine how card cloning and card skimming operate, explore related card fraud types, and outline effective steps businesses can take to prevent these threats in 2026.

What is card cloning fraud?

Card cloning is the act of copying a debit or credit card’s payment details onto a duplicate “clone card.” These clone cards can then be used for fraudulent payments at the expense of the original cardholder. 

As payment methods evolve, fraudsters use increasingly sophisticated methods to keep stealing cardholders’ money, so card cloning fraud continues to evolve. It may often go unnoticed and carries serious risks of landing people in heavy debt or ruining their credit scores without their knowing it. In 2026, debit and credit card cloning is one of the most common types of card theft. 

Card cloning usually occurs through card skimming, which involves capturing card details using devices placed on ATMs or payment terminals without the cardholder’s knowledge.

In 2026, card cloning remains a persistent financial crime despite the adoption of chip-enabled cards. According to the FBI, skimming fraud causes roughly $1 billion in annual losses in the United States, while card skimming accounts for around 60% of ATM fraud globally. The payment card skimming market size is expected to grow from $3.99 billion in 2025 to $4.49 billion in 2026 at a CAGR of 12.5%.

The problem is particularly severe in regions with outdated ATM infrastructure, and millions of stolen card records circulating on dark-web markets continue to fuel cloning operations.

What is a clone card, and how is it used?

Clone cards are counterfeit versions of payment cards designed to mimic the originals. Duplicate credit cards, debit cards, or even gift cards can be created by copying the details from a legitimate card onto a counterfeit one, such as onto its magnetic strip. These fraudulent cards function in the same way as the original cards; when payments are made with them, the funds are deducted from the original cardholder’s bank account.

Depending on what information the fraudsters have (e.g., PIN/CVV), counterfeit cards are typically used in card-present environments such as ATMs or in-store terminals. Stolen card details may also be used separately for online card-not-present fraud. Counterfeit cards can be used for all the same purposes as genuine cards, from buying a cup of coffee and a croissant in a cafe to buying luxury designer goods. Due to the illicit nature of stolen cards, criminals typically prefer to withdraw hard-to-trace cash, purchase untraceable gift cards, or acquire high-value items, such as luxury products, that can be easily resold.

How does card cloning work? (Step-by-step)

Fraudsters employ various strategies to clone cards, making the process highly variable. Cardholders are at risk of card cloning when withdrawing cash from an ATM and when entering their card credentials for an online purchase. 

In general, card cloning consists of copying a cardholder’s details and then putting these details onto a duplicate card. Fraudsters also often try to learn cardholders’ PINs or CVV codes to use their cards in more situations and defraud victims of even more money. Fraudsters may use these cards themselves or sell them to other criminals via dark web marketplaces.

Card skimming is a prevalent method used to capture data from a card’s magnetic stripe. This involves a device that reads the static information stored on the stripe, making it relatively easy for criminals to copy. In contrast, EMV chip transaction data is more difficult to replicate, adding an extra layer of security for those cards.

The card cloning process step-by-step

Here’s a typical example of how debit and credit card cloning works:

1. Preparation: Fraudsters may attach a skimming or shimmer device to ATMs, point-of-sale (POS) terminals, or even recruit accomplices like restaurant servers to help obtain credit and debit card information. 

2. Obtaining card details: Skimming devices secretly read and copy the card's magnetic stripe data when it is inserted or swiped, while shimming is a more advanced method that intercepts EMV chip data. Fraudsters may also exploit compromised websites or networks to obtain online card payment details.

3. Capturing extra information (PIN/CVV): Fraudsters may go on to use hidden cameras, fake keypads, or even just watch over someone's shoulder to record PINs. They may use phishing or malware to steal CVV codes for online transactions.

4. Creating clones: Criminals can now program a blank magnetic stripe card (this could even be a previously stolen card) with the captured card details, creating a counterfeit duplicate of the original card.

5. Making fraudulent transactions: Fraudsters may withdraw cash from ATMs and make transactions online or in-store, or even sell the card to another criminal, all at the cost of the cardholder. Fraudsters tend to act quickly, making it harder for banks and authorities to trace the criminals.

Magnetic stripe cards

Magnetic stripe cloning works by copying the data contained on the magnetic strip (magstripe) on a payment card. This is done using a special machine called a ‘skimming device’, which copies the magstripe data as the card is passed through it. This is called ‘card skimming’. Many companies are now moving away from magstripe technology due to the risks from skimmer devices, but anyone with a magstripe card should remain cautious.

EMV chip cards

EMV chip technology has become the default for most card providers, accounting for 96.2% of transactions by late 2024. EMV cards are considered more secure than magnetic stripe cards because they use embedded microchips and generate one-time dynamic transaction data, making it extremely difficult to create counterfeit cards that can successfully perform EMV transactions.

However, fraud can still occur through techniques such as card shimming. Shimming involves placing thin devices inside card readers to intercept data from the chip during a transaction. While this data cannot be used to clone a fully functional EMV chip card or replicate EMV transactions, it may be used in other types of fraud, such as creating magnetic stripe cards for use in regions or systems that still rely on magstripe technology. The term “shimming fraud” describes this type of activity.
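Why data captured from a chip transaction cannot authorize a new one, shown with a simplified model added here (it is not the EMV specification or any vendor's code). HMAC-SHA256 stands in for the real cryptogram algorithm, and the class names, card ID and message layout are assumptions.

```python
import hashlib
import hmac
import secrets


def _mac(key, amount_cents, terminal_nonce, atc):
    # Assumed message layout: amount, terminal nonce, transaction counter.
    msg = amount_cents.to_bytes(8, "big") + terminal_nonce + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Simplified chip: holds a secret key that never leaves the card."""

    def __init__(self, key):
        self._key = key
        self.atc = 0  # transaction counter, incremented on every transaction

    def cryptogram(self, amount_cents, terminal_nonce):
        self.atc += 1
        return self.atc, _mac(self._key, amount_cents, terminal_nonce, self.atc)


class Issuer:
    def __init__(self):
        self._keys = {}      # card_id -> key shared with the chip at issuance
        self._last_atc = {}  # card_id -> highest counter already accepted

    def enroll(self, card_id):
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_atc[card_id] = 0
        return ChipCard(key)

    def authorize(self, card_id, amount_cents, terminal_nonce, atc, cryptogram):
        key = self._keys.get(card_id)
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, amount_cents, terminal_nonce, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if atc <= self._last_atc[card_id]:
            return "declined: counter reused"
        self._last_atc[card_id] = atc
        return "approved"


def demo():
    issuer = Issuer()
    card = issuer.enroll("card-001")      # constructed card identifier
    nonce = secrets.token_bytes(4)        # the terminal's unpredictable number
    atc, cg = card.cryptogram(2500, nonce)
    results = {"genuine": issuer.authorize("card-001", 2500, nonce, atc, cg)}

    # A shimmer can record the counter and cryptogram in transit, but never the key.
    # Re-sending the recorded message fails the counter check.
    results["replayed_message"] = issuer.authorize("card-001", 2500, nonce, atc, cg)

    # A different terminal issues a different nonce, so the recorded cryptogram
    # no longer matches what the issuer computes.
    new_nonce = bytes(b ^ 0xFF for b in nonce)
    results["captured_data_new_terminal"] = issuer.authorize(
        "card-001", 2500, new_nonce, atc + 1, cg)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

A magnetic stripe has no counterpart to the counter and keyed cryptogram: its data is static, which is why the issuer-side checks above have nothing to verify on a swipe.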

Contactless / NFC payments

Contactless cards use dynamic transaction security, so claims of routine 'RFID cloning' are easily exaggerated. Most contactless fraud is linked to lost or stolen cards rather than to feasible cloning of cards. This type of contactless payment fraud is sometimes called ‘RFID card cloning’ or ‘NFC card skimming’.

Common methods used to clone cards

There is a wide range of methods criminals can use for card cloning. These include physically stealing card details through methods such as card skimming, which rely on a consumer unwittingly putting their card into a card-cloning machine or allowing someone to do so for them. However, criminals can also steal consumers' card details online, so it is important to be ever vigilant.

Common card cloning methods include:

ATM skimming

ATM skimming, also called ‘ATM card skimming’, is when criminals tamper with a real ATM by adding a skimming device, or create a fake ‘card skimmer ATM’, to capture people’s card details when they use the ATM to take out cash, check their balance, or carry out other transactions.

Skimming devices used by debit and credit card skimmers can be hard to spot, so consumers are advised to carefully check ATMs for any signs of tampering, such as loose or misaligned card slots and glue residue that could indicate a skimmer has been added.

POS terminal skimming

Customers need to be careful when paying at POS terminals as they can easily be tampered with. Point of Sale skimming, or ‘POS skimming,’ involves criminals using a debit or credit card skimmer to capture customers’ card details when they are making a payment at a Point of Sale in a store or other consumer-facing business. For example, a large number of skimmers were found in 2025 across Virginia, suggesting a coordinated campaign of card fraud using skimmer devices.

Gas station/fuel pump skimming

Skimming devices can also be installed at gas stations, stealing consumers’ details when they pay for fuel. This is called ‘gas station skimming’ or ‘fuel pump skimming’, and it can be an appealing option for criminals, as fuel pumps are typically not attended by employees, reducing the chance of a skimming device being spotted.

Shimming (EMV chip attack)

EMV cards are less susceptible to skimming because they use embedded microchips and one-time dynamic codes for transactions, rather than the older magnetic stripe technology that skimmers target. However, EMV cards are vulnerable to an alternative method of stealing card details called ‘card shimming’. Criminals insert a more advanced "shimmer" into a card reader, allowing them to intercept EMV chip card data. This is also called ‘EMV chip cloning,’ and the process is often referred to as shimming fraud.

Overlay keypads 

Criminals are known to place fake keypads over real ones to record the PINs that cardholders enter at ATMs or other payment terminals. These scams are widespread. For example, a compromised ATM scam was uncovered in Beaumont, Texas, in 2024, with criminals found to have defrauded cardholders of $10,000.

Fake ATMs

Fraudsters have even been known to set up counterfeit ATMs solely designed to capture card details and PINs.

RFID/NFC theft 

With the rise of contactless near-field communication (NFC) technology, criminals can now stand close to victims and use radio frequency identification (RFID) scanners or mobile apps to steal card data from contactless payment cards. RFID card cloning involves loading the stolen data onto a blank card so it can be used for contactless payments. This type of contactless card cloning can be hard for consumers to detect, as there may be no obvious signs that NFC card skimming is taking place, making contactless payment fraud particularly concerning. 

Phishing

Fraudsters may impersonate trusted institutions such as banks to trick consumers into handing over their card information. These are often referred to as ‘phishing credit card scams’.

Insider fraud 

Criminals working at stores, restaurants, or other locations with POS terminals may steal card details during transactions. These insiders may also manipulate consumers into providing additional information, such as their PIN, through social engineering fraud.

Card cloning forums 

Criminals may trade stolen card details or offer cloning services via forums.


Card cloning fraud results in losses of an estimated $1 billion a year to consumers and financial institutions, with over 4 million stolen card details available online. 

Here are some key card cloning fraud statistics and trends to be aware of:

Card fraud is on the rise

In recent years, card fraud statistics have shown a big increase in compromised cards, with the numbers almost doubling from 2022 to 2023. In the UK alone, there was a 22% increase in cases of ‘card not present fraud’ (where a criminal uses stolen card details) in the first half of 2025, compared to the same period in 2024. 

Payment methods are now a top target for fraudsters

Our research shows that payment methods are now the top target for fraudsters, with a 6.6% fraud rate—the highest among all document types. Previously, ID cards were the top target, with the shift likely due to criminals’ ability to quickly monetize stolen payment details.

Magstripe giving way to EMV chips

These worrying debit and credit card fraud statistics are driving change in the banking and payment services industry. Efforts to make cards safer include many companies moving away from less secure magstripe technology, with EMV chip technology now used by almost all card providers.

Digital skimming is making online payments less secure

However, criminals are also evolving their tactics. Stealing card details online (‘digital skimming’) is a growing threat, with this technique being used in around 3 in 4 publicly disclosed data breaches, as well as more and more websites being infected with malware designed to collect card details.

ATM skimming remains a major attack vector

Despite the introduction of chip cards, ATM skimming remains a key method used to capture card data for cloning. Reports indicate that skimming accounts for roughly 60% of ATM-related fraud worldwide.

Payment providers are upping their game with new technology (but criminals are catching up)

Payment providers must implement more advanced technology, such as biometric checks, to combat these types of online payment fraud trends. However, choosing the right technical solution is essential as it has been shown that fraudsters can use deepfakes to bypass biometric security checks.

AI and machine learning could supercharge card cloning fraud 

It is also likely that criminals will use AI and machine learning technology to supercharge their card cloning fraud operations. In our Identity Fraud Report 2025–2026, we predict that criminals may use automation to ramp up card-testing fraud (where stolen card details are used to make small transactions before larger ones). This could involve using bot farms to push thousands of micro transactions across multiple merchants in seconds, overwhelming their defenses.

We also believe AI-generated content could be used to make phishing and social engineering attacks more sophisticated and harder to stop. For example, criminals could use realistic deepfake voices of family members or tailored phishing emails produced in real time to convince people to hand over payment details.

To stay ahead of these threats, consumers and businesses must keep up with the latest trends and tactics used by fraudsters. Businesses can then ensure they implement the best technical solutions to combat card cloning, while consumers remain vigilant for suspicious activity.

Is card cloning illegal?

Yes. Card cloning is a crime that is prohibited globally. Various jurisdictions have established specific laws addressing credit card fraud and related offenses involving card cloning. Penalties for such crimes vary across jurisdictions and depend on the nature of the offense.

The following are examples of penalties associated with card cloning and credit card fraud in various jurisdictions worldwide:

| Region | Card cloning penalties |
| --- | --- |
| United Kingdom | Individuals convicted of credit card fraud, including card cloning, may face imprisonment of up to 10 years, fines, or both under the Fraud Act 2006. |
| United States | Individuals convicted under federal laws like 18 US Code § 1029, addressing fraud involving credit and debit cards, may face fines up to $250,000 and imprisonment of up to 10, 15, and 20 years, depending on the subsection and prior convictions. |
| European Union | Although penalties vary across EU member states, credit card fraud is a serious crime across the EU, with penalties including imprisonment and heavy fines. |
| Singapore | The Computer Misuse Act (CMA), Chapter 50A, criminalizes unauthorized access to computer systems, including hacking or skimming devices to obtain card data, with penalties up to 10 years imprisonment or fines up to SGD 50,000. Penal Code, Section 420, covers cheating and dishonestly inducing delivery of property (e.g., using cloned cards), with penalties up to 10 years imprisonment and fines. The Payment Services Act (2019) regulates payment systems and imposes obligations on financial institutions to prevent fraud, thereby indirectly supporting anti-cloning measures. |
| Australia | Under the Criminal Code Act 1995 (Commonwealth), using a device to obtain or deal with identification information (e.g., card data) without consent is an offense, punishable by up to 7 years imprisonment (Section 480.4). Unauthorized access to or modification of restricted data (e.g., via skimmers) carries up to 2 years imprisonment (Section 477.2). State laws also cover cloned cards. For example, under the Crimes Act 1900 (NSW), fraudulent use of cloned cards is a theft or deception offense, with penalties of up to 7 years' imprisonment. |
| Canada | Under the Criminal Code of Canada, theft, forgery, or misuse of credit card data (including cloning) is punishable by up to 7 years imprisonment (Section 342). Fraud involving cloned cards carries penalties of up to 14 years for large-scale offenses or 2 years for lesser cases (Section 380). Identity theft, including obtaining card data for cloning, is punishable by up to 5 years imprisonment (Section 402.2). |
| Brazil | Under the Brazilian Penal Code (Decree-Law No. 2,848/1940), theft, including electronic theft of card data, carries 1-4 years imprisonment plus fines (Article 155). Fraud, such as the use of cloned cards, is punishable by 1-5 years' imprisonment and fines (Article 171). |

Can cloned cards be traced?

Yes, cloned cards can be traced. Banks and financial institutions use card fraud detection systems to detect unusual patterns, such as where payments are being made and if a card is being used in multiple locations.

ATM logs and POS system records, as well as camera footage, can also be used to trace cloned cards and break up criminal networks. EMV chips also generate transaction codes, which make fraudulent transactions easier to detect. IP addresses, device information, and geographical location can be tracked during online transactions.

Card fraud detection, however, can be complicated by money mules and prepaid cards. Additionally, VPNs and international criminal rings operating across different jurisdictions can create further challenges for detection.

How to detect card cloning fraud

Card fraud detection requires businesses to stay on top of the tactics criminals use and to invest in the right technical solutions. Real-time transaction monitoring is one of the most effective tactics for detecting fraudsters using stolen card details, but other methods can make a huge difference in the fight against card cloning fraud.

Here are some of the key tactics that can be used to detect card cloning fraud, including AI fraud detection and machine learning fraud detection:

Behavioral & device intelligence

Cloned cards are often used by "fraud rings" or automated bots. Sumsub looks for technical red flags that suggest the user isn't who they say they are:

  • Device Fingerprinting: Detects if the same device is being used to attempt transactions with dozens of different credit cards (a hallmark of card cloning/testing).
  • Fraud Network Detection: Uses AI to find hidden links between accounts. For example, if two "different" users share the same IP, device ID, and unique browser configuration, they are likely part of the same fraud network.
  • IP/Geolocation Analysis: Flags mismatches between the card's issuing country, the user’s claimed residence, and the user's current IP address.
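The three checks in the list above, written as plain rules over a constructed event log. This is an added example, not Sumsub's code; the field names, the 10-minute window and the three-card limit are assumptions chosen for illustration.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts account device ip browser card issuer claimed ip_country")


def ev(clock, *fields):
    return Event(datetime.fromisoformat("2026-03-01T" + clock), *fields)


# Constructed sample events (not real data). "card" is an opaque token, never a
# card number; issuer/claimed/ip_country are the card's issuing country, the
# user's claimed residence and the country the IP address resolves to.
EVENTS = [
    ev("10:00:00", "alice", "dev-A", "198.51.100.7", "cfg-1", "tok-1", "GB", "GB", "GB"),
    ev("10:01:00", "bob", "dev-B", "203.0.113.9", "cfg-9", "tok-2", "US", "US", "US"),
    ev("10:02:00", "bob", "dev-B", "203.0.113.9", "cfg-9", "tok-3", "DE", "US", "US"),
    ev("10:03:00", "carol", "dev-B", "203.0.113.9", "cfg-9", "tok-4", "FR", "FR", "US"),
    ev("10:04:00", "carol", "dev-B", "203.0.113.9", "cfg-9", "tok-5", "CA", "FR", "US"),
    ev("11:30:00", "alice", "dev-A", "198.51.100.7", "cfg-1", "tok-6", "GB", "GB", "GB"),
    ev("12:00:00", "erin", "dev-C", "192.0.2.44", "cfg-3", "tok-7", "US", "GB", "US"),
]


def geo_mismatches(e):
    """Names of the country pairs that disagree for one event."""
    pairs = {
        "issuer_vs_ip": (e.issuer, e.ip_country),
        "claimed_vs_ip": (e.claimed, e.ip_country),
        "issuer_vs_claimed": (e.issuer, e.claimed),
    }
    return sorted(name for name, (a, b) in pairs.items() if a != b)


def triage(events, window=timedelta(minutes=10), max_cards=3):
    """Reasons per event: geo mismatches, plus too many distinct cards on one device."""
    recent = defaultdict(deque)  # device -> (ts, card) pairs still inside the window
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        q = recent[e.device]
        q.append((e.ts, e.card))
        while e.ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        distinct = len({card for _, card in q})
        reasons = geo_mismatches(e)
        if distinct > max_cards:
            reasons.append(f"device_velocity:{distinct}_cards")
        if reasons:
            alerts.append((e.card, reasons))
    return alerts


def linked_accounts(events):
    """Accounts sharing the same device ID, IP address and browser configuration."""
    groups = defaultdict(set)
    for e in events:
        groups[(e.device, e.ip, e.browser)].add(e.account)
    return sorted(sorted(accts) for accts in groups.values() if len(accts) > 1)


if __name__ == "__main__":
    for card, reasons in triage(EVENTS):
        print(card, reasons)
    print("linked:", linked_accounts(EVENTS))
```

A single country mismatch also fits a legitimate traveller, so these reasons are inputs to a risk score rather than grounds to block on their own.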

Real-time transaction monitoring

Real-time transaction monitoring is critical for detecting card cloning fraud. It can help quickly spot suspicious transactions that may indicate a card is being used by a criminal rather than the account holder. AI-fraud detection technology is central to modern transaction monitoring and card fraud detection systems, as it enables vast volumes of transactions to be checked in real time. This means more accounts can be monitored and suspicious activity flagged faster, while reducing manual workloads for compliance teams.

Machine learning & AI fraud detection

Machine learning and AI enable faster, more accurate card fraud detection. Machine learning fraud detection tools can assist with functions such as analyzing transaction data to build behavioral profiles, which can then be used to spot anomalies indicative of fraud. 

Behavioral profiling of cardholders

Behavioral profiling for fraud prevention can be highly effective. Most customers behave in fairly predictable ways, spending similar amounts of money on similar things in similar locations. While there will always be some degree of variation in these patterns, machine learning can be used to create highly accurate behavioral profiles. These can then be used in card fraud detection by providing a baseline of expected behavior, with any anomalies flagged for investigation.
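A minimal baseline-and-anomaly check for the profiling described above, added here as an illustration and not taken from any vendor's system. It uses a median/MAD robust z-score in place of a trained model, and the field names, thresholds and allow/step-up/hold actions are assumptions.

```python
from statistics import median

# Constructed purchase history for one cardholder (not real data).
HISTORY = [
    {"amount": 12.50, "country": "GB", "category": "grocery"},
    {"amount": 8.20, "country": "GB", "category": "cafe"},
    {"amount": 45.00, "country": "GB", "category": "fuel"},
    {"amount": 15.75, "country": "GB", "category": "grocery"},
    {"amount": 9.99, "country": "GB", "category": "cafe"},
    {"amount": 30.10, "country": "GB", "category": "grocery"},
    {"amount": 11.40, "country": "GB", "category": "cafe"},
    {"amount": 22.00, "country": "GB", "category": "fuel"},
]


def build_profile(history):
    """Baseline of expected behavior: typical amount, its spread, known places."""
    amounts = [t["amount"] for t in history]
    mid = median(amounts)
    mad = median(abs(a - mid) for a in amounts)  # median absolute deviation
    return {
        "count": len(amounts),
        "median": mid,
        "mad": mad,
        "countries": {t["country"] for t in history},
        "categories": {t["category"] for t in history},
    }


def anomalies(profile, txn, z_limit=3.5, min_history=5):
    """Reasons a transaction departs from the baseline (empty list if none)."""
    if profile["count"] < min_history:
        return ["insufficient_history"]  # too little data to judge the amount
    # If every past amount is identical the MAD is 0; fall back to 1% of the
    # median (at least 0.01) so the division below stays defined.
    spread = profile["mad"] or max(0.01 * profile["median"], 0.01)
    # 0.6745 rescales the MAD so z is comparable to a standard z-score.
    z = 0.6745 * (txn["amount"] - profile["median"]) / spread
    reasons = []
    if abs(z) > z_limit:
        reasons.append("amount_outlier")
    if txn["country"] not in profile["countries"]:
        reasons.append("new_country")
    if txn["category"] not in profile["categories"]:
        reasons.append("new_category")
    return reasons


def decide(profile, txn):
    """Illustrative policy: no reasons -> allow, one -> step up, more -> hold."""
    reasons = anomalies(profile, txn)
    action = "allow" if not reasons else "step_up" if len(reasons) == 1 else "hold"
    return action, reasons


def learn(history, txn, keep=200):
    """Fold a transaction the cardholder confirmed into the rolling history."""
    return (history + [txn])[-keep:]


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    trip = {"amount": 20.00, "country": "BR", "category": "grocery"}
    print(decide(profile, {"amount": 950.00, "country": "GB", "category": "electronics"}))
    print(decide(profile, trip))
    print(decide(build_profile(learn(HISTORY, trip)), trip))
```

Rebuilding the profile from a rolling history is what lets the baseline follow a customer whose behavior genuinely changes, at the cost of also absorbing fraud that was never disputed.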

Reviewing physical infrastructure (ATMs & POS terminals)

One of the simplest ways to detect and prevent ATM skimming and POS skimming is for providers to regularly check infrastructure for signs of tampering, such as the presence of a skimming device at a POS or a card skimmer on an ATM.

Implementing EMV chips

EMV chip technology is more secure than magstripes, so all new cards should include EMV chips, and many providers are ditching magstripes altogether. However, the dangers posed by card shimming must be considered, so providers should still conduct physical checks of EMV payment devices to maintain payment card security.

How to prevent card cloning fraud

Credit card fraud prevention is the responsibility of both businesses and consumers. There are various ways to prevent bank card cloning.

Educating consumers

Educating consumers on how to prevent credit card cloning is essential. Card cloning prevention measures include checking for skimming and shimming devices, using RFID-blocking wallets, entering card details only on websites you trust, and enabling multi-factor authentication.

You can read more about what consumers can do about bank card fraud prevention below.

Building customer profiles

Businesses should implement behavioral profiling for fraud prevention. Creating profiles of expected customer behavior based on previous transactions can make it much easier to spot fraud using real-time transaction monitoring. Using machine learning, fraud detection can be made much more effective, as this technology allows vast amounts of data to be processed to produce highly accurate behavioral profiles, which can be quickly updated as a customer’s behavior changes.

Investing in new card security technologies

Payment card security can be substantially improved using the latest technical solutions, such as EMV chip technology, biometric payment authentication, and tokenization (where payment details are replaced with unique, randomized digital tokens that cannot be reused if stolen). These technologies can make card cloning protection much more robust, keeping consumers and businesses safer.

How to protect yourself from card cloning fraud and other types of card fraud: A checklist for cardholders

Card fraud, including card cloning, is a serious threat to cardholders, and losses from it are increasing. Make sure to do the following to keep yourself safe from card cloning:

❗Check for skimming and shimming devices on ATMs and POS terminals

❗Do not share your PIN, and cover your PIN whenever you enter it

❗Use an RFID-blocking wallet to lower your risk of wireless skimming

❗Don’t enter your card details on websites you don’t trust

❗Don’t open email links you don’t trust, and especially don’t enter any information on such links

❗Use Multi-Factor Authentication

❗Don’t use public Wi-Fi networks for any financial transactions

❗Use reputable banks with advanced anti-fraud programs

❗Turn on transaction alerts to monitor all activity on your card, helping you identify any unauthorized transactions.

❗Use chip-enabled cards instead of magnetic stripe-only cards

❗If you have to use an ATM, use one inside a bank and inspect it for any loose parts, unusual attachments, or hidden cameras

❗Read about scams; they evolve over time!

Unfortunately, you can do all of the above and still be a victim of card cloning due to no fault of your own. This is why it’s important to monitor bank statements regularly and understand your rights to protect yourself as a fraud victim.

💡Consider regulated banks and financial institutions. These organizations typically have strong consumer protection measures in place, along with robust cybersecurity and anti-fraud policies. This combination can provide customers with added security and peace of mind. 

💡Be patient if your bank asks for extra checks—it's all to keep you and your money safe. 

Sumsub is dedicated to fighting fraud and uses the latest anti-fraud technologies to help financial institutions verify account holders and protect clients. Here are a few developments in anti-fraud tech we’re excited about:

The future of card cloning & fraud prevention

While fraudsters may be developing their strategies with tools like RFID skimming, emerging payment card security technologies are likely to make card cloning and fraud even harder for criminals. 

These emerging prevention tools include:

Biometric payment authentication: Fingerprints, facial recognition, and voice IDs could replace PINs and passwords

AI fraud detection: Machine learning may analyze transaction patterns in real time, helping to detect any anomalies and block suspicious activity before too much damage is done

Tokenization payment security: Substituting card details with non-sensitive digital tokens can stop fraudsters from using stolen data

Contactless & dynamic CVV cards: In addition to contactless cards, banks may issue cards with CVVs on tiny screens that change at regular intervals, making any cloned data useless

Blockchain: Blockchain technology can enhance security by encrypting transaction data

Geolocation-based security: Transactions could only be approved if they match a cardholder’s physical location

While there are exciting developments on the horizon, it’s still important to stay alert to new payment fraud trends. Experience has shown that as security evolves, so do fraudsters.


Card cloning fraud FAQs

  • What is card cloning?

    Card cloning is a process criminals use to copy a consumer’s credit or debit card information, then place this onto a duplicate card they can use to make fraudulent purchases. Fraudsters may also attempt to obtain the card’s PIN and/or CVV so they can use the cloned card in more situations.

  • What can be done to mitigate card cloning?

    Measures to mitigate card cloning fraud fall into two main camps: preventing cards from being cloned and rapidly detecting cloned cards to minimize losses. Tactics to prevent card cloning include educating consumers about the risks and using technology such as biometrics to make cards more secure against cloning. Strategies to quickly identify and block cloned cards include building customer behavior profiles and using AI-assisted, real-time transaction monitoring to spot suspicious transactions that may indicate a cloned card.

  • Can EMV cards be skimmed?

    EMV cards can be skimmed if they have a magnetic stripe and it is used to make a payment. EMV cards are also vulnerable to ‘shimming’, which involves placing thin, card-like devices inside card slots to read the encrypted data on EMV cards.

  • Can cloned cards be traced?

    Yes. Cloned cards can be tracked by financial institutions through transaction monitoring. This process helps detect unusual activity patterns that indicate a card is being used by someone other than its rightful owner. Modern transaction monitoring employs AI and machine learning to quickly identify suspicious transactions, enabling faster, more reliable tracing of cloned cards.

  • What industries are most targeted by cloned card fraud?

    Any industry with high transaction volumes and card use is at risk of cloned card fraud. This includes retail, gas stations, and ATMs. Small businesses with poor fraud detection processes are also at high risk.

  • What are the early warning signs of card cloning fraud for merchants?

    Early warning signs of card cloning fraud may include mismatched billing and shipping addresses, very high transaction volumes, repeatedly declined payments, and the use of multiple cards by one person in quick succession. Merchants should also implement robust cybersecurity measures to prevent web skimming.

  • How do banks detect credit card cloning fraud?

    Machine learning can be used in fraud detection systems to analyze transaction patterns. This can assist with debit and credit card cloning fraud detection as it allows unusual behaviors to be flagged in real-time, potentially detecting the use of cloned cards.

  • Can AI help prevent credit card cloning in online transactions?

    AI may help prevent card cloning in online transactions. It could do so by considering multiple factors to assess fraud risk. This means potentially suspicious transactions could be blocked and flagged for further investigation. However, AI can also pose a threat, and it is important for merchants and customers alike to maintain strong cybersecurity awareness and remain vigilant against scams.