Card Cloning: Everything You Need to Know (2025)

Card cloning is a major concern for banks and cardholders alike. According to the FBI, this type of fraud costs consumers and financial institutions an estimated $1 billion every year. Fraudsters go to considerable lengths to clone cards, even installing fake ATMs behind ones, and as the way we pay changes, they might not even need your card to steal from you.

What is card cloning?

Card cloning is the act of copying a debit or credit card’s payment details onto a duplicate “clone card.” These clone cards can then be used for fraudulent payments at the expense of the original cardholder. 

As the way we pay changes, fraudsters are using evolving methods to keep stealing cardholders’ money. This type of fraud may often go unnoticed and carries serious risks of landing people in heavy debt or ruining their credit scores without their knowing it. With card cloning being one of the most common types of card theft and reported incidents on the increase, it’s important to understand how criminals operate so you can stay safe.

What is a clone card, and how is it used?

Clone cards are duplicate payment cards. These can be duplicate credit cards, debit cards, or even gift cards. They’re made by taking the details from a legitimate card and copying them onto an illegitimate one (e.g., onto its magnetic strip). In function, these work in the same way as the genuine card and payments made with them will be taken out of the original cardholder’s bank account.

Depending on what information the fraudsters have (e.g., PIN/CVV), clone cards can be used for everything the original card could, from buying a cup of coffee and a croissant in a cafe to buying luxury designer goods. Due to the criminal nature of clone cards, criminals may often favor taking out hard-to-trace cash, buying untraceable gift cards, or purchasing goods with a high resale value, such as luxury products.

How does card cloning work?

Fraudsters use a range of strategies to clone cards, putting cardholders at risk of card cloning, whether they are taking out cash from an ATM or entering their card details for an online purchase. 

In general, card cloning consists of copying a cardholder’s details and then putting these details onto a duplicate card. Fraudsters also often try to learn cardholders’ PINs or CVV codes to use their cards in more situations and defraud victims of even more money. Fraudsters may use these cards themselves or sell them to other criminals via marketplaces on the dark web.

One of the easiest ways to clone a card is to use a “skimming” device. These read the information on the magnetic strip in cards, which functions in a similar way to a cassette, and offers no encoding protection. Many cards now also include EMV chips, which make it harder for criminals to clone a card, but it is still possible by a chip-reading process known as “shimming”.

Here’s how card cloning typically works:
1. Preparation: Fraudsters may attach a skimming or shimmer device to ATMs, point-of-sale (POS) terminals, or even recruit accomplices like restaurant servers to help obtain credit and debit card information. 

2. Obtaining card details: Skimming devices secretly read and copy the card’s magnetic stripe data when inserted or swiped, while shimming is a more advanced method that detects EMV chip data. Fraudsters may also take advantage of compromised websites or networks to obtain online card payment details.

3. Capturing extra information (PIN/CVV): Fraudsters may go on to use hidden cameras, fake keypads, or even just watching over a shoulder to record PINs. They may use phishing or malware to steal CVV codes for online transactions.

4. Creating clones: Criminals can now program a blank magnetic stripe card (this could even be a previously stolen card) with the captured card details, creating a counterfeit duplicate of the original card.

5. Making fraudulent transactions: Fraudsters may withdraw cash from ATMs and make transactions online or in-store, or even sell the card to another criminal, all at the cost of the cardholder. Fraudsters tend to act quickly, making it harder for banks and authorities to trace the criminals.

Common methods used for cloning cards

Common card cloning methods include:

• Card skimming: Criminals install a skimming device on ATMs or POS terminals to capture magnetic stripe data when a card is swiped. Customers need to be careful when paying at POS terminals as they can easily be tampered with. For example, a huge number of skimmers has been found in 2025 all over Virginia in what seems to be a coordinated campaign of card fraud. 
• Shimming: Criminals insert a more advanced “shimmer” into a card reader, allowing them to intercept EMV chip card data.
• Overlay keypads: Criminals are known to place fake keypads over real ones to record PINs entered at ATMs or other payment terminals, allowing them to find out PINs. These scams are widespread. For example, a compromised ATM scam was uncovered in Beaumont, Texas, in 2024, with criminals having been found to defraud cardholders of $10,000.
• Fake ATMs: Fraudsters have even been known to set up counterfeit ATMs solely designed to capture card details and PINs.
• RFID/NFC theft: With the rise of contactless technology, criminals can now stand close to victims and use RFID scanners or mobile apps to steal card data from contactless payment cards.
• Insider fraud: Criminal employees at stores, restaurants, or anywhere else with POS terminals may steal card details during transactions.
• Fake online stores: Fraudsters can create fake online stores or even hack real ones to steal card details at checkout.
• Social engineering scams: Scammers often impersonate government agencies, banks, businesses, and loved ones to trick victims into giving them their card details. 
• Card cloning forums: Criminals may trade stolen card details or offer cloning services via forums.
• Data breaches & dark web purchases: Hackers and fraud rings steal huge volumes of card data from retailers and other payment processors, often selling these in bulk on the dark web for card cloning purposes. A major scandal hit British Airways in 2018, when it was found that 380,000 transactions had been compromised. Criminals had captured user data without disrupting their experience, allowing them to potentially clone their cards and sell their details on the dark web.
• Phishing: Criminals are known to trick users into entering their card details on fake websites via phishing scams. 
• Malware: Criminals may send malware to unsuspecting victims via email to log keystrokes and help capture personal information like passwords and card details.

Suggested read: Payment Fraud Guide 2024: Detection and Prevention

Is card cloning illegal?

Yes, card cloning is illegal worldwide. Penalties vary from jurisdiction to jurisdiction, depending on the offense. Here are a few examples:

Country/Region	Card cloning penalties
United Kingdom	Individuals convicted of credit card fraud, including card cloning, may face imprisonment of up to 10 years, fines, or both under the Fraud Act 2006.
United States	Individuals convicted under federal laws like 18 US Code § 1029, addressing fraud involving credit and debit cards, may face fines up to $250,000 and imprisonment of up to 10 years.
European Union	Although penalties vary across EU member states, credit card fraud is a serious crime across the EU, with penalties including imprisonment and heavy fines.
Singapore	The Computer Misuse Act (CMA), Chapter 50A, criminalizes unauthorized access to computer systems, including hacking or skimming devices to obtain card data, with penalties up to 7 years imprisonment or fines up to SGD 50,000.Penal Code, Section 420, covers cheating and dishonestly inducing delivery of property (e.g., using cloned cards), with penalties up to 7 years imprisonment and fines.Payment Services Act (2019) regulates payment systems and imposes obligations on financial institutions to prevent fraud, indirectly supporting anti-cloning measures.
Australia	Under the Criminal Code Act 1995 (Commonwealth): Using a device to obtain or deal with identification information (e.g., card data) without consent is an offense, punishable by up to 7 years imprisonment (Section 480.4). Unauthorized access to or modification of restricted data (e.g., via skimmers) carries up to 2 years imprisonment (Section 477.2).State laws also cover cloned cards. For example, under the Crimes Act 1900 (NSW), fraudulent use of cloned cards falls under theft or deception offenses, with penalties up to 7 years imprisonment.
Canada	Under the Criminal Code of Canada: Theft, forgery, or misuse of credit card data (including cloning) is punishable by up to 7 years imprisonment (Section 342).Fraud involving cloned cards carries penalties up to 14 years for large-scale offenses or 2 years for lesser cases (Section 380).Identity theft, including obtaining card data for cloning, is punishable by up to 5 years imprisonment (Section 402.2).
Brazil	Under the Brazilian Penal Code (Decree-Law No. 2,848/1940):Theft, including electronic theft of card data, carries 1-4 years imprisonment plus fines (Article 155).Fraud, such as using cloned cards, is punishable by 1-5 years imprisonment and fines (Article 171).

Can cloned cards be traced?

Yes, cloned cards can be traced. Banks and financial institutions use fraud detection systems to detect unusual patterns, such as where payments are being made and if a card is being used in multiple locations.

ATM logs and POS system records, as well as camera footage, can also be used to trace cloned cards and break up criminal networks. EMV chips also generate transaction codes, which make fraudulent transactions easier to detect. IP addresses, device details, and location can also be traced for online transactions. 

However, detection can be complicated by the use of money mules and prepaid cards. VPNs can also lead to difficulties, as can international criminal rings operating across different jurisdictions to avoid detection.

How to protect yourself from card cloning

Card cloning is a serious threat to cardholders, and losses due to card fraud are increasing. Make sure to do the following to keep yourself safe from card cloning:

• Check for skimming and shimming devices on ATMs and any other POS terminal
• Do not share your PIN and cover your PIN whenever you enter it
• Use an RFID-blocking wallet to lower your risk of wireless skimming
• Don’t enter your card details on websites you don’t trust
• Don’t open email links you don’t trust and especially don’t enter any information on such links
• Use multi-factor authentication
• Don’t use public Wi-Fi networks for any financial transactions
• Use reputable banks with advanced anti-fraud programs
• Turn on transaction alerts to monitor unauthorized uses of your card
• Use chip-enabled cards instead of magnetic stripe-only cards
• If you have to use an ATM, use one inside a bank and inspect it for any loose parts, unusual attachments, or hidden cameras
• Educate yourself on scams.

Unfortunately, you can do all of the above and still be a victim of card cloning due to no fault of your own. This is why it’s important to monitor bank statements regularly and know your rights for how to protect yourself as a victim of fraud.

You should also only choose trusted banks with strong cybersecurity and anti-fraud policies. Be patient if your bank asks for extra checks; it’s all to keep you and your money safe. 

Sumsub is dedicated to fighting fraud and uses the latest anti-fraud technologies to help financial institutions verify account holders and protect clients. Here are a few developments in anti-fraud tech we’re excited about.

The future of card cloning & fraud prevention

While fraudsters may be developing their strategies with tools like RFID skimming, emerging security technologies are likely to make card cloning and fraud even harder for criminals. These emerging prevention tools include:

Biometric authentication: Fingerprints, facial recognition, and voice IDs could replace PINs and passwords

AI fraud detection: Machine learning may analyze transaction patterns in real time, helping to detect any anomalies and block suspicious activity before too much damage is done

Tokenization: Substituting card details with non-sensitive digital tokens can stop fraudsters from using stolen data

Contactless & dynamic CVV cards: In addition to contactless cards, banks may issue cards with CVVs on tiny screens that change at regular intervals, making any cloned data useless

Blockchain: Blockchain technology can enhance security by encrypting transaction data

Geolocation-based security: Transactions could only be approved if they match a cardholder’s physical location

While there are exciting developments on the horizon, it’s still important to stay alert. Experience has shown that as security has evolved, so have fraudsters.

For more from Sumsub about the latest in verification fraud, read and listen to our Fraud Trends 2025: “What the Fraud?” Podcast

FAQs

• What industries are most targeted by cloned card fraud?

  Any industry with high transaction volumes and card use is at a risk of cloned card fraud. This includes retail, e-commerce, gas stations, and ATMs. Small businesses with poor fraud detection processes are also at high risk.

• What are the early warning signs of card cloning fraud for merchants?

  Early warning signs of card cloning fraud may include mismatched billing and shipping addresses, very high transaction volumes, repeatedly declined payments, and the use of multiple cards by one person in quick succession. Merchants should also have tight cybersecurity measures in place to prevent web skimming.

• How can businesses detect cloned card transactions in real-time?

  Machine learning can be used in fraud detection systems to analyze transaction patterns. This allows unusual behaviors to be flagged in real-time, potentially detecting the use of cloned cards.

• Can AI help prevent credit card cloning in online transactions?

  AI may help prevent card cloning in online transactions. It could do so by considering multiple factors to determine if there is a risk of fraud. This means potentially suspicious transactions could be blocked and flagged for further investigation. However, AI could also pose a threat and it is important for merchants and customers alike to have good standards of cybersecurity awareness while being conscious of scams.