
The State of Card Skimming in the US: 2025 Year in Review

Card skimming attacks surged 90% in 2025, though early 2026 data shows a decline. Learn what banks and consumers can do to fight back against skimming fraud.

We've been reviewing the full-year results of card skimming data in the US from 2025, and the picture is a mixed one. While criminal activity escalated significantly in 2025, early signs from 2026 offer a glimmer of hope.

2025 by the Numbers: More Attacks, Slightly More Cards

In 2025, data from FICO Card Alert Service, one of the industry's most widely used compromise notification services, showed a 5% increase in identified compromised debit cards, rising from 231,000+ in 2024 to more than 243,000.¹ While these figures reflect cards protected with Card Alert and not the full US debit card population, the service's broad coverage makes it a strong indicator of skimming trends nationally. The number of financial institutions (FIs) affected also ticked upward, with more than 3,500 FIs dealing with skimming-related compromises, a slight increase over the roughly 3,300 impacted the year prior.

But the real story isn't about card volume – it’s about the explosive growth in compromise events. FICO’s Card Alert team sent over 3,200 Compromised Card Reports (CCRs) in 2025, representing a staggering 90% year-over-year increase in compromise events. In practical terms, that means criminals are executing more frequent, smaller-scale attacks. Rather than hitting one location hard, they're spreading their efforts across more targets, which is a shift that demands a corresponding change in how we detect and respond.

That acceleration didn't let up as the year went on. Compromise events increased an additional 15% in the second half of 2025 compared to the first half, continuing the upward trajectory we flagged last year. While I don’t relish being right, I predicted we'd see continued increases in both POCs and compromised cards for 2025, and unfortunately the data bore that out.

Points of Compromise: Non-Bank ATMs Still Dominate

The geographic and location patterns for compromise events we've tracked for years remain largely consistent, but the concentration is becoming even more pronounced. In 2025, 70% of all compromises occurred in the top 10 states — up from the 66% we reported for 2024. That tightening concentration is worth paying attention to. If your institution operates in or issues cards in those high-activity states, your exposure is elevated, and your monitoring strategies should reflect that.

For 2025, the top ten states for compromise activity were nearly identical to last year and comprise New York, California, Massachusetts, Maryland, Virginia, Pennsylvania, New Jersey, Colorado, Texas, and Illinois. Notably, we saw New York surpass California for the first time ever, to earn the dubious honor of the state with the highest incidence of compromise. Illinois is new to the top ten list, while Michigan fell off after a brief appearance in 2024.

The location profile of compromised ATMs also tells a familiar story: 90% of compromises occurred at non-bank ATMs. Free-standing terminals in convenience stores, gas stations, and other high-traffic locations remain the prime targets. And many of these ATMs were hit more than once, reinforcing the need for better security at these locations.

Infographic of card skimming trends

Early 2026 Data: A Cautious Reason for Optimism

There is encouraging news to share. FICO's latest data shows that the first two months of 2026 brought a decrease in both compromise events and total cards compromised compared to the same period in 2025. While it's far too early to call this a turning point since skimming patterns can shift quickly and seasonal trends may still emerge, it's a positive signal that the industry's collective efforts may be making a positive impact.

Banks: Double Down on Layered Defenses

Given the dramatic surge in compromise events last year, the message for issuers and fraud teams is clear: the threat remains, and your defenses need to factor skimming into your fraud management strategy. FICO research continues to show that consumers believe the number one action their bank can take to protect them is to have better fraud detection systems. Every layer you add helps protect your customers and your bottom line.

Here are the actions I continue to recommend for fighting card skimming:

  1. Monitor your equipment relentlessly. Regularly inspect ATMs for signs of tampering and report suspicious findings to internal teams and law enforcement. Deploy video surveillance wherever feasible.
  2. Leverage intelligence and patterns. Pay close attention to ATM location data and out-of-area transactions. With 70% of compromises concentrated in the top 10 states and many ATMs being targeted repeatedly, pattern recognition is one of your most powerful tools. Watch for telltale activity like an increase in balance inquiries preceding withdrawals and non-PIN-based transactions.
  3. Implement multi-layered defenses. Deploy comprehensive monitoring systems that combine risk-based strategies, advanced analytics, and proactive customer communications to distinguish legitimate transactions from potentially fraudulent activity or scam attempts.
  4. Expand fraud protection beyond ATMs. Criminals don't limit themselves to skimming. They use diverse scams and social engineering tactics across channels. Implement channel-specific fraud strategies before authorizing any purchase or payment transaction across all platforms.
  5. Communicate with customers proactively. Engage customers in real time, in the channel they prefer - whether text, email, phone, or in-app messaging. Give them the ability to confirm or deny transactions, check card status, and receive warnings about known and emerging threats.
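
One way to express the pattern check from item 2 (a balance inquiry shortly before an out-of-area withdrawal, and terminals where that recurs across cards) is sketched below. This is an added example, not FICO code; the event fields, the five-minute window and the repeat threshold are assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed max gap between inquiry and withdrawal
REPEAT_THRESHOLD = 2           # assumed flagged cards before escalating a terminal

# Constructed sample events:
# (time, card, card home state, terminal, terminal state, transaction type)
EVENTS = [
    ("2025-06-01T09:00:00", "card-F", "FL", "atm-17", "NY", "BALANCE_INQUIRY"),
    ("2025-06-01T09:20:00", "card-F", "FL", "atm-17", "NY", "WITHDRAWAL"),
    ("2025-06-01T10:00:00", "card-A", "OH", "atm-17", "NY", "BALANCE_INQUIRY"),
    ("2025-06-01T10:01:30", "card-A", "OH", "atm-17", "NY", "WITHDRAWAL"),
    ("2025-06-01T10:05:00", "card-B", "NY", "atm-17", "NY", "WITHDRAWAL"),
    ("2025-06-01T11:00:00", "card-C", "TX", "atm-17", "NY", "BALANCE_INQUIRY"),
    ("2025-06-01T11:02:00", "card-C", "TX", "atm-17", "NY", "WITHDRAWAL"),
    ("2025-06-01T12:00:00", "card-D", "CA", "atm-42", "CA", "BALANCE_INQUIRY"),
    ("2025-06-01T12:01:00", "card-D", "CA", "atm-42", "CA", "WITHDRAWAL"),
]

def flag_cards(events, window=WINDOW):
    """Return (card, terminal) pairs where an out-of-area withdrawal
    follows a balance inquiry on the same card within `window`."""
    last_inquiry = {}
    flagged = []
    # ISO-8601 timestamps in one format sort chronologically as strings.
    for ts, card, home, terminal, state, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "BALANCE_INQUIRY":
            last_inquiry[card] = when
        elif kind == "WITHDRAWAL" and state != home:
            seen = last_inquiry.get(card)
            if seen is not None and when - seen <= window:
                flagged.append((card, terminal))
    return flagged

def repeat_terminals(flagged, threshold=REPEAT_THRESHOLD):
    """Terminals where at least `threshold` distinct cards were flagged."""
    counts = Counter(terminal for _, terminal in set(flagged))
    return sorted(t for t, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    hits = flag_cards(EVENTS)
    print(hits, repeat_terminals(hits))
```

A flag here is a prompt for review or step-up contact with the cardholder, not a decline decision; in-area activity (card-D) and inquiries well before a withdrawal (card-F) are deliberately left alone.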

Consumers: Vigilance Still Matters

The advice for consumers hasn't changed, because the fundamentals of protection at the point of sale remain the same:

  • Use tap-to-pay or digital wallets whenever possible. Contactless payments use tokenization to obscure card details, making it far harder for criminals to steal your information compared to swiping a magnetic stripe.
  • Examine payment terminals before you use them. If a tap reader isn't working, or a keypad feels loose or unusual, consider that a red flag. Conduct your transaction elsewhere if anything seems off.
  • Choose chip and PIN over swiping. If tap isn't available, chip-based transactions are the next safest option — but cover the PIN pad, as criminals sometimes install hidden cameras to capture PINs.
  • Avoid swiping your magnetic stripe. This remains the least secure method of payment. A compromised terminal will often force you to swipe. If you can't use tap or chip, find another location.

The Bigger Fraud Picture

Skimming remains one piece of a broader fraud landscape that includes scams, account takeover, and the exploitation of stolen personal data from breaches. The surge in compromise events we saw in 2025 is a reminder that criminals are relentless in adapting their tactics. But with the right combination of technology, intelligence, and swift action, FIs can protect customers and their accounts. AI- and ML-powered fraud detection models, real-time customer communications, and services like FICO® Card Alert Service are essential tools in that fight.


1 All data referenced in this post and infographic is based on compromised debit card information identified and reported through the FICO Card Alert service. FICO Card Alert Service does not cover every US debit card.
