Good article, provides description and solution.
Editor: Michael Brock - 08/20/08
The first method is a purer social engineering trick, usually committed against easily confused individuals, such as the elderly. It's called the "$20 drop". In it, the perp watches an elderly person use an ATM, shoulder surfing their PIN, which is usually entered very slowly anyway. He waits for the victim to complete the transaction, and then drops a $20 bill beside the victim just before she goes to retrieve her card from the machine. He tells her she dropped a $20 bill, and while she is bent over to pick it up, he quickly swaps her card for a blank one with similar markings. She then retrieves "her" card, takes the $20 and leaves, unaware that the perp now has her real card and the PIN.
The second method relies on a hidden camera. The advent of fairly cheap "spy cams" has made it feasible for a crook to attach one to an ATM enclosure so that it has an excellent view of the keypad. Typically the user's PIN is videotaped, and later the account numbers are retrieved from discarded ATM receipts, correlated with recorded PINs by transaction time, and used to encode fake ATM cards. Since this is not a very low-tech scam, it is much less common than the other two in this advisory. It could, however, be combined with the $20 drop to eliminate the need to manufacture a fake card.
A variation of this method involves a working but false membrane keypad taped over the machine's real keypad. It records the victim's PIN, or transmits it to a readout device carried by the perp.
The third method is effective against victims of nearly any age, but relies to some extent on victim ignorance/stupidity. In this method, a false faceplate is placed over the machine's lower part, covering the cash outlet but leaving the rest of the machine exposed. Some crooks use parts vandalized/cannibalized from ATMs elsewhere; others have fakes made up at plastic fabrication houses. Usually the false fronts bear the logos of the target ATM's bank, the ATM network, Visa or Mastercard, etc. A few crooks even go so far as to attach a dummy cash outlet. To use this method, the perp fastens the false front to the ATM and waits, out of immediate view, for a victim to come along. The victim attempts to make a withdrawal and hears the machine's mechanism count out the money, but no money comes out. Puzzled and probably very annoyed, the victim leaves to try another ATM elsewhere, feeling safe in the knowledge that ATMs are supposed to be designed to fail safe and not complete the debit to the account unless the cash is actually given. The perp waits for the victim to leave, then removes the false front and the cash.
Solution:
The banks are aware of all these scams. In a way the banks are partly responsible for them, as moves to replace human tellers with machines have forced more and more people who really don't have the mental capacity to use ATMs safely and prudently to use them anyway. Elderly people should not enter an ATM vestibule without a trusted person present.
In the case of the false front scams, look at the ATM before you use it. Where does the money come out? If you can't tell right away, it might be hidden behind a false front. And the keypad should always be flush with the console of the ATM, not part of a small box that protrudes from it.