Skip to main content
Cert Posts

Receipt scam (ATM): how it works and how to protect yourself

14 October 20256 min read

In recent weeks, we have seen a wave of reports about the so-called “receipt scam”: recovered or photographed ATM/POS receipts become the starting point for social engineering attacks that lead to accounts being emptied or identity theft.

Public reports converge on a recurring pattern: the paper document provides information (even partial) that is then exploited to convince the victim to reveal further credentials or OTPs.

 

Receipts: why they are useful to cybercriminals

Although ATM/POS receipts almost never show the full PAN or CVV, they may contain:

  • the date/time and amount of the transaction, branch or ATM/POS ID;
  • the last 4 digits of the card and sometimes part of the account number;
  • the balance shown or previous/subsequent transactions, which help with profiling.

These fragments, combined with data available on social media or via OSINT, allow fraudsters to construct a credible narrative: “We have detected suspicious transactions on your account X, please provide the code that will be sent to you…”.

Therefore, it is recommended that you do not print or keep the receipt unless strictly necessary.

 

Mechanics of the attack

Below is the typical chain of events that an attacker follows to transform the information obtained from the receipt into access and emptying of the account:

  • Collection: physical retrieval of the receipt from an ATM or bar/shop; or photograph of the receipt given to the customer
  • Context reconstruction: use of OSINT and data enrichment (e.g., searching for the name associated with the phone number, social profiles, withdrawal patterns)
  • Initial contact: call/text message/WhatsApp pretending to be a bank or call center (vishing/smishing)
  • Escalation request: request for OTP codes, PINs, security codes, or invitation to install a “remote support” app
  • Emptying: use of the information obtained for rapid transfers or fraudulent push authentications.

This chain is dangerous because a single fragment of truth (e.g., amount/real time) makes social-engineered communication much more convincing.

Technical analysis

A SOC or a bank’s anti-fraud team should consider at least the following signals:

  • sudden increase in reset/push auth requests for the same account within a narrow time window
  • duplication of OTP requests from different lockstep devices
  • multiple high-value transactions in quick succession on cards that show regular monthly withdrawals.

To demonstrate a practical approach, we have prepared a simple detection example: the number of transactions per card is counted in hourly windows and reported when the count exceeds a statistical threshold (mean + k·std). This is a basic heuristic: in production, more robust probabilistic models (MLE, Bayesian change point, ML/seq-anomaly models) would be needed.

 

Sample code

To demonstrate a detection approach in a practical way, we have created a simple Python script that analyzes the number of transactions for each card in hourly windows and automatically flags anomalies.

The algorithm uses a basic statistical threshold (the mean plus four standard deviations) to identify atypical behavior, such as a sudden increase in transactions over a short period of time.

Although elementary, this method allows us to see how a rapid account emptying attack can clearly emerge from transactional data. In real-world contexts, the same principle can be extended to more sophisticated machine learning models or behavioral analysis.

The code snippet below shows the core of the detection logic:

# count per time window
counts = df.groupby(['card_id','hour']).size().reset_index(name='tx_count')
# simple threshold: mean + 4*std
stats = counts.groupby('card_id')['tx_count'].agg(['mean','std']).reset_index()
counts = counts.merge(stats, on='card_id', how='left')
counts['threshold'] = counts['mean'] + 4*counts['std']
counts['anomaly'] = counts['tx_count'] > counts['threshold']

In the simulation test, the model detected an abnormal spike on one of the cards, shown in the graph below /mnt/data/anomaly_plot_card2.png and the dataset used as a practical example /mnt/data/sample_transactions_scontrino.csv.

The graph illustrates how an hourly window with many ATM transactions on a single card can be flagged as anomalous by the detection described.

 

Related criminal techniques

Let’s take a look at the techniques and methods used in attacks related to receipt fraud:

  • Vishing & Smishing: phone calls or messages that exploit receipt details to increase credibility
  • Sim-swap and social engineering: using data to perform SIM swaps and intercept OTPs
  • Photo-collection + deep-OSINT: date/time + merchant pairs allow you to cross-reference and identify individuals who frequent certain locations.

 

Practical mitigation measures (for users)

Good habits, awareness, and careful management of seemingly harmless information such as receipts are the basis for reducing the risk of exposure. Let’s take a look at how to behave:

  • Do not print the receipt unless you really need it; if you print it, destroy it immediately
  • Always check the sender of calls/text messages; banks do not ask for PINs or OTPs over the phone
  • Enable push notifications on the official app (more difficult to intercept than text messages)
  • Block your card immediately at the first sign of suspicious activity and report it to your bank
  • Use multi-factor authentication with different channels (e.g., push on a secure device + hardware token).

 

Technical mitigations (for banks)

In addition to practical mitigations, we analyze how security teams, SOCs, and banking institutions can detect, prevent, and contain receipt fraud through automated controls, behavioral monitoring, and system hardening strategies.

  • Implement behavioral detection with models that analyze transaction sequences and device fingerprinting
  • Rate-limit and challenge step-up (e.g., request biometric confirmation for atypical transactions)
  • Monitor coordinated SMS & vishing campaigns (threat intel) and take down smishing operators
  • Customer awareness campaigns: avoid printing receipts and indicate official contact channels.

 

Operational example: rapid response playbook

In the event of a suspected receipt scam attack, timely and structured intervention is essential. Below is an example of an operational playbook that summarizes the main rapid response actions:

  1. Isolate the card and disable payment channels immediately.
  2. Provide the user with a verified channel (official number) and activate challenge push on a secondary device.
  3. Analyze logs for 48–72 hours before and after the event to track any related accounts.
  4. Collaborate with telephone operators in case of suspected SIM swapping.

 

The “receipt scam” is effective because it exploits trust: seemingly harmless data makes the criminals’ narrative much more credible. To defend yourself, you need a combination of personal hygiene (don’t print, don’t share) and technical countermeasures (behavioral detection, robust MFA, awareness campaigns).

Recent reports confirm that the phenomenon is ongoing and that a coordinated operational and training approach is needed.