Victims from several suburbs, including Bloomingdale, West Chicago, Naperville, Bolingbrook and Park Ridge, reported problems after using a debit or credit card at Michaels, an arts and crafts chain store.
Jennifer Gatz canceled her debit card this week after two fraudulent transactions totaling more than a $1,000.
"They were not mine because they were from ATMs that were from nowhere that I've ever been to. Immediately, I started panicking," said Gatz.
Gatz closed her account and learned from a Facebook friend that Brandi Ramundo of West Chicago was also a victim. The two touched base on the social network and realized they both recently shopped at Michaels stores.
"I couldn't believe it. It's such a well known store, it's a huge chain. There are stores everywhere. I was actually shocked," said Gatz.
"We have our credit cards in hand. There had to be some type of skimming device that was capturing it and assuming our pin numbers," said Ramundo.
Michaels released a statement saying, in part, that it "may have been a victim of PIN pad tampering in the Chicago area and that customer debit and credit card information may have been compromised." Michaels also encourages customers to take precautions.
When it comes to using debit cards, the Better Business Bureau of Chicago and Northern Illinois has plenty of advice.
"The protection is not there that consumers think," Steve Bernas, Better Business Bureau of Chicago and Northern Illinois.
Bernas recommends the following:
"With a debit card, after 60 days, you can be liable for the full amount that was stolen from you. So think about it - you can lose your life savings or everything in your account to a fraudster, to a scam artist if you don't report it in time," said Bernas.
Bernas says most banks want customers to report fraud within two days. If it's more than 60 days, victims could be legally responsible for the stolen money.
ABC7's news partner, the Daily Herald, also talked to Glenview police who say that their cases are not necessarily linked to Michaels. They say it's possible someone accessed the information at a credit processing center that serves several companies.