Formjacking: What It Is and How to Protect Yourself From It

Watch out for credit card skimming when shopping online

Formjacking, often also referred to as e-skimming or credit card skimming, is a tactic used by hackers and scammers to hijack online shopping forms with the intent to steal personal and financial information from victims while they shop on legitimate online shopping websites.

What Is the Formjacking Scam?

Formjacking is a relatively new online scam, having received mainstream attention in 2018 and 2019 after a number of major online retailers, such as Target and British Airways, were hacked and the private credit card information of hundreds of thousands of customers was stolen.

How Does the E-Skimming Scam Work?

Unlike a system hack or data breach, which steals saved information, formjacking involves hacking an online storefront and placing JavaScript code into checkout-related forms. This JavaScript allows the online order to be placed as usual on the hacked website, but it also sends a copy of all of the customer’s entered information, such as name, address, and credit card information, to the hacker.

Formjacking scammers have also been known to hack third-party shopping cart providers, which allows them to skim credit card and banking information from various online stores at the same time.
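For store owners, one way to spot an injected or compromised third-party script of the kind described above is to audit which scripts the checkout page loads. The following is an added example, not part of the original article; the origins, the sample page and the function name are constructed for illustration.

```javascript
// Added example: flag checkout-page scripts that come from an origin the store
// has not approved, or from a third party without Subresource Integrity (SRI).
// All names, origins and the sample page below are constructed for illustration.
const SITE_ORIGIN = "https://shop.example";
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN, "https://cart.example"]);

// Constructed sample: first-party script, third-party script pinned with SRI,
// third-party script without SRI, script from an unknown origin, inline script.
const SAMPLE_HTML = `
<form id="checkout"><input name="card-number"></form>
<script src="/js/checkout.js"></script>
<script src="https://cart.example/cart.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cart.example/widgets.js"></script>
<script src="https://cdn.unknown.example/analytics.js"></script>
<script>document.title = "Checkout";</script>
`;

// Returns a list of { src, issue } findings. The regex scan is a simplification
// that suits an audit of your own pages; it is not a full HTML parser.
function auditScripts(html, siteOrigin, allowedOrigins) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      // Inline code has no origin to check, so it needs manual review.
      findings.push({ src: "(inline)", issue: "inline-script" });
      continue;
    }
    let url;
    try {
      url = new URL(src[1], siteOrigin); // resolves relative paths
    } catch {
      findings.push({ src: src[1], issue: "unparseable-src" });
      continue;
    }
    const hasSri = /(?:^|\s)integrity\s*=\s*["'][^"']+["']/i.test(attrs);
    if (!allowedOrigins.has(url.origin)) {
      findings.push({ src: url.href, issue: "origin-not-allowlisted" });
    } else if (url.origin !== siteOrigin && !hasSri) {
      // An approved provider can still be hacked; SRI pins the file's content.
      findings.push({ src: url.href, issue: "third-party-without-sri" });
    }
  }
  return findings;
}
```

Running `auditScripts(SAMPLE_HTML, SITE_ORIGIN, ALLOWED_ORIGINS)` reports the unpinned cart widget, the script from the unknown origin and the inline script, while the first-party script and the SRI-pinned cart script pass.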

The hacker can then use the collected information to make online orders. Often the data will be sold online to other parties and can lead to the victim becoming the target of additional online scams in the future.

How Do Credit Card Skimming Scammers Find Victims?

Both large and small online businesses have fallen victim to e-skimming hacks and there doesn’t appear to be a specific type of shopper that’s targeted more than others.

The hackers behind formjacking are often referred to as Magecart hackers, after the software used to perform e-skimming hacks. There is no one Magecart organization, though. Numerous unrelated individuals and groups commit these hacks.

Major online businesses offer the potential for a larger number of formjacking victims, though their sites may be harder to hack due to increased security.

An example of an online form that could potentially contain formjacking code.

Smaller online stores, such as arts and crafts shops, may have fewer customers, but they also typically have less security than larger organizations, so they are much easier to hack. On smaller sites, these hacks can remain undetected for a longer period of time.

How Do I Avoid Getting Involved in This Scam?

There are several ways to prevent yourself from falling victim to formjacking when shopping online.

  • Use Apple Pay or Google Pay. Both services completely hide your credit card information when making online purchases.
  • Use PayPal. PayPal and other similar online financial services are mostly protected against formjacking as they don’t require you to enter any banking information.
  • Save your payment information on the website. If your credit card information is already connected to your account, you won’t need to enter it into the form. Your financial info may be exposed if the website or database is hacked, however.
  • Check the website security status. While not a complete guarantee, if the online store’s website address begins with https, not http, that can indicate an increased level of security. A lock icon next to the address bar also indicates a site is using security precautions.
  • Disable scripts in your web browser. Most internet browsers have an option to disable JavaScript within their settings. Browser plugins can also be used.
  • Use a privacy-focused web browser. Some browsers, such as Brave, feature a strong focus on privacy and security and disable many scripts by default.
  • Check your bank statements. The easiest way to make sure your information hasn’t been stolen or sold online is to check your financial statements on a monthly basis for any suspicious or unusual transactions. You may also want to keep an eye on your credit score.

I’m Already a Victim. What Should I Do?

If you suspect that you’ve fallen victim to credit card skimming or e-skimming, the first thing you should do is to contact your bank or credit card provider and place a freeze on any future transactions.

Your credit card provider, depending on the type of card you use, may also be able to reverse any suspicious charges that have been made. You will likely be encouraged to get a new credit card as, once your credit card information has been exposed, it’s next to impossible to re-secure it.

If you also happened to enter your phone number into the hacked form, you may become the target of a wide range of phone scams, such as the Google Voice code scam, Social Security scam calls, and the area code 833 scam. Be very careful of suspicious phone calls.

You may also want to inform the owners of the website where you suspect your information was skimmed, as they could be unaware of such a hack.

How Do I Avoid Being Targeted for the Formjacking Scam?

Fortunately, formjacking scammers and hackers don’t target individuals, as the entire scam focuses on attacking vulnerable websites. You can decrease your chances of falling victim on a hacked website, though, by avoiding entering your personal information and credit card details wherever possible and by following the tips mentioned above.

Although they are a different type of online scam, you should also take care not to be tricked by fake websites, which are designed to look exactly like official ones and to steal your financial information in a similar way to how e-skimming or formjacking works.