Tom Grill / Photographer's Choice RF / Getty Images

Formjacking: The biggest credit card cybertheft you’ve never heard of

Cyberthieves aim to steal your info when you fill out an online form; here’s how to protect yourself


Formjacking – in which cyberthieves surreptitiously lift your credit card information from forms you fill out online – affects nearly 5,000 websites per month. It’s nearly impossible to detect while it’s happening, but there are ways to protect yourself.

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

Formjacking is probably the biggest type of credit card cybertheft you’ve never heard of.

Cybercriminals insert malicious code onto legitimate retailers’ sites in order to steal consumers’ credit card and personal information. It affects almost 5,000 websites each month.

Starting last year, cyberthieves “figured out how to perfect it and make a lot of money off it,” says Kevin Haley, director of security response for the cybersecurity provider Symantec, which issued the initial warning about the cybercrime.

Symantec blocked more than 3.7 million formjacking attempts last year, with almost one-third of the cases detected during the busy holiday shopping season.

But plenty of other attempts were successful, affecting such major companies as Ticketmaster and British Airways and earning the thieves millions of dollars by using consumers’ credit card information to make unauthorized purchases or by selling it on the dark web.

See related:  How to protect your personal information when booking travel

Formjacking is nearly impossible to detect

In 2018, more than 4,800 websites were compromised each month with formjacking code, according to Symantec.

Because consumers’ legitimate transactions typically go through, and they receive their merchandise, it can take quite a while for formjacking to be detected, Haley says. Usually, the consumer is never the wiser.

“Scammers don’t need a fake page, they just need a fake code,” says Ron Schlecht, founder of BTB Security, an information security company.

Haley compares formjacking to skimmers that might be concealed in a gas pump or ATM. But instead of inserting a counterfeit device on top of a legitimate one, cybercrooks insert malicious JavaScript code into merchants’ software.

Unlike a gas pump or ATM that might look suspicious because of a skimmer, there’s almost nothing a consumer can do to tell if a malicious code has been added to a retailer’s site.

“It’s almost impossible to know this is happening,” Haley says.

“Data is stolen as soon as it’s entered by a user and is siphoned off to a malicious third party in a readable format,” says Anurag Kahol, chief technology officer at Bitglass, an information security company.

The crooks can gain immediate access to credit card numbers, security codes and expiration dates, as well as the personal information you enter on an online form, Kahol says.

Because cybercriminals can get that full range of information, it makes it particularly valuable, and one credit card can be worth up to $45 on the dark web, Haley says.

A study by the credit reporting agency Experian found a credit card number and security code typically sell for $5 on the dark web.

How to protect your small business

While major merchants have been hit by formjacking, small- and medium-sized businesses are more likely to be targeted, Schlecht says. Because smaller businesses might have less security on their websites, it makes them “really juicy targets.”

The formjacking trend cuts across all types of industries, Schlecht says.

Schlecht admits formjacking gives him “pause” for his own business, as potential clients who are looking for a security assessment from BTB Security fill out an online form with information about their company.

While a small business doesn’t have the volume of credit card transactions a merchant such as Ticketmaster or British Airways does, it typically takes longer for formjacking to be detected on small business websites, Haley says, making them lucrative targets.

Many of the formjacking incidents identified last year involved cybercrooks who targeted third-party services, such as chatbots and customer review widgets, according to Symantec.

Haley urges small-business owners to “be careful with the third-party provider you use.”

It also might be worthwhile to consult with a security expert, and small businesses should be up to date with their latest software security patches, he says.

Kahol says it’s incumbent on merchants to train their employees to identify phishing emails that could deliver malicious code to the company’s website.

Having real-time security monitoring across all of a company’s devices and apps helps merchants “thwart formjacking attacks and keep customer data protected,” Kahol says.

See related:  Are mobile card readers safe for small businesses?

How to protect yourself

For a consumer, it’s not apparent that formjacking is taking place.

“There’s nothing from a user’s perspective that’s going to be easy to spot,” Schlecht says.

Along with stealing your credit card information, formjackers might be after your rewards account information or your account login details – anything you might type into an online form.

“Usually, the consumer won’t even realize their information has been stolen until something such as suspicious charges appear on their credit card and financial statements or new accounts are being opened with their details,” says Eva Casey-Velasquez, CEO of the Identity Theft Resource Center.

If you have issues with a form you are filling out online, Velasquez recommends reporting it to the company so it can check to make sure formjacking isn’t taking place.

Kelvin Murray, senior threat research analyst at the cybersecurity firm Webroot, recommends you get confirmation of any online purchases you make.

“If you suspect anything, don’t be afraid to reach out to the vendor to double-check that a transaction was received,” he says.

He also recommends avoiding doing businesses with those companies that have poor online security.

“This, admittedly, can be hard to ascertain, but Googling reviews can be a good place to start.”

It’s also important to be proactive and monitor your credit card and bank account statements regularly, Schlecht says, to watch for fraudulent transactions. You also might want to consider setting up credit monitoring or placing a freeze on your credit report.

“Nothing is going to be the ‘easy button,’ ” he says.

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In News

What is credit card reconsideration?

If your credit card application has been denied you might have a second chance of approval by calling the issuer’s reconsideration line. Here’s when to call and what to say.

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more