If you shop online, you probably assume the biggest risk is typing your card number into the wrong website. But there’s another threat that’s much harder to spot: formjacking. Formjacking happens when criminals inject malicious code into a legitimate website’s online form—usually a checkout page—so they can secretly steal whatever you type, such as payment card details, billing addresses, passwords, or other personal information. Europol describes this crime as digital skimming, also known as web skimming, e-skimming, or Magecart. Europol’s digital skimming guide explains that the theft happens during the online checkout process, often without the customer noticing anything unusual.
That stealth is what makes formjacking so dangerous. Unlike a fake website or phishing email, a formjacking attack can happen on a real site you already trust. The page looks normal. The purchase may even go through. But behind the scenes, a hidden script quietly copies your information and sends it to criminals. Broadcom’s threat research found that 4,818 unique websites were compromised with formjacking code each month in 2018, showing just how widespread this technique became. Broadcom’s Internet Security Threat Report remains one of the most cited sources on the scale of the threat.
How formjacking works
Formjacking usually follows a simple pattern:
- Criminals first gain access to a retailer’s site or a third-party script the site uses
- They inject malicious JavaScript into a payment form or checkout page
- The code captures customer data as it is typed into the form
- The stolen data is sent to an attacker-controlled server while the transaction still appears normal to the shopper
Attackers may breach either the online store itself or a third-party tool connected to it, which is one reason formjacking can spread widely across multiple sites at once.
Why formjacking is so hard to detect
Formjacking is designed to stay invisible. Most victims do not see an error message, warning, or anything unusual during checkout. In many cases, the product order still completes successfully, so there is no obvious clue that anything went wrong. Symantec’s deep-dive report adds that compromised websites stayed infected for an average of 46 days, giving attackers plenty of time to collect data before anyone noticed.
What data formjacking can steal
Formjacking is not limited to credit cards. Attackers may steal:
- Card numbers, expiration dates, and security codes
- Billing and shipping addresses
- Names, phone numbers, and email addresses
- Login credentials entered into web forms
How consumers can reduce the risk
You cannot inspect a site’s code before every purchase, but you can lower your exposure:
- Shop with major retailers that use strong security controls
- Keep your browser and devices updated
- Use virtual card numbers or a credit card with strong fraud protection
- Watch statements closely for small test charges or unfamiliar purchases
- Be cautious if a checkout page suddenly looks odd, loads strangely, or asks for more information than usual
Formjacking is a quiet but powerful threat because it turns trusted websites into data theft tools. You may do everything right and still be exposed if a retailer or one of its third-party services gets compromised. That is why monitoring accounts, using secure payment methods, and staying alert to fraud matter so much. If online checkout is part of daily life, understanding formjacking is now part of basic digital self-defense.








