ITRC_Formjacking_Computer_OnlinePayment

Consumers have been warned for years about the potential danger of compromised payment card readers. Whether in a store, at a gas pump, or even an ATM, a thief simply has to tamper with the keypad and card reader a little bit, install a micro-thin skimming device, then gather up your card information.

Now, a recently uncovered threat called formjacking is basically doing the same thing, only it is happening when you enter your payment details on a website. By inserting malicious code into the site, cyberthieves can swoop in and steal your card number, security code, zip code, and much more.

According to security software developer Symantec, “The number of instances of formjacking blocked by Symantec more than doubled, jumping from just over 41,000 to almost 88,500—a percentage increase of 117 percent.” The company estimates it blocks nearly 7,000 formjacking attempts every day.

This might sound like a problem that only targets less secure websites, but that’s not who thieves are going after. With websites like Ticketmaster being a victim, formjacking targets large e-commerce companies. By gaining access and injecting the harmful code into a website payment page or form, the hackers steal your information without you realizing it and without you ever leaving the trustworthy site you visited. Hackers can gain access to these trustworthy sites through supply chain attacks or by going through a third-party integration like payments, analytics or chat. If a third-party integration is compromised by hackers that is used widely, multiple websites could be at risk from just one infiltration.

That means consumers have to protect themselves from an invisible threat. Fortunately, a comprehensive security suite can often include additional features like suspicious URL blockers which keep you from landing on unsafe websites as well as payment card protections. With options out there to meet every budget—from free to car payment-sized—you can certainly find a solution that offers you greater protection and still fits your finances. If your card information is stolen, you can find out about it immediately by launching “card not present” transaction alerts from your financial institution.

On the other side of the web, it’s up to businesses to ensure they are not putting their customers at risk. It’s important to fully vet any third-party provider that connects to your company’s website, no matter what kind of service they offer. Companies should also ensure they are taking proactive steps to prevent these attacks and perform regular security checks.

Symantec is a proud financial sponsor of the Identity Theft Resource Center


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The How and Why of Tax Identity Theft