Security · May 26, 2026 · 8 min read

How to Protect Yourself From Formjacking Attacks

By Sarah Chen

Head of Privacy Research

Formjacking — also known as e-skimming or Magecart attacks — is one of the fastest-growing online threats, with attacks surging over 100% in recent years. Unlike traditional phishing, formjacking targets legitimate websites, silently stealing your credit card information as you type it into real checkout forms. Here's how to recognize and protect yourself from this invisible threat.

What Is Formjacking?

Formjacking is a cyberattack where criminals inject malicious JavaScript code into the payment forms of legitimate e-commerce websites. When you enter your credit card number, expiration date, CVV, and billing address into a compromised checkout page, the malicious script captures that data in real time and sends it to the attacker's server — all while the legitimate transaction processes normally.

The attack is completely invisible to shoppers. The website looks normal, the transaction goes through, and you receive your order. You won't know your card has been compromised until fraudulent charges appear on your statement — sometimes weeks or months later.

A Growing Threat

In January 2026, security researchers exposed a sophisticated Magecart skimming network that had been operating undetected since 2022, harvesting payment data from thousands of e-commerce websites across six major payment networks including American Express, Mastercard, Discover, and JCB. These aren't small or sketchy sites — major retailers have been victims.

How Formjacking Attacks Work

Understanding the attack chain helps you appreciate why formjacking is so difficult to detect:

  1. The attacker compromises the website — either by exploiting a vulnerability in the site's code, hacking a third-party script provider, or compromising the site's content management system
  2. Malicious JavaScript is injected into the payment page — often just a few lines of code that are nearly impossible to spot in the site's source
  3. The script activates on checkout — it monitors form fields and captures everything you type into the payment form
  4. Data is exfiltrated — your card details are sent to a server controlled by the attacker, often disguised to look like a legitimate analytics or advertising service
  5. The legitimate transaction completes normally — neither you nor the merchant realizes anything is wrong
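Steps 1 and 2 above work because a checkout page typically loads several scripts, some from third parties, and an injected or altered one looks like all the others. The following is an added example, not code from the original article: a merchant- or auditor-side inventory check that lists every script tag on a checkout page and flags the conditions a skimmer relies on (an origin the site never approved, a third-party script with no Subresource Integrity attribute pinning its contents, and inline code). The HTML, hostnames and allowlist are constructed placeholders.

```javascript
// Added example (not from the original article): inventory the <script> tags on a
// checkout page and flag the ones a reviewer should look at. Sample HTML, hostnames
// and the allowlist below are all constructed placeholders.

const FIRST_PARTY_ORIGIN = "https://shop.example";              // placeholder
const ALLOWED_SCRIPT_ORIGINS = new Set([
  FIRST_PARTY_ORIGIN,
  "https://cdn.payments.example",                               // placeholder PSP CDN
]);

// Constructed checkout page: one first-party script, two payment-provider scripts
// (only one pinned with integrity=), one unknown "stats" script, one inline block.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.payments.example/v2/fields.js"
        integrity="sha384-PLACEHOLDERHASHVALUE"></script>
<script src="https://cdn.payments.example/v2/3ds.js"></script>
<script src="https://stats-collector.example/t.js"></script>
<script>window.__cfg={country:"US"};</script>
</head><body>...</body></html>`;

// Pull each <script ...>...</script> element out of the markup. A regex is adequate
// for an audit over well-formed HTML the merchant controls.
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1] || null;
    const integrity = (attrs.match(/\bintegrity\s*=\s*"([^"]*)"/i) || [])[1] || null;
    scripts.push({ src, integrity, inline: src === null, body: m[2].trim() });
  }
  return scripts;
}

// Classify each script and return the findings, in page order.
function auditCheckoutScripts(html, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.inline) {
      // A few injected lines hide most easily here (step 2 of the attack chain).
      findings.push({ kind: "inline-script", detail: s.body.slice(0, 60) });
      continue;
    }
    let origin;
    try {
      origin = new URL(s.src).origin;
    } catch {
      findings.push({ kind: "unparseable-src", detail: s.src });
      continue;
    }
    if (!allowedOrigins.has(origin)) {
      // Loaded from somewhere the site never approved.
      findings.push({ kind: "unlisted-origin", detail: origin });
    } else if (origin !== FIRST_PARTY_ORIGIN && !s.integrity) {
      // Third-party code without an integrity hash: a compromised provider
      // (step 1) could ship altered code and the browser would accept it.
      findings.push({ kind: "missing-integrity", detail: s.src });
    }
  }
  return findings;
}

console.log(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML));
```

Run against the constructed page it reports three findings: the unpinned payment-provider script, the unlisted `stats-collector.example` origin, and the inline block. A real deployment would run this against the live page on a schedule and alert on any change to the inventory, since a skimmer shows up as exactly that kind of diff.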

Why Traditional Security Doesn't Catch It

Formjacking is particularly dangerous because it bypasses many common security measures:

  • HTTPS doesn't help — the site has a valid SSL certificate and the connection is encrypted, but the malicious code runs within that encrypted session
  • Antivirus may miss it — the malicious code runs inside a web page in your browser rather than as a program installed on your computer, so traditional antivirus software often doesn't detect it
  • The site is legitimate — you're not on a fake or phishing site, so URL-checking tools won't flag it
  • Web application firewalls can fail — attackers often compromise third-party scripts that are already trusted by the site's security systems
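HTTPS and a WAF do not decide where a script already running in the page may send data; the browser-side control that does is the site's Content-Security-Policy, specifically its connect-src directive (falling back to default-src). The block below is an added example, not code from the original article: it evaluates whether a given policy would permit a connection to a given origin, and contrasts a weak policy that never restricts connections with a hardened one that names the only origins the checkout page may contact. It models the connect-src/default-src fallback and ordinary host sources only; nonces, hashes and reporting directives are out of scope, and all policies and hostnames are constructed placeholders.

```javascript
// Added example (not from the original article): check whether a CSP would let
// page script send data to a given origin. Policies and hostnames are constructed
// placeholders; only connect-src / default-src and host/scheme sources are modelled.

const PAGE_ORIGIN = "https://shop.example"; // constructed placeholder

// Weak setting: no connect-src and no default-src, so scripts may contact any origin.
const WEAK_CSP = "script-src 'self' https://cdn.payments.example";

// Hardened setting: every directive names the only origins the page may use.
const HARDENED_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.payments.example; " +
  "connect-src 'self' https://api.payments.example; " +
  "form-action 'self' https://checkout.payments.example";

// Split a policy string into a map of directive name -> source list.
// Per the CSP spec, a repeated directive is ignored; the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression match the target origin?
function sourceMatches(source, targetOrigin, pageOrigin) {
  const target = new URL(targetOrigin);
  if (source === "'self'") return target.origin === pageOrigin;
  if (source === "*") return true;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes never match a host
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  // Host source, optionally with a scheme, a leading "*." wildcard label and a port.
  const withScheme = source.includes("://") ? source : `${target.protocol}//${source}`;
  const m = withScheme.match(/^([a-z][a-z0-9+.-]*:)\/\/(\*\.)?([^/:]+)(?::(\d+|\*))?/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme.toLowerCase() !== target.protocol) return false;
  const targetHost = target.hostname.toLowerCase();
  const sourceHost = host.toLowerCase();
  const hostOk = wildcard ? targetHost.endsWith("." + sourceHost) : targetHost === sourceHost;
  if (!hostOk) return false;
  const targetPort = target.port || (target.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== targetPort) return false;
  return true;
}

// Would a fetch()/sendBeacon()/XHR to targetOrigin be allowed under this policy?
function cspAllowsConnection(policy, targetOrigin, pageOrigin = PAGE_ORIGIN) {
  const directives = parseCsp(policy);
  const sources = directives.get("connect-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // no applicable directive: unrestricted
  if (sources.includes("'none'")) return false;
  return sources.some((s) => sourceMatches(s, targetOrigin, pageOrigin));
}

const UNKNOWN_ORIGIN = "https://stats-collector.example"; // constructed placeholder
console.log("weak policy permits unknown origin:", cspAllowsConnection(WEAK_CSP, UNKNOWN_ORIGIN));
console.log("hardened policy permits unknown origin:", cspAllowsConnection(HARDENED_CSP, UNKNOWN_ORIGIN));
```

Under the weak policy the unknown origin is reachable; under the hardened one only the page's own origin and its payment API are. This is why a restrictive connect-src (and form-action) belongs on every checkout page: an encrypted session and a valid certificate say nothing about which destinations the page's scripts are allowed to talk to, and the policy is what makes an unexpected destination fail and generate a report.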

How to Protect Yourself

Use Virtual or Disposable Credit Cards

This is the single most effective defense against formjacking. Virtual credit card services generate one-time-use card numbers with spending limits you set. If a formjacker steals the number, it's already expired or limited to a small amount.

  • Many banks now offer virtual card numbers through their apps
  • Services like Privacy.com create disposable card numbers for online purchases
  • Apple Pay, Google Pay, and PayPal generate tokenized transactions that don't expose your real card number

Prefer Digital Wallets at Checkout

When a checkout page offers Apple Pay, Google Pay, or PayPal, use them. These services use tokenization — they send a one-time code to the merchant instead of your actual card number. Since you never type your card details into the form, a formjacking script has nothing to capture.

Enable Transaction Alerts

Set up real-time notifications for every transaction on your credit and debit cards. Most banks offer push notifications, text alerts, or email notifications for purchases. The sooner you spot a fraudulent charge, the faster you can freeze your card and limit the damage.

Use a Script-Blocking Browser Extension

Browser extensions like uBlock Origin, NoScript, or Privacy Badger can block suspicious JavaScript from running on web pages. While this won't catch every formjacking script, it adds an extra layer of protection by blocking known malicious domains and preventing unauthorized scripts from executing.

Keep Your Browser Updated

Modern browsers include security features that can help detect and block malicious scripts. Always use the latest version of your browser and enable any built-in security features like Safe Browsing (Chrome) or Enhanced Tracking Protection (Firefox).

Check Your Cards Regularly

Review your credit card and bank statements at least weekly. Don't wait for your monthly statement — by then, a formjacker could have made dozens of fraudulent purchases. Most banks allow you to set up alerts for transactions above a certain threshold, or for any transaction at all.

What to Do If You're a Victim

If you notice unauthorized charges that may be the result of a formjacking attack:

  1. Contact your bank immediately to freeze the compromised card and dispute fraudulent charges
  2. Request a new card number — don't just block individual transactions, as the attacker has your full card details
  3. Change passwords on any accounts associated with the compromised card
  4. File a report with the FTC at reportfraud.ftc.gov
  5. Monitor your credit — formjacking victims sometimes experience broader identity theft if billing address and personal details were also captured
  6. Alert the merchant — they may not know their site has been compromised, and your report could protect other shoppers

The Connection Between Formjacking and Identity Theft

Formjacking doesn't just steal credit card numbers. Many checkout forms also capture your full name, billing address, phone number, and email address. This information can be combined with data from data brokers to commit more serious identity theft — opening new accounts, filing false tax returns, or taking over existing financial accounts.

This is why protecting your personal information beyond just your payment details is so important. PrivacyOn removes your personal data from over 100 data broker sites, making it harder for criminals to cross-reference stolen payment information with your full identity profile. Combined with dark web monitoring that alerts you if your financial information appears on criminal marketplaces, PrivacyOn helps you reduce the impact of a formjacking attack before and after it happens.

Quick Protection Checklist

  • Use virtual credit cards or digital wallets for online purchases
  • Enable real-time transaction alerts on all payment cards
  • Install a script-blocking browser extension
  • Keep your browser and operating system updated
  • Review bank and credit card statements weekly
  • Use a credit monitoring service to catch new account fraud
  • Remove your personal data from data brokers with a service like PrivacyOn
  • Freeze your credit at all three bureaus if you're not actively applying for credit
Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
