Formjacking
A cyberattack in which malicious JavaScript is injected into a website's payment or checkout form to silently copy card details as they are entered.
Also known as: digital skimming, web skimming, Magecart attack, e-skimming
Last reviewed: 1 June 2026
Formjacking is the digital equivalent of a card skimmer installed on a legitimate shop's checkout. Attackers compromise a website — typically a small to mid-sized e-commerce store with weaker security than large retailers — and insert a few lines of JavaScript into the payment page. When a customer fills in their card number, expiry date, and CVV, the script sends a copy of that data to the attacker's server at the moment of submission, before the page processes the legitimate payment.
The victim's transaction completes normally and they receive their order, so the theft may not be discovered until fraudulent charges appear on their statement days or weeks later. Large-scale formjacking campaigns have affected thousands of sites simultaneously by compromising widely used third-party JavaScript libraries or e-commerce plugins.
Technical mitigations include Content Security Policy (CSP) headers, which restrict where a page may load scripts from and where it may send data, and subresource integrity (SRI) checks, which let the browser refuse to run a third-party script whose contents no longer match a published hash. Shoppers can reduce risk by using virtual card numbers or payment services that add an extra authentication layer.
Examples
- A customer buys from a small online florist; unknown to them, injected code sends their card details to a criminal server. Fraudulent purchases appear on their card two weeks later.
- A Magecart-style script is added to a popular WordPress e-commerce plugin update, affecting hundreds of stores simultaneously.