Cybercrime is everywhere, but it’s not always easy to spot. Some types are disruptive and in-your-face, while others, like formjacking, are more subtle. If you don’t know how to prevent formjacking, cybercriminals could steal private information without anyone noticing anything wrong.

So what exactly is formjacking, and how can you stop yourself from falling victim?

What Is Formjacking?


Formjacking is a cyberattack in which hackers insert malicious code, usually JavaScript, into a website, typically targeting a payment or checkout form. When you enter your personal information, this code sends a copy of it to a server the cybercriminals control, so they can access and use it while the form still appears to work normally.

Stealing financial information from e-commerce sites is the most common formjacking example, but it’s not the only one. Sometimes, formjackers steal names and addresses to commit identity fraud or break into other accounts. Other times, they’ll just sell your personal information on the dark web. Some cybercriminals will do all of the above too!

Email marketing has taken off during the COVID-19 pandemic: with an ROI of $44 for every $1 spent and the massive shift to online storefronts, the high level of trust we place in email marketing forms has only heightened the issue. Legitimate information forms are everywhere online, giving hackers a perfect opportunity to steal valuable data.

How to Prevent Formjacking

Formjacking is a real danger if you run a website, but you can prevent it. And your visitors can protect themselves from formjacking too. Some of the most effective tools are script blockers like ScriptSafe or JS Blocker. These browser extensions block scripts from running, including those that formjackers might use.

Masked credit cards or tokenization through apps like Apple Pay or Google Pay also help by keeping your real card details out of the form, so a formjacking script has less to steal. Most antivirus programs further include measures to block some known formjacking scripts.

Website owners should run tests before every update. This will help reveal any suspicious code and ensure everything works as it should. Adding Subresource Integrity (SRI) attributes to your script and stylesheet tags makes browsers verify that each resource arrives unmodified (its hash must match the one you specified, or the browser refuses to run it), helping prevent formjacking through tampered scripts.

How to Detect and Respond to Formjacking


Regardless of how you prevent formjacking, no prevention method is 100 percent effective. As a result, you should also know how to detect and respond to things that slip through the cracks.

Scan your website's code regularly, especially before releasing an update, to look for irregularities. Anything you didn't write or put there could be malicious, so remove it. Obviously, you need to be careful you don't accidentally delete something that's important; compare against a known-good copy and be doubly sure before you get rid of code.

Two-Factor Authentication (2FA) won't prevent formjacking, but it will minimize the damage because it makes it harder to use stolen credentials to breach other accounts. Admittedly, 2FA isn't perfect, but some experts nonetheless call it the most effective tool against cyberattacks. Website owners should offer it and visitors should enable it.

You can also detect formjacking by regularly checking your bank accounts, credit score, and other records. Call your bank to cancel or freeze your cards if you see any unusual activity, and then change your passwords. Automated monitoring apps can make this easier by checking your records for you.

Website owners should contact affected users if they notice unusual code. It's your responsibility to handle users' data, so take that burden seriously and be up-front about cyberattacks. Tell them to monitor their accounts and change their passwords. On top of keeping them safe, this transparency will help build trust.

Keep Your Website and Your Data Safe

Even small, non-business sites could become victims of formjacking. Knowing how to prevent formjacking is an important first step in the fight against cybercrime. Website owners and visitors who understand these threats can take the right steps to stay safe.