You have probably heard of skimming, a type of fraud in which criminals install physical devices capable of capturing your payment card details on ATMs, gas pumps, and point-of-sale terminals. If you enter your debit or credit card into one of these fake card readers, your data is stored for later download or transmitted wirelessly in real time to a device controlled by scammers, who will use the information to steal from your accounts.
Unfortunately, online shoppers aren’t immune from this scheme. Web skimming is a type of cyberattack that uses malicious code to steal card data during checkout, and researchers have identified an ongoing campaign targeting major payment providers and, by extension, consumers.
Online credit card skimming
Web skimming attacks, broadly referred to as “Magecart” campaigns, are initiated when malicious JavaScript is injected into e-commerce websites and payment portals. When a checkout page loads, the skimmer replaces it with a spoofed form that collects card numbers, expiry dates, card verification codes, and billing or shipping addresses—everything threat actors need to turn around and use your card for fraudulent purchases.
The fake payment forms use legitimate-looking branding and styling to minimize suspicion. Once payment details are transmitted to the attacker, the user gets an error message and is redirected to the real checkout page, a flow designed to make you believe that you’ve simply entered your information incorrectly.
Web skimmers are typically designed to avoid detection and may even self-destruct, making them difficult to identify even for site admins. They also utilize bulletproof hosting, which shields cyber actors from takedown requests and law enforcement action.
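For site operators, the two changes described above (an injected script and a payment form that sends card data somewhere new) can be checked against an allowlist. The following is an added example, not code from the researchers or from any payment provider; the inventory format, the function names, and every hostname are constructed assumptions.

```javascript
// Added example: audit a checkout-page inventory for an injected script and
// for a card form posting to an unexpected host. Hostnames are constructed.
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "js.payments.example"]);
const ALLOWED_FORM_HOSTS = new Set(["shop.example", "pay.payments.example"]);

// Resolve a possibly relative URL against the page URL; null if unparsable.
function hostOf(url, pageUrl) {
  try {
    return new URL(url, pageUrl).hostname;
  } catch {
    return null;
  }
}

// inventory: { pageUrl, scripts: [src, ...], forms: [{ action, fields }] }
function auditCheckout(inventory) {
  const findings = [];
  for (const src of inventory.scripts) {
    const host = hostOf(src, inventory.pageUrl);
    if (host === null || !ALLOWED_SCRIPT_HOSTS.has(host)) {
      findings.push({ type: "unexpected-script", value: src });
    }
  }
  const cardField = /card|cvv|cvc|expir/i;
  for (const form of inventory.forms) {
    if (!form.fields.some((f) => cardField.test(f))) continue; // not a payment form
    const host = hostOf(form.action, inventory.pageUrl);
    if (host === null || !ALLOWED_FORM_HOSTS.has(host)) {
      findings.push({ type: "unexpected-payment-form", value: form.action });
    }
  }
  return findings;
}

// Constructed sample snapshots: one clean, one tampered.
const clean = {
  pageUrl: "https://shop.example/checkout",
  scripts: ["/static/cart.js", "https://js.payments.example/v3/sdk.js"],
  forms: [{ action: "https://pay.payments.example/charge", fields: ["card_number", "cvv"] }],
};
const tampered = {
  pageUrl: "https://shop.example/checkout",
  scripts: [...clean.scripts, "https://cdn.stats.invalid/a.js"],
  forms: [
    { action: "/search", fields: ["q"] },
    { action: "https://collect.stats.invalid/p", fields: ["card_number", "expiry", "cvv"] },
  ],
};
console.log(auditCheckout(clean), auditCheckout(tampered));
```

Because skimmers may hide or remove themselves, a single clean snapshot does not show that the page is clean; a check like this is only useful when repeated and compared over time.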
How to protect your payment card
Unfortunately, consumers can’t do much about the presence of web skimmers, but they can play defense against them. Red flags of an online shopping scam are also red flags for skimming—for example, deals and discounts that are too good to be true are indicators of a possible fraudulent vendor or malicious site, where you may be more likely to have your card details stolen. Shopping with reputable vendors will reduce (though not entirely eliminate) the risk. You should also be vigilant about any unusual steps during checkout, such as redirects or error messages, and abandon any suspicious transactions.
If you suspect that your payment details may have been stolen, keep an eye on your bank and credit card statements for unauthorized activity, and enable transaction alerts for real-time updates. Remember that credit cards offer more security protections than debit cards. You could also use virtual cards for online purchases, which allows you to keep your actual card details private and protects you from further fraud. (Note, however, that virtual cards have some drawbacks. For example, you may lose some protections offered by your primary card provider and have a tougher time obtaining refunds.)
