Formjacking: Cybersecurity’s Crime du Jour

by Keith Barthold

Move over phishing, ransomware, and cryptojacking. The latest fad in cybercrime, “formjacking” — hijacking personal data from an online form — is the most formidable weapon in a hacker’s malicious online arsenal.

As online users grow more suspicious of, and savvy about, phishing and ransomware tactics, and as the decreasing value of cryptocurrencies drives cybercriminals to other means of attack, this new and innovative method of stealing online data is becoming more prevalent. It only takes a few entries on a “trusted” online source and you’ve lost access to your valuable data and assets before you even know it. You’ve been formjacked!

According to the Symantec Internet Security Threat Report 2019, formjackers compromised 4,818 unique websites every month in 2018. Over the course of the year, Symantec blocked over 3.7 million formjacking attempts. This is definitely a threat everyone needs to take seriously.

Here’s a brief explanation of what formjacking is, how it works, and how to combat it.

What is it?

Formjacking, as its name suggests, is when an outside source hijacks the data — most often financial, private, and personal — from a form you’re filling out online.

So when you think your information is getting transmitted safely and securely online, there’s an outside party looking over your shoulder, watching everything you’re entering, and stealing it.

How does it work?

Formjacking involves inserting malicious code into a website, most often in the form of a secondary e-commerce provider. The implanted code then intercepts sensitive or payment information such as credit card details, names, and other personal data commonly used when doing business online. The stolen data is sent to a server for reuse or sale and the victim is left unaware that their private information has been compromised.

In many cases, you don’t even have to submit the form. Simply filling it out at any time makes your data vulnerable to formjacking.

How do you stop it?

  1. Always be on the alert. Heed the old adage, “Buyer beware,” and not just on the major, more sophisticated online sites. Formjacking is just as likely to be perpetrated on smaller e-commerce sites because the larger organizations will probably have taken increased security measures.

  2. Install a data blocker. There are many good software or plugin options that will reduce your risk of being formjacked. Once you add script-blocking extensions to your browser, you’ll have more protection against data attacks. But this isn’t always foolproof.

  3. Scan selected sites for compromising code. If you don’t trust it, test it. There are ways you can check that the web apps or code for a website have been developed with proper attention to both security and privacy. Automated website vulnerability services can scan websites for possible threats.
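
For site owners, scanning for compromising code can start with an inventory of the scripts that load next to a form, since the implanted code described under “How does it work?” most often arrives through a secondary provider. The Python sketch below is an added example, not code from the original article; the hosts, the allowlist and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample checkout page; every host here is a placeholder.
SAMPLE_URL = "https://shop.example/checkout"
ALLOWED = {"pay.example", "chat.example"}  # assumed list of approved third parties
SAMPLE_HTML = """
<form action="/checkout" method="post"><input name="card_number"></form>
<script src="/static/cart.js"></script>
<script src="https://pay.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://chat.example/widget.js"></script>
<script src="//stats.example/t.js"></script>
"""

class ScriptInventory(HTMLParser):
    """Record every <script> tag and whether the page contains a form."""
    def __init__(self):
        super().__init__()
        self.scripts = []       # (src or None, has integrity attribute)
        self.has_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts.append((a.get("src"), bool(a.get("integrity"))))
        elif tag == "form":
            self.has_form = True

def audit_page(html, page_url, allowed_hosts):
    """Flag external scripts that run alongside a form on this page."""
    inv = ScriptInventory()
    inv.feed(html)
    if not inv.has_form:
        return []
    page_host = urlparse(page_url).hostname
    findings = []
    for src, has_sri in inv.scripts:
        if src is None:
            continue  # inline script: compare against a known-good copy instead
        host = urlparse(urljoin(page_url, src)).hostname
        if host == page_host:
            continue  # first-party file, covered by the site's own deploy checks
        if host not in allowed_hosts:
            findings.append(("unexpected-host", host, src))
        elif not has_sri:
            findings.append(("no-integrity", host, src))
    return findings

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, SAMPLE_URL, ALLOWED))
```

An "unexpected-host" finding means a script from a provider nobody approved can read the form; "no-integrity" means an approved provider's file could change without the browser noticing.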

Formjacking. It’s a new term but with the same old suspicious characters and dire consequences. Don’t be taken off guard or victimized. Be alert. Be smart. Be safe.

DKBinnovative is a Dallas-based managed IT and cyber defense firm that offers secure, reliable IT solutions to small and medium-sized businesses around the world who value productivity and security. Established in 2004, DKB acts as a company’s virtual chief information and security officer, whose role as a strategic partner and extension of its C-suite is to assist in planning, day-to-day execution, and future-proofing the organization. You can find more about DKBinnovative at

