Formjacking: How your card details are copied when you shop online

We all know to be wary of shady ATMs in dark corners, fearing someone has installed a “skimmer.” But what do you do when that device becomes invisible and moves to your favorite shopping site?

In 2026, this method is called Formjacking. It is a huge threat because it does not target your computer, but the store's website. At Altanet Craiova we want you to understand how this silent theft works, so you know how to protect your money.

What is Formjacking and how does the "digital skimmer" work?

Formjacking occurs when hackers manage to insert malicious code (a script) into the checkout page of a legitimate online store. The store is functioning perfectly normally, the products are real, and the payment appears secure.

However, the moment you enter your card number, expiration date, and CVV code and hit “Pay,” that hidden code makes a copy of the data and instantly sends it to hackers. It’s basically like having a thief looking over your shoulder while you fill out the form.

Why is it difficult to detect?

Unlike phishing sites (which are fake), in the case of Formjacking you are on the real, original site. The browser shows you the green padlock (HTTPS), everything seems fine. Even the store owner doesn't know, most of the time, that his site has been compromised, until customers start complaining about money missing from their account.

How do you protect yourself when paying online?

Because you can't see the code behind the site, you need to use payment methods that protect you even if your data is stolen:

• Use virtual cards (Disposable): Modern banking apps (like Revolut or those of local banks) allow you to create a virtual disposable card. After you have made the payment, the card self-destructs. Even if the hacker has copied the data, it is no longer valid after 5 minutes.
• Enable SMS/Push notifications: You need to know instantly if a transaction occurs that you didn't make. The sooner you call your bank to block your card, the better.
• Avoid saving your card to your account: While it's convenient to "Save Card for future purchases," if the store's database is compromised, your data is exposed. It's safer to enter it manually each time (using a virtual card).

To delve deeper into the subject and see examples of famous attacks (such as those of the Magecart group), you can read the technical analysis from Palo Alto Networks on Formjacking attacks.

Conclusion

Online shopping is great, but it comes with responsibilities. Don't just rely on a site being "famous" or "safe." Always use an extra layer of financial protection, such as virtual cards.

Do you have an online store and want to make sure your checkout page hasn't been compromised? We offer security audits and IT services to protect your e-commerce businesses. Visit our contact page and secure your customers' transactions.

This material is part of Altanet's educational series on digital security. Want to know what other risks you are exposed to this year? See Complete list of cyber threats in 2026.