Published: 03/09/2021


What is formjacking?

The term “formjacking” describes the fraudulent use of a company’s existing online forms to gain access to personal information, credit card numbers or even hacking a website. Hackers gain access by changing the HTML form action or form fields. They do this by intercepting the traffic between your web browser and the server that is hosting your online shopping site.

How formjacking works

Hackers change the homepage with a fake checkout page in order to trick users into divulging private information such as credit card numbers. This process bypasses the security measures that are already in place for your online shopping site. In addition, well-known systems can be hacked using formjacking to increase the fraudulent activity of cybercriminals.

Why are hackers targeting forms

The most common ways that a hacker may obtain your private information is by using key loggers or spoofing websites and email accounts. However, another popular way for hackers to steal an individual’s personal data is through the user’s web browser while they’re entering sensitive information on existing company forms. These existing company forms include but are not limited to:

  • Order forms
  • Login pages
  • Registration pages

Prevention tips for formjacking attacks

  • Make sure your web browser is up-to-date with all the latest security patches and updates
  • Only fill out online forms once you have made sure that there is a secure connection between your computer and company’s server which uses HTTPS encryption
  • Always look for “https” in the web address bar of the browser before entering any personal information
  • Refrain from clicking on links that appear suspicious
  • Always pay attention to the URL, if it is not a website that you are familiar with then don’t enter any of your personal information
  • Protect your Wi-Fi connected device by setting up a password for it or using WPA2 encryption

How to protect your customers from formjacking when you’re a website owner

  • The first step is to make sure your site uses HTTPS encryption. The “S” at the end of https stands for “secure”.
  • Every single one of your forms should be secure as well, which means that all form action and form fields should be using SSL encryption. Hackers can use an unsecured form to steal data from your customers if they are not careful when entering their information.
  • Make sure your contact forms and other similar types of online forms do not ask for sensitive data that is unnecessary in order to complete a transaction or request
  • Use CAPTCHA on registration, login and checkout pages to protect against automated spam submissions.
  • Have a company policy manual which states what actions should be taken whenever customers report phishing emails or if their accounts have been hacked. Make sure employees understand their role in protecting your customers from fraud
  • Inform customers about upcoming changes to your online forms which may affect the information they submit after an update.

Each website should provide their customers with a secure and positive customer service experience at all times. Never leave your site’s security up to chance, implement these tips into your site’s daily operations in order to protect both you and your customer.

The most common forms that are hacked by hackers

  • Login pages
  • Password reset form
  • Registration page
  • Order forms
  • Online payment systems (e.g. Paypal)

Examples of formjacking attacks

The most common example of formjacking is when a hacker accesses your personal social media account without permission. The hacker then changes the password to lock out the original owner while they wait for an unsuspecting user to share their login information on a fake version of the site.

Another example would be hackers spoofing websites in order to hijack users’ login credentials or steal credit card details. This type of attack often occurs after scammers send phishing emails which appear to be from companies that are well-known and widely trusted.

Frequently asked questions about formjacking

What is formjacking?

Formjacking is when a hacker modifies an online form (e.g. login page) that usually asks you for your sensitive information so they can obtain it instead of the intended website owner or site administrator.

How does this affect me?

If you are a victim of formjacking then hackers may get your name, email address, phone number, address, birthday and credit card information. They may also get access to other personal information such as your social security number or driver’s license details.

How do I protect myself from formjacking?

This can be difficult to avoid but here are a few prevention tips: make sure that your web browser is up-to-date with all of the latest patches & updates; look for “https” in the URL bar when entering sensitive information on an online form; refrain from clicking on links sent to you via email and if it isn’t a website that you recognize then don’t enter any financial details or personal data. Also look out for https in the URL bar before submitting any sensitive information.

How does it happen?

Many companies neglect to update their software and run outdated versions of them which can leave a website susceptible to attack. Hackers exploit these vulnerabilities to steal sensitive information or inject code onto the user’s device

What is the most common form that hackers target?

Login pages, password reset forms and registration pages are very commonly hacked by online criminals due to the fact that they hold valuable data about an individual such as passwords, social security numbers, home address and phone number – which all add up to a lot of money for cybercriminals who sell this data on underground boards on the darknet

Who has been targeted by formjacking attacks in the past?

Some examples include LinkedIn, Amazon, Kogan Mobile and Facebook.

What can I do if my personal information has been compromised?

If you are a victim of formjacking then contact the website owner of the site where you were submitting your sensitive data immediately to check to see if they have experienced an attack on their web servers and reset your password if it was linked to that particular website. Also, make sure that you change it on all of your other accounts and websites as well to be safe.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.