The internet is a minefield of identity theft threats: phishing emails, malware, and unsecure and spoof websites, just to name a few. Now, there's formjacking, a relatively new threat targeting your credit card and other personal information. And it can even happen on websites that appear to be legitimate and secure.
Here's what you need to know about formjacking, how it can affect you and what you can do to protect your information.
What Is Formjacking?
Formjacking is a cybercrime that can occur when hackers insert malicious code to collect data from website forms -- for example, a payment form you fill out to make a purchase online.
"This includes forms where a Social Security number might be entered, allowing a criminal to open new accounts," says Robert Siciliano, CEO of online security resources Credit Parent and Safr.me, "or forms where a credit card number is entered, allowing criminals to take over existing accounts."
Once you submit your information, the malicious code collects it and transfers it to the cybercriminal's servers. From there, your information can be sold and used to commit fraud.
Where Does Formjacking Happen?
Sticking to trustworthy websites is a good security practice, but it won't save you from formjacking. This crime can compromise even legitimate websites. According to the 2019 Symantec Internet Security Threat Report, an average of more than 4,800 new websites were compromised with formjacking code every month in 2018.
Those affected include household names like British Airways, Ticketmaster and Macy's, but it's typically small and midsize retailers that hackers target.
[Read: Best Cash Back Credit Cards.]
In many cases, a third-party form, such as a chatbot or customer review widget, can be the target instead of the main website. With British Airways, for instance, it was the payment processing gateway for the airline that was attacked, not the airline's website itself.
Whatever the method, formjacking can put your sensitive information and peace of mind at risk.
How Can Formjacking Affect You?
It's virtually impossible to tell whether your information has been stolen via formjacking because there's no change to your checkout experience when you're shopping online. That means you likely won't find out that your information has been compromised until after the fact.
How formjacking can affect you depends on the type of information the identity thief collects. "There's some data that can ruin your day, and there's some that can ruin your life," says Alex Hamerstone, practice lead of governance, risk and compliance for TrustedSec cybersecurity consultants.
These are some of the data points formjacking criminals may target and what can happen when the information falls into the wrong hands.
Credit card details. If someone manages to steal your credit card information, the threat is relatively low. Your credit card company may spot unauthorized transactions before you do, or you can report fraud and let the issuer take it from there.
"If someone gets my credit card, I don't really care because I'm not responsible," says Hamerstone. "They'll ship me a new credit card, and I'll get on with my life."
Many credit card issuers offer zero-liability fraud protection and will remove suspected fraudulent charges from your account while they run their investigation, so losing money isn't a major concern.
Your card issuer will typically send you a new card with a different number, which can be a pain if you've stored the old number for automatic payments. If you have any recurring charges on the card, you'll need to update your card information to avoid missing payments.
Address or phone number. People can't steal your identity with just your address or phone number. However, identity thieves can use them as a gateway to get more valuable information.
For example, they can use it to search a publicly available database to see if they can find more information about you. Also, when you call banks and other companies, they often ask you to confirm your name, address and phone number to verify your identity before giving out sensitive information about your accounts.
Finally, with your current address in hand, criminals could target you for address fraud. Address fraud occurs when thieves are able to change your address through the U.S. Postal Service, redirecting all of your mail -- which could potentially include personally identifiable information -- to an address of their choice.
[Read: Best Rewards Credit Cards.]
Social Security number. Formjacking primarily targets payment information, but it is possible for hackers to get your Social Security number if you enter it into a compromised form online.
Your Social Security number can be used to open new accounts, file a fraudulent tax return, submit false health insurance claims and more. Losing your Social Security number to an identity thief can be catastrophic, and it could take months or even years to recover fully.
How Can You Protect Your Credit Card and Other Information from Formjacking?
Because the websites you use and their third-party partners are often the target, there's not a lot you can do to prevent your information from being stolen. Websites should take steps to keep your data secure, but failures happen.
While you might not be able to stop formjacking before it starts, you can take steps to safeguard your personal information.
Always use credit cards when shopping online. When someone uses your credit card fraudulently, it's really the credit card company's money they're using, not yours. As long as you report the unauthorized activity before you make your monthly payment, no money ever comes out of your checking account.
That's not the case, however, when you use a debit card, which is tied directly to your checking account balance. While your bank may restore the stolen money while it investigates the fraud, it may not happen immediately, which can cause problems if you have payments coming up and don't have enough to cover them.
If your issuer offers virtual credit card numbers for online shopping, consider using those instead of your main account number. That way, your actual account number is protected.
Freeze your credit reports. Freezing your credit reports with all three credit reporting agencies prohibits anyone from viewing them, including creditors. So if thieves use your Social Security number to apply for a credit card or loan in your name, they won't have a chance to complete the underwriting process.
The only drawback is that if you want to apply for credit in the future, you'll need to request that the freezes be lifted with each credit bureau.
Another option is a fraud alert, which requires creditors to contact you to verify your identity before approving an application.
[Read: Best Low-Interest Credit Cards.]
Monitor accounts online. It's generally a good idea to check your monthly statement. But if someone has your credit card information, a lot of damage can happen in a month.
Don't wait for your statements. Check your accounts online regularly to make sure you recognize all of the most recent transactions. If that's too time-consuming, consider using an expense tracker app like Mint or You Need a Budget. Some of these apps have a direct import feature, which keeps you updated on all of your transactions across every account in one place.
"At a minimum, consumers should set up push notifications (on their phones) to be made aware of all credit card charges in real time," says Siciliano.
Set up electronic statements. To avoid the threat of mail fraud, set up electronic statements with all of your financial accounts. The same goes for any other account where you may receive mail containing sensitive information.
Also, consider opting out of preapproval offers for credit cards and other credit accounts. That way, if someone manages to redirect your mail, there's less of a risk they'll receive anything that could be used for fraud.
More From US News & World Report