Holiday Shoppers Face E-Skimming Threat as Fraud Rates Surge

Editorial

As holiday shopping kicks into high gear, experts are raising alarms about an emerging threat known as e-skimming. This tactic involves malicious JavaScript code that is injected into legitimate e-commerce sites, allowing cybercriminals to steal customers’ payment details during the checkout process. The Annual Payment Fraud Intelligence Report reveals that e-skimming is becoming increasingly prevalent, with incidents nearly tripling in 2024 compared to the previous year.

According to the report, over 11,000 unique e-commerce domains were newly infected this year, marking a record high. “Attackers implant JavaScript skimmers that run silently in your browser, capturing full card numbers, names, CVVs, email addresses, expiry dates, and other sensitive data in real time,” explains Marijus Briedis, Chief Technology Officer at NordVPN. This silent theft occurs without any warning, leaving shoppers unaware that their personal information is being compromised.

Understanding the E-Skimming Threat

What makes e-skimming particularly dangerous is its stealthy nature. Shoppers may browse and complete purchases without realizing that their data is being collected in the background. The Annual Payment Fraud Intelligence Report highlights that e-skimming is among the most effective methods for data theft. The rise in activity is largely attributed to the complex nature of modern checkout pages, which incorporate a mix of external code from various vendors.

These vendors, often trusted by merchants, include analytics tags, payment widgets, and marketing trackers. Unfortunately, this supply chain creates vulnerabilities. Malicious code can be disguised as legitimate scripts and run locally in customers’ browsers without detection. A single compromised vendor or outdated plugin can spread a skimmer to all stores utilizing that service, allowing the code to remain dormant or activate at specific times to capture sensitive data.
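A merchant-side check for the exposure described above, as an added example that is not from the report or the article: it inventories the external scripts on a checkout page and flags any third-party script that comes from an unapproved host or is loaded without a Subresource Integrity `integrity` attribute. The page URL, markup, hash value, and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample checkout markup; hosts and the hash value are placeholders.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<script src="/static/cart.js"></script>
<script src="https://pay.example/widget.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://analytics.example/tag.js"></script>
<script src="//cdn.tracker.example/pixel.js"></script>
"""
APPROVED_HOSTS = {"pay.example", "analytics.example"}  # hypothetical vendor allowlist

class ScriptInventory(HTMLParser):
    """Collect each external <script> as (absolute URL, integrity value or None)."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            # urljoin also resolves protocol-relative (//host/...) sources
            url = urljoin(self.page_url, attrs["src"])
            self.scripts.append((url, attrs.get("integrity")))

def audit_scripts(html, page_url, approved_hosts):
    """Return [(url, [reasons])] for third-party scripts that need review."""
    inventory = ScriptInventory(page_url)
    inventory.feed(html)
    first_party = urlparse(page_url).hostname
    findings = []
    for url, integrity in inventory.scripts:
        host = urlparse(url).hostname
        if host == first_party:
            continue  # served by the store itself, not a vendor dependency
        reasons = []
        if host not in approved_hosts:
            reasons.append("host not on allowlist")
        if not integrity:
            reasons.append("no integrity attribute")
        if reasons:
            findings.append((url, reasons))
    return findings

if __name__ == "__main__":
    for url, reasons in audit_scripts(SAMPLE_HTML, PAGE_URL, APPROVED_HOSTS):
        print(f"{url}: {', '.join(reasons)}")
```

A script that passes this check can still change if the vendor serves it without a pinned hash, so the "no integrity attribute" findings are the ones a vendor compromise would reach first.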

Once the attackers collect the stolen information, it enters a fast-moving underground economy. Stolen credentials are frequently sold on dark web marketplaces, where recent research from NordVPN indicates that payment card details can be purchased for as little as $9. Buyers often use these cards for quick fraudulent transactions, account takeovers, or other illicit activities shortly after the theft.

Protecting Yourself During Online Shopping

To safeguard against such threats, Briedis recommends several precautions for online shoppers. Utilizing a virtual or single-use card can help protect real card numbers during transactions. Payment services like Apple Pay and Google Pay offer tokenized payments that enhance security.

Consumers should avoid saving card details on websites, even those they trust, and disable browser autofill for payment fields. Installing a security tool that blocks malicious scripts and trackers in real time, such as Threat Protection Pro, can further enhance protection.

It is also vital for shoppers to remain vigilant for any unusual browser extensions or unexpected pop-ups during the checkout process. Regularly reviewing bank statements for unfamiliar transactions can help catch any unauthorized charges early.

As the holiday season approaches, awareness of e-skimming and other online threats is crucial for consumers. By taking proactive measures, shoppers can enjoy a safer online shopping experience while minimizing the risk of becoming victims of this growing form of cybercrime.
