How do you protect your clients from formjacking?

Without anyone noticing, a cyber criminal changes the entry fields on your website. When your customer places an order on your website and fills in their payment details, those details are sent directly to the criminal. The criminal then uses your customer's name and credit card information to start buying things for themselves. This sneaky type of cybercrime is called formjacking.

What is formjacking?

Formjacking means a hacker changes the entry fields of a form on a website, so that any information the visitor fills in also ends up with the hacker. Hackers do this by changing the code of the website. In this way they gain access to confidential information, such as credit card details, often without anyone being any the wiser. Using this information, the hacker can go shopping themselves.

Hard to detect

It is virtually impossible for a customer to detect formjacking. "And the bad news is that it is really difficult for entrepreneurs as well to spot if their entry fields have been hacked", says Erwin Hasenpflug, cyber specialist at Digital Trust Center. "But you can do a few things, I am happy to say."

Protect your customers

Hasenpflug gives a few tips to protect your customers from, among other things, formjacking.

  • Make sure your website software, including any plug-ins, is up to date. You can do this yourself, for instance once a month, or outsource it to an IT service provider.
  • Limit the number of personal details you ask for and choose payment methods like iDEAL, so that your customers do not have to fill in credit card details.
  • Run a periodic website security test. You can use an automated cyber resilience scan (in Dutch) for this. It will expose any weak spots in your security armour. Or get an ethical hacker to perform a penetration test (in Dutch). You can ask them to focus on certain security issues, such as formjacking.
  • Recognise unwanted adjustments to your website code. Perhaps you have some basic knowledge about source code. If you do, you may be able to spot changes yourself. Even so, it remains tricky, especially if you have a dynamic website. Discuss the options you have when it comes to checking for formjacking with your IT supplier.
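
One way you or your IT supplier could automate the last tip is to compare the checkout page as it is served today with an approved copy, looking only at where forms submit to and which scripts run. The sketch below is an added example, not a Digital Trust Center or KVK tool; the page URL, the sample HTML and all function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin

class _Collector(HTMLParser):
    """Records where forms submit to and which scripts the page runs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.items, self._inline = page_url, set(), None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":    # an empty action means "submit to this page"
            self.items.add(("form-action", urljoin(self.page_url, a.get("action") or "")))
        elif tag == "script" and a.get("src"):
            self.items.add(("script-src", urljoin(self.page_url, a["src"])))
        elif tag == "script":
            self._inline = ""    # start buffering an inline script

    def handle_data(self, data):
        if self._inline is not None:
            self._inline += data

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            digest = hashlib.sha256(self._inline.strip().encode()).hexdigest()
            self.items.add(("inline-script-sha256", digest))
            self._inline = None

def snapshot(html, page_url):
    """Set of (kind, value) facts about the forms and scripts in a page."""
    c = _Collector(page_url)
    c.feed(html)
    c.close()
    return c.items

def unexpected_changes(baseline_html, current_html, page_url):
    """Items present now that were not in the approved baseline, sorted."""
    return sorted(snapshot(current_html, page_url) - snapshot(baseline_html, page_url))

# Constructed sample pages; the example.test / example.invalid names are placeholders.
URL = "https://shop.example.test/checkout"
BASELINE = '<form action="/pay"><input name="card"></form><script src="/js/checkout.js"></script>'
TAMPERED = BASELINE + '<script src="https://cdn.example.invalid/a.js"></script><script>var x=1;</script>'

if __name__ == "__main__":
    for kind, value in unexpected_changes(BASELINE, TAMPERED, URL):
        print(kind, value)
```

This only sees the HTML of the page itself: a change inside an already approved script file keeps the same URL, so that file's contents need to be hashed and compared as well. On a dynamic website, inline scripts that differ per visit will show up as changes and have to be reviewed or excluded.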

Do you have a cyber question? Send it to kvk.cyber@kvk.nl.