Building upshot

About us

Latest Insurance News


Formjacking explained – Cyber risks and liabilities update

Cyber-risks and liabilities – Formjacking

As businesses increasingly rely on online transactions, cybercriminals have developed a scheme to exploit this process and steal sensitive information. This growing cyber-threat, known as formjacking, poses significant risks to businesses; it is difficult to prevent and can lead to major financial losses and reputational damage. This article provides more information on formjacking and offers tips on how to mitigate its risks.

What Is Formjacking?

Formjacking is a cyber-attack in which a threat ‘actor’ injects malicious JavaScript into a website, often one that contains an online payment form. Once the targeted page has been compromised, the added code allows the hacker to collect sensitive data, such as credit card numbers, addresses and phone numbers. This data is sent to the cyber-attacker’s domain after unsuspecting users enter their information and click “submit” to complete a transaction.

Malicious actors can then use the stolen data in identity theft schemes, payment card fraud scams and account takeover attacks or sell it to other criminals. Stolen information can also be used to create fraudulent accounts to distribute malware. The hacker’s code may be loaded through various methods, such as by exploiting a vulnerability in a business’s website, employing a phishing scam in which the cyber-intruder gains access to an organisation’s checkout page, or compromising a third party’s app or JavaScript used by a business.

The Risks of Formjacking to Organisations

Formjacking attacks can have severe financial consequences, including regulatory fines and penalties, as well as expenses related to remediation. Moreover, formjacking can damage an organisation’s reputation, as clients, vendors and other partners may lose their trust in the business due to cyber-security incidents. Formjacking is challenging to detect because the malicious code frequently changes, making it difficult for external scanners and firewalls to catch it. What’s more, there are no apparent signs of formjacking, and the intended transaction is not affected, making it difficult to identify and stop the scam. As a result, formjacking attacks can go unnoticed for a long time.

Mitigating the Risk of Formjacking

Although detecting malicious formjacking code and preventing attacks can be difficult, there are several measures businesses can take to identify potential issues and reduce the risk of it happening. Consider the following strategies:

  • Practice cyber-hygiene by keeping software, patches and extensions up to date. Establishing a content security policy and using firewalls and sub-resource integrity tags can also help prevent the injection of malicious data onto business websites and protect data. Additionally, complying with security standards and educating IT staff on the threats of formjacking are essential.
  • Scan and audit website code regularly to check its integrity. Monitoring and analysing web logs and JavaScript behaviour can help detect malicious activity, and checking where a browser is sending data is also key in stopping formjacking attacks.
  • Utilise cyber-defence techniques such as obfuscating JavaScript, which can make code more difficult for cyber attackers to understand. Implementing network segmentation can also limit network exposures and malicious actors’ lateral movement capabilities. An intrusion detection and prevention system can also help monitor potential threats and identify cyber-intruders.
  • Implement ongoing cyber-security measures, such as thoroughly testing websites before they are publicly launched, executing penetration testing to discover vulnerabilities, and monitoring the supply chain to ensure vendors whose code is being used follow cyber-security best practices.

Layering defences can also reduce an organisation’s vulnerability, and companies should consider leveraging artificial intelligence to help detect suspicious behaviour.


Formjacking is a cyber-threat that can significantly impact an organisation’s finances, operations and reputation. Because of this, companies should take steps to mitigate the risks associated with it.

Contact us today for more risk management guidance and insurance solutions.

Information provided by Zywave and contributed by Lisa Langley, Cert CII, Team Leader, Professional Risks, Cox Mahon Ltd.

This Cyber-risks & Liabilities document is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2024 Zywave, Inc. All rights reserved.