E-Skimming Newest Online Threat: NordVPN

As holiday shopping peaks, experts warn about e-skimming — malicious JavaScript code injected into legitimate e-commerce sites to steal customers’ payment data during checkout. This is the online equivalent of physical skimming devices found on ATMs or gas pumps.

What makes e-skimming particularly dangerous is its invisibility. Shoppers continue browsing unaware, and businesses often have no immediate indication that data is being collected in the background.

According to The Annual Payment Fraud Intelligence Report, e-skimming is one of the most effective methods of data theft. E-skimming activity nearly tripled in 2024 compared to 2023, with more than 11,000 unique e-commerce domains newly infected, marking the highest annual total on record.

“Attackers implant JavaScript skimmers that run silently in your browser, capturing full card numbers, CVVs, names, email addresses, expiry dates, and other sensitive data in real time, sometimes even before you finish the purchase,” said Marijus Briedis, CTO at NordVPN. “You can shop on a legitimate site and still have your details siphoned with no pop-up, no warning — just silent theft.”

Modern checkout pages load a mix of outside code — including analytics tags, payment widgets, marketing trackers, UX libraries, and A/B-testing tools. These vendors are trusted but rarely watched closely. That supply chain creates an opening for e-skimming — malicious code is delivered through the site like any normal script, and once the page loads, it runs locally in the shopper’s browser.

A single compromised vendor or outdated plugin can quietly spread a skimmer to every store that relies on it. Once present, the code blends in with legitimate scripts, allowing it to remain dormant or activate only for specific regions or hours to capture data. Theft can even occur before a customer presses the “Submit” button.

Once harvested, the data usually enters a fast-moving underground economy. Attackers typically sell stolen credentials on dark web marketplaces, and as recent NordVPN research shows, those payment cards sell for about the price of a movie ticket, approximately $9. Buyers then use them for carding (making fast, fraudulent purchases), credential stuffing, account takeover, or gift card laundering, often within hours of the theft.

“E-skimming succeeds by hiding inside the scripts stores rely on to function,” said Briedis. “Many merchants don’t have full visibility or control over those scripts that run in customers’ browsers, so injected code can run silently, steal full credit card details, and vanish without a trace.”

Briedis offered key precautions every shopper should follow to stay safe while shopping online:

  • Use a virtual or single-use card, a payment service that doesn’t expose your real card number, or tokenized payments (Apple Pay, Google Pay, etc.).
  • Never save card details on websites, even trusted ones, and turn off browser autofill for payment fields.
  • Install a security tool that blocks malicious scripts and trackers in real time, such as Threat Protection Pro.
  • Be alert for unusual browser extensions or unexpected pop-ups at checkout.
  • Regularly review your bank statements for unfamiliar transactions.

