A Guide to E-Skimming/Digital Skimming in eCommerce

Ecommerce is quickly becoming the preferred purchasing method for many consumers, with recently published data revealing over 55% of US customers would rather shop online than in traditional brick-and-mortar stores. This continued growth of the ecommerce industry has led to some experts predicting almost 25% of all retail sales will take place online by 2026.

While many factors have contributed to this increased confidence in online shopping among consumers, improvements made to website security practices have surely played some role. However, with global cyber-attacks increasing by a staggering 125% in 2021 alone, online retailers and ecommerce consumers may not be quite as safe as they previously believed.

Provided ecommerce businesses adhere to strict cybersecurity best practices and commit to regular site maintenance routines, many common cyber-attacks can be mitigated, but some hacking attempts are harder to defend against than others. E-skimming can be a particularly difficult form of cyber crime to identify and address, that is without the advice covered below.

What is e-skimming?

E-skimming is a form of cyber-attack in which malicious code is added to a web page by hackers for the purpose of stealing sensitive information. Also known as digital skimming, these attacks are designed to intercept a customer’s payment card details in real-time as they’re input into a site’s payment gateway, enabling criminals to access the user’s funds.

E-skimming can be particularly dangerous as hackers are able to intercept payment details almost immediately, with consumers unaware of the attack until their cards have been used elsewhere. Additionally, e-skimming attacks can affect well-known and respected websites if hackers locate vulnerabilities in their platforms, negatively impacting the retailer’s reputation.

Common digital skimming tactics

To protect ecommerce sites from e-skimming attacks, it’s important to understand exactly how they work. Typically, hackers will look for any weaknesses present in JavaScript and open source libraries, intending to inject malicious code into vulnerable third-party scripts.

Alternatively, criminals may attempt to take advantage of poorly-configured permissions or repositories to gain access to a website’s source code, or even try to convince an insider to grant access to a site’s source code in return for payment. Regardless of the main attacking method, e-skimming can be hard to spot as the code won’t usually change site functionality.

Common warning signs associated with e-skimming attacks include:

  • Complaints regarding fraudulent activity from customers
  • Noticing a new domain not registered to the targeted site
  • Identifying unverified changes to a site’s JavaScript code

How to prevent e-skimming attacks

While the above warning signs can help ecommerce website owners respond to e-skimming attacks in a timely manner, preventative measures should always be prioritized. By adhering to the following best practices, retailers can deter criminals from utilizing e-skimming tactics.

Use Secure Sockets Layer (SSL) certificates

By securing SSL certificates registered to an ecommerce site, business owners can ensure that all the sensitive information user’s input into hosted forms will be encrypted. This means any client details stored by the site will be unreadable without a corresponding private key.

SSL certificates also protect ecommerce sites from being fraudulently recreated by criminals, as only verifiable websites can be issued a visible SSL certification. This will be illustrated by a small padlock symbol displayed next to the site’s address in the user’s URL bar, alongside a HTTPS prefix before the domain name. Visible SSL certificates also act as an easy way to gain trust with consumers, with almost 70% claiming to avoid sites lacking an SSL certificate.

Enable Card Not Present (CNP) notifications

One of the most effective ways to deter and address e-skimming attacks is for e-commerce retailers to enable CNP notifications for all site-based purchases. CNP transactions occur when a purchase is made remotely without consumers manually entering their details into a payment form. Typically, this is how later purchases will be made using skimmed card data.

E-commerce retailers can defend against CNP fraud by programming checkout pages to ask for as much accurate client data as possible, including factors like expiry dates, card types and account numbers. Customers should also be advised to enable CNP alerts on their end, this way any suspicious transactions can be identified promptly and rejected by cardholders.

Implement network segmentation techniques

E-commerce businesses can reduce the severity of cyber-attacks such as digital skimming by implementing considered network segmentation techniques. In short, this describes the practice of dividing the business’ network into a number of smaller subnetworks, ensuring that even if one data system is compromised, related networks will remain suitably secured.

Utilizing different access control techniques can support this process, protecting each network behind unique credentials and pre-programmed rulesets to reduce the likelihood of hackers gaining entry. For example, access can be restricted to certain devices on verified networks using rule-based models, while mandatory models ensure access attempts are vetted in real-time.

Perform regular payment software updates 

One of the most common ways that hackers infiltrate private networks is via vulnerabilities in outdated software. Recently released data reveals, at present, as many as 95% of websites are running at least one application that’s affected by known vulnerabilities, with only 6% of modern sites found to be running fully updated and properly maintained software solutions.

E-commerce retailers can reduce the risks associated with e-skimming and digital skimming attacks by performing frequent software updates and site maintenance procedures. IT teams must schedule routine checkups for all key software suites, including payment systems, data storage solutions, order management systems and any other third party site applications.

Ensure compliance with PCI DSS standards

PCI DSS standards are designed to help online businesses protect cardholder information from being used fraudulently by cybercriminals. By adhering to the rules laid out in the PCI DSS standard, e-commerce sites can strengthen existing cybersecurity solutions to better identify and deter attempted cyber-attacks, making it harder for criminals to intercept data.

Drawing on information and research published by major payment card companies and cybersecurity experts, the 12 primary requirements for PCI DSS compliance are as follows:

  • Install and maintain firewalls to protect cardholder data
  • Do not use default passwords for internal systems or security applications
  • Protect stored cardholder data using access control solutions
  • Apply encryption to all transmissions of cardholder information
  • Use and frequently update antivirus and fraud prevention software 
  • Restrict access to cardholder data using access control models 
  • Monitor access to all network resources and cardholder information
  • Frequently test all security systems and cybersecurity processes
  • Maintain a considered cybersecurity policy accessible to all personnel

Offer continuous social engineering training

It’s believed as many as 98% of sophisticated cyber-attacks involve some degree of social engineering, whereby cybercriminals trick businesses and consumers into granting access to sensitive information and private systems. E-skimming attacks can also involve an element of social engineering, with fraudulent emails sent to targets containing malware applications. When links in these emails are followed, criminals gain access to private data and networks.

E-commerce businesses must provide internal teams with continuous training regarding new and existing social engineering attacks, deterring staff from opening suspicious messages. It can also be wise to host social engineering and general cybersecurity tips on e-commerce sites to ensure consumers are made aware of important information security best practices. 


With e-commerce and online shopping becoming increasingly popular among consumers, the frequency and severity of sophisticated cyber-attacks are also likely to rise. E-skimming and digital skimming attacks are of particular concern, causing significant financial harm to customers and negatively affecting the reputation of online retailers and e-commerce sites.

By adhering to strict cybersecurity best practices and committing to regular assessments and updates regarding website security, e-commerce businesses can protect cardholder data from digital skimming attacks. Provided businesses follow the guidance laid out above, e-commerce brands and their customers can protect themselves from e-skimming attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *