Key takeaways
Malicious code is being injected into legitimate e-commerce checkout pages, silently stealing payment details without any warning signs for shoppers or retailers.
More than 11,000 e-commerce sites were newly infected this year, making it the highest annual total ever recorded.
Compromised third-party scripts on checkout pages can capture full card numbers, CVVs, expiry dates, and personal details the moment the page loads.
Criminals quickly move harvested data to the dark web, where it’s used for fraudulent purchases, account takeovers, and other fast-moving cybercrime.
Using virtual or tokenised payments, avoiding saved card details, blocking malicious scripts, watching for suspicious browser behaviour, and checking statements regularly are your best defences.
We’ve all become comfortable shopping online, maybe too comfortable.
Click, add to cart, tap the card, done.
But what if your payment details were stolen even before you pressed the “Submit” button?
That’s not a theoretical scenario. It’s happening right now, quietly, invisibly, on perfectly legitimate websites Australians shop on every day.
And it’s part of a fast-growing threat that could cost consumers and investors far more than a few fraudulent charges.
Let me explain what’s going on and, more importantly, how you can protect your financial life.

The rise of e-skimming: the digital equivalent of an ATM skimmer
VPN providers like NordVPN are sounding the alarm on a sharp rise in e-skimming: malicious JavaScript code secretly injected into genuine e-commerce sites.
Think of those physical skimming devices that criminals once attached to ATMs.
Now imagine the same idea, but woven invisibly into a checkout page. No pop-ups. No glitches. No clues for you or even the retailer.
And the scale is staggering.
The Annual Payment Fraud Intelligence Report shows e-skimming activity nearly tripled in 2024, infecting more than 11,000 online stores, the highest ever recorded.
This isn’t amateur hacking. It’s industrial-scale theft.
How the theft happens before you ever complete the purchase
Modern checkout pages are surprisingly messy.
They’re cobbled together from dozens of external scripts: analytics tags, payment processors, marketing trackers, UX tools, and testing libraries.
These third-party vendors are trusted… but rarely monitored closely.
That’s where the opportunity lies.
If even one vendor in that chain is compromised, outdated, or poorly secured, malicious code can hitch a ride.
It runs in your browser the moment the page loads, quietly copying:
- Card numbers
- CVVs
- Expiry dates
- Email addresses
- Names
- Billing details
…sometimes before you’ve even submitted the form.
And once harvested, those details hit the dark-web economy almost instantly.
NordVPN’s research shows stolen cards sell for the price of a movie ticket, around $9.
From there they’re used for carding, account takeovers, chatbot-driven fraud, or rapid-fire purchases, often within hours.
The bigger problem: retailers often can’t even see the threat
As NordVPN’s CTO Marijus Briedis explains, merchants often have no visibility over the scripts running in customers’ browsers.
The malicious code blends in, hides in legitimate scripts, and disappears without leaving a footprint.
Even sophisticated retailers struggle to notice. So relying on them alone isn’t enough.
You need to take responsibility for protecting your own financial environment, just as you would with asset protection, estate planning, or wealth-building structures.
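For merchants who want the visibility described above, the sketch below inventories every script a checkout page loads and flags third-party ones that are not pinned with a Subresource Integrity (integrity) attribute. It is an added example, not code from NordVPN or any retailer; the sample HTML, host names and function names are constructed for illustration.

```javascript
// Constructed sample checkout page (not from any real site).
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay.example-processor.test/v3/sdk.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics-vendor.test/tag.js" async></script>
<script src="//ab-testing.example.test/lib.js"></script>
<script>window.cartId = "c-1001";</script>
</head><body><form id="pay"></form></body></html>`;

// List every <script> tag with its resolved URL, origin class and pin status.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    // Parse name="value", name='value', name=value and bare attributes.
    const attrs = {};
    const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] || a[3] || a[4] || "";
    }
    if (!("src" in attrs)) {
      findings.push({ src: null, kind: "inline", risk: "review" });
      continue;
    }
    const url = new URL(attrs.src, page); // resolves relative and // URLs
    const thirdParty = url.origin !== page.origin;
    const pinned = Boolean(attrs.integrity);
    findings.push({
      src: url.href,
      kind: thirdParty ? "third-party" : "first-party",
      // An unpinned vendor script can change without the merchant noticing.
      risk: thirdParty && !pinned ? "unpinned" : "ok",
    });
  }
  return findings;
}

// Convenience view: only the vendor scripts that could be swapped silently.
function unpinnedThirdParty(html, pageUrl) {
  return auditScripts(html, pageUrl)
    .filter((f) => f.risk === "unpinned")
    .map((f) => f.src);
}

console.log(unpinnedThirdParty(SAMPLE_CHECKOUT_HTML, "https://shop.example.test/checkout"));
```

Running it against each release of the checkout page and comparing the output over time shows when a new vendor script appears or an existing one loses its pin.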
Why this should matter to Australian consumers and investors
When you’re building wealth, whether through property, shares, or business, you need your defensive strategies to be just as strong as your growth strategies.
Your financial systems, identity security, and digital hygiene are part of that defence.
A compromised card is inconvenient. A compromised identity is costly. A compromised digital footprint is dangerous, especially when you’re active across multiple banks, lenders, service providers, and online accounts.
As we head into Australia’s peak summer shopping period, retail spending is expected to exceed $70 billion, and this is exactly when cyber-criminals ramp up.
How to protect yourself: practical steps that actually work
Here are the most effective safeguards recommended by cybersecurity experts, adapted for the way Australians shop and bank:
1. Use virtual or single-use cards
Many Australian banks now offer digital-only cards or single-use numbers.
Apple Pay and Google Pay also use tokenised payments, meaning your real card number is never exposed.
2. Avoid storing your card details anywhere
Even on “trusted” sites. And switch off your browser’s autofill for payment fields.
3. Add a security layer that blocks malicious scripts
There are tools that can prevent the script from loading in the first place, long before your details are touched.
4. Watch for unusual browser extensions or odd checkout behaviour
Strange delays, unexpected fields, or new pop-ups are red flags.
5. Monitor your bank statements like a hawk
Review weekly, not monthly. Fraudsters often test cards with small transactions first.
The bottom line
In a world where you can invest, bank, refinance, and even buy property online, protecting your financial identity is as important as choosing the right assets.
E-skimming may be silent, but its impacts are loud, from financial loss to identity theft to weeks of disruption.
Staying vigilant isn’t paranoid. It’s part of modern wealth protection.
And as with all smart financial strategies, the best defence is the one you implement before you need it.




