Types of fraud in business: a quick guide to web skimming

Digital skimming happens when a fraudster embeds a piece of malicious JavaScript code into the payment pages of an e-commerce website. Andy May, our Fraud Awareness Analyst, shares some best practice considerations for managing this business risk.

Security controls were often hastily put in place as businesses explored new ways to reach customers. The problem is that many of these controls fall short of accepted security standards, giving fraudsters the opportunity to target websites directly.

What is digital skimming?

Also known as web skimming, this is when a fraudster embeds a piece of malicious JavaScript code into the payment pages on an e-commerce website, effectively turning a legitimate website into a phishing page. It is like a digital version of ATM fraud, where criminals fit devices to cash machines in order to read the card data.

Web skimming scripts are designed to retrieve customer payment information such as card details. But fraudsters can also target websites to steal customer details and passwords.

It is considered a growing risk because fraudsters do not necessarily need cyber expertise to target a business in this way. If someone wants to buy a web skimming package, there are several dark-net marketplaces focused on the buying and selling of compromised servers.

Fraudsters continue to develop new techniques and tools

Our Fraud Threat Intelligence team have observed advancements including:

  • obfuscating skimmer code so that it bypasses static malware scanners
  • hiding scripts in favicon image data to avoid detection
  • masquerading fraudster-controlled domains as legitimate services
  • impersonating Facebook API pages.

Fraudsters are indiscriminate in the type of business they target. Increased reporting of web skimming campaigns shows that this kind of attack method is growing in popularity. And, as fraudsters are not targeting one specific group of businesses, it makes their next move unpredictable.

There could even be businesses that have been compromised and are unaware. Unlike some viruses and malware, which can slow systems down, web skimming can run silently in the background.
Be alert to risks and mitigate against a web skimming attack

There are several best practice considerations a business can follow to manage their website securely and minimise the risk of these types of attacks.

Guidance includes:

  1. Ensure operating systems, network software and antivirus software are updated to the latest version, and use of any outdated systems is discontinued.
  2. Hold discussions with your e-commerce platform providers to ensure they are regularly scanning the platform for malicious code, and review website logs for any irregularities.
  3. Regularly revise passwords and do not use the same one across multiple accounts.
  4. Use multi-factor authentication where possible, in your business and in the customer payment journey.
  5. Segregate payment system processing from other network applications to avoid the risk of widespread intrusion, should a breach occur.
  6. Use firewalls and employ prevention and detection systems where possible, to monitor for web skimming attacks.
  7. Limit network remote access where possible and continue to monitor for unusual activity.
  8. Back up your systems regularly and test that they restore correctly.
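One practical form of the monitoring in point 6, as an added example that is not part of the NatWest article: a small JavaScript check that takes the list of script tags collected from a checkout page and flags any that are inline, use data: or blob: URIs, or load from an origin outside an explicit allowlist. The allowlisted origins, the page origin and the sample script list are all constructed for the example; matching is on the exact origin, so a lookalike host such as cdn.shop.example.attacker.test is not accepted as cdn.shop.example.

```javascript
// Added example, not code from the article. In a browser the entries would be
// collected with: Array.from(document.scripts).map(s => ({ src: s.getAttribute("src"), inline: !s.src }))
const ALLOWED_SCRIPT_ORIGINS = [ // assumption: the shop's own CDN and its payment provider
  "https://shop.example",
  "https://cdn.shop.example",
  "https://pay.provider.example",
];

// Decide whether one script entry is acceptable on a payment page.
function classifyScript(entry, pageOrigin, allowed) {
  if (entry.inline) return { verdict: "flag", reason: "inline script" };
  let url;
  try {
    url = new URL(entry.src, pageOrigin); // resolves relative paths against the page
  } catch (e) {
    return { verdict: "flag", reason: "unparsable src" };
  }
  if (url.protocol === "data:" || url.protocol === "blob:") {
    return { verdict: "flag", reason: `${url.protocol} script` };
  }
  if (url.protocol !== "https:") return { verdict: "flag", reason: "non-https script" };
  if (!allowed.includes(url.origin)) { // exact origin match, no substring matching
    return { verdict: "flag", reason: `unexpected origin ${url.origin}` };
  }
  return { verdict: "ok", reason: "allowlisted origin" };
}

// Return only the entries that should be reviewed or alerted on.
function findUnexpectedScripts(entries, pageOrigin, allowed = ALLOWED_SCRIPT_ORIGINS) {
  return entries
    .map((e) => ({ ...e, ...classifyScript(e, pageOrigin, allowed) }))
    .filter((r) => r.verdict === "flag");
}

// Constructed sample of what a collector might report from a checkout page.
const SAMPLE_SCRIPTS = [
  { src: "/static/checkout.js", inline: false },                                  // first-party, ok
  { src: "https://pay.provider.example/sdk.js", inline: false },                  // allowlisted, ok
  { src: "https://cdn.shop.example.attacker.test/jquery.min.js", inline: false }, // lookalike host
  { src: "data:text/javascript;base64,Ly8uLi4=", inline: false },                // embedded payload
  { src: null, inline: true },                                                    // inline script
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findUnexpectedScripts(SAMPLE_SCRIPTS, "https://shop.example")) {
    console.log(`FLAG ${hit.src ?? "<inline>"}: ${hit.reason}`);
  }
}
```

Run the same check on a known-good snapshot of the page first, so that legitimate inline scripts can be added to a baseline instead of generating noise.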

Search Insights for more articles on protecting your business, such as ‘How to manage cyber risks across your supply chain’.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.