The idea
The name comes from the physical version. A skimmer is a device slipped onto a cash machine or a card terminal that reads your card while the machine still works exactly as it should.
The web version does the same job in software. Code is added to a real shop's checkout page. When you fill in the form, it copies what you type and sends a second copy somewhere else.
It is not a fake shop. It is a real shop with something extra running on it.
Why it goes unnoticed for so long
This is what makes it different from most scams, and worth understanding.
Nothing visibly changes. The checkout looks right, because it is the right checkout. The address bar is correct, because it is the correct site. The padlock is there, because the connection genuinely is encrypted. Encryption protects the data in transit. It does nothing about code running on the page itself.
Most importantly, your order goes through. You get the confirmation email. The goods arrive. There is nothing to complain about, so nobody complains, and the code keeps running. The shop owner finds out much later, usually when a card company works backwards from a pattern of fraud and points at them.
How it usually gets there
Rarely by someone breaking into the shop directly. Far more often through something the shop chose to load.
A typical checkout page pulls in scripts from several other companies. Analytics, chat widgets, reviews, tag managers, payment helpers, ad pixels. Each one is code from someone else running with full access to your page, including your forms.
Compromise one of those suppliers and you reach every site that includes it. The shop did nothing wrong that day. It just trusted a script that was trustworthy last week.
What site owners should do about it
The defence is to stop assuming that whatever loads on your page belongs there.
- →Set a Content Security Policy. This is the main one. It tells the browser exactly which sources are allowed to run code and where data may be sent, so injected code has nowhere to load from and nowhere to send to.
- →Audit your third-party scripts. Every one is a way in. Remove the ones you are not using. Most checkouts carry scripts nobody remembers adding.
- →Keep card details off your page entirely. A hosted payment field from your processor means the sensitive input is not yours to leak. This is also the shortest path through PCI DSS.
- →Watch for change. You want to know when the code on your checkout is not what you shipped.
- →Publish a security.txt. Researchers do find these. Give them somewhere to report it.
What shoppers can do
Honestly, not much by looking. That is the uncomfortable part, and it is worth being straight about it. You cannot see this one, and no amount of checking the padlock will help.
So the defence is in how you pay rather than what you spot. Use a method that puts someone between you and the loss. A credit card gives you chargeback rights. A payment wallet or a virtual card number means the shop's page never sees your real card at all.
Then check your statements. Skimmed details are often tested with something small before anything large. And if something does go wrong, our guide on what to do if you have been scammed online covers the order to do things in.
The wider signals still matter for deciding whether to shop somewhere at all. A free check will show you whether a site is looked after, and a shop that has its headers in order is a shop paying attention.
We have step by step instructions for every major platform, including the ones that will not let you.
See how to add a CSP