Thousands of online shoppers have potentially had their bank details "skimmed" on the checkout page of small business websites, GCHQ has warned.
The agency’s National Cyber Security Centre (NCSC), said it had uncovered more than 4,000 incidents where business websites have been unknowingly leaking customers' financial details to hackers.
The NCSC warned that the scam was happening mainly on the websites of smaller businesses where cyber criminals were able to exploit "vulnerabilities" in the software.
The warning comes ahead of this year’s Black Friday sales event – with Brits tipped to spend £9billion online over four days.
The NCSC is urging small businesses to ensure their payment software is up to date to make it harder for hackers to infiltrate.
Steve Barclay, Chancellor of the Duchy of Lancaster, said: "On Black Friday and Cyber Monday [Nov 29] the hackers will be out to steal shoppers' cash and damage the reputations of businesses by making their websites into cyber traps."
Skimming was traditionally the term given to cash machine fraud - where criminals fit ATMs with devices that can read victims' credit cards.
The criminals then use the card details and pin numbers to make purchases on the victims' accounts.
In the online version, hackers infiltrate businesses' software so they can see the card details that shoppers put in on the checkout page.
The NCSC said it had seen an increase in this type of scam since the pandemic, and had uncovered 4,151 cases since April last year.
It said that in most cases scammers had infiltrated the websites via a known vulnerability in a popular e-commerce software.
Sarah Lyons, deputy director for economy and society at NCSC, said: "I would urge all business owners to follow our guidance and make sure their software is up to date."
Graham Wynn, of the British Retail Consortium, added: "The cyber resilience toolkit for retail, produced in partnership with NCSC, is available on the British Retail Consortium's website for retailers to consult and boost cyber defences."
GCHQ says shoppers should be selective when shopping online and never share any more information than necessary.
If you regularly shop online, make a habit of checking your bank statements for unauthorised payments.
Where possible also aim to use a secure third party payment method such as PayPal or Apple Pay.
If you’re concerned that your details have been compromised, report it to Action Fraud immediately. Change your passwords and where your bank details have been exposed, notify your bank.
Consumer website Haveibeenpwned.com can also help identify whether your personal details have been shared online.
