Federal authorities have a consumer warning for shoppers. Hidden skimming devices (commonly thought to be attached to gas station pumps and ATMs) have gone high-tech.
"It's hard to put really — definite numbers around it. But one thing we know for sure is that millions of credit card numbers have been stolen, even over the course of the past two years," Herb Stapleton, section chief for the FBI's cyber division told CNBC.
This new type of skimming is called e-skimming or Magecart.
Cybercriminals can gain access to your personal and credit card information in a number of ways. They can break into a web server directly or break into a common server that supports many online shopping websites to compromise them all and once a site has been compromised, the shopper can't spot the difference.
"It's nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer," Stapleton said.
Randy Pargman is the senior director for threat hunting and counterintelligence at Binary Defense, an Ohio-based cybersecurity company that monitors companies' computers for signs of attacks.
The company won't disclose its clients but says many are in the retail sector.
More from Invest in You:
Meet the 'financial detective' who has saved NBA players from losing millions of dollars to fraud
How to protect yourself from a security breach
Sometimes it pays to have a credit card with an annual fee. Here's what to look for
Victims of e-skimming include Macy's, Puma's Australian website, Ticketmaster's United Kingdom website and British Airways. The companies did not respond to requests for comment.
"Any retailer that has a significant online presence that accepts online orders is definitely concerned about e-skimming," Pargman said.
For consumers, there are several things you can do to protect yourself when shopping online.
1. Always shop with a credit card instead of a debit card online. This lessens the inconvenience if your card is compromised, Pargman said. Credit card users usually have a lower liability for fraud. In addition, getting money returned to your debit card can take some time.
2. Consider asking your bank or credit card company for a virtual credit card. Not all banks offer it but many do. The virtual credit card is a unique credit card number to be used for specific transactions and for a specific merchant. If this number is compromised, other charges will be declined.
3. Monitor their cards for any unusual activity and report it right away.
While the FBI's Stapleton said e-skimming has been on its radar for nearly seven years, he said the crimes are growing because cybercriminals are sharing the malware online and becoming more sophisticated.
"If we put up a wall," Stapleton said, "they're building a ladder or a tunnel or a way to go around it."
SIGN UP: Money 101 is an 8-week learning course to financial freedom, delivered weekly to your inbox.
CHECK OUT: Get this new ID now, says travel expert: Soon 'that's the ID you're gonna need' to fly via Grow with Acorns+CNBC.
Disclosure: NBCUniversal and Comcast Ventures are investors in Acorns.
