What is Customer Journey Hijacking and How Can eCommerce Sites Prevent It?

April 14, 2021 - Ensighten
  • What is customer journey hijacking? It's when third-party code is used against you to divert customers away from your site.
  • Preventing it is difficult — existing IT security has no ability to control it as it happens on the client side, within the browser. 
  • How can you prevent customer journey hijacking with client-side web security?


Advertising is a lucrative business – in 2019, online advertising within the United States generated $124.6 billion in revenue, almost $20 billion more than the previous year. For a brand, advertising can be essential to their business, but today’s advertising is more than just simple impressions – it is about managing the entire customer journey.


We live in a world of data; everything we look at, touch or interact with generates data, which is captured by someone or something to be used for a myriad of purposes. Search the web for sneakers and watch as your social media feeds fill up with advertisements. However, these ads are different than they used to be – they are now tailored to you by using different bits of information that you have unknowingly provided.

When you shop online today, every step from your first page view to the thank you page following your financial transaction forms part of a journey, with each part being an opportunity for the vendor to upsell you or offer you something else.  

But with all the benefits and advantages that having access to a customer journey brings for a business, as with everything, there is always a criminal element looking to take advantage. 


What is journey hijacking?

Put simply, journey hijacking is the process of injecting something into the customer journey so that the entity injecting it can cause unwanted behavior. Consider the following example:

So how did this happen?

Quite simply, Jane had a rogue browser plugin that injected ads into certain websites – in this case the website of Top Outdoor Gear. When Jane added the boots that she picked out to her shopping cart, the rogue plugin injected an enticing ad into her journey, which then redirected her to another site – a site that was set up to look just like that of Top Outdoor Gear. 

The way in which this rogue browser plugin works is straightforward – it injects JavaScript into a website, and that JavaScript loads an advertisement from a remote location. The reality is that this plugin injects only about two to three lines of code, which is all that it takes to hijack a customer journey.

Customer journey hijacking is a serious problem for ecommerce websites, as it is almost impossible for them to control such attacks using regular IT security. Journey hijacking typically happens through rogue browser plugins or exploited third-party libraries – and while arguably the business is not responsible for the customer's financial loss and subsequent recovery problem, it has still lost a customer, and brand damage often occurs.


Preventing journey hijacking

As highlighted, preventing journey hijacking is difficult – existing IT security has no ability to control it as it all happens at the client side within the browser. The only real way to protect customers against this attack is to utilize client-side website security. 

Client-side website security is essentially code that is delivered alongside your own website code to a user’s browser and works to make sure that the site’s content is not being manipulated. Because this security code is delivered to the user’s browser, it can detect if something like a rogue browser plugin is attempting to inject an advertisement or a remote script, or even to steal customer data. Think of it as agentless security which is delivered and activated in real time.
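One way the detection described above can look in the browser, as an added example (not Ensighten's code and not a description of its product): a MutationObserver checks every element added after page load against an allowlist of origins. The Top Outdoor Gear domains, the injector domains and the function names are assumptions made for illustration.

```javascript
// Added example. Origins the site itself loads from (assumed, hypothetical values).
const ALLOWED_ORIGINS = new Set(["https://www.topoutdoorgear.example",
                                 "https://cdn.topoutdoorgear.example"]);
const WATCHED = "script,iframe,img,a"; // elements that can load or link to remote content

// Return a finding if the element points outside the allowlist, else null.
function inspectNode(node, pageUrl) {
  const tag = String(node.tagName || "").toLowerCase();
  if (!WATCHED.split(",").includes(tag)) return null;
  const raw = node.src || node.href;
  if (!raw) return null; // inline element: no remote URL to compare
  let origin;
  try {
    origin = new URL(raw, pageUrl).origin; // relative URLs resolve to the page origin
  } catch {
    origin = "unparseable";
  }
  return ALLOWED_ORIGINS.has(origin) ? null : { tag, url: String(raw), origin };
}

// Check each added node and its descendants: an injected ad often arrives
// as a wrapper <div> with the iframe or link nested inside it.
function inspectMutations(records, pageUrl) {
  const findings = [];
  for (const rec of records) {
    for (const added of rec.addedNodes || []) {
      const inner = added.querySelectorAll ? added.querySelectorAll(WATCHED) : [];
      for (const node of [added, ...inner]) {
        const finding = inspectNode(node, pageUrl);
        if (finding) findings.push(finding);
      }
    }
  }
  return findings;
}

// Browser wiring; skipped where no DOM exists (for example under Node).
if (typeof MutationObserver !== "undefined" && typeof document !== "undefined") {
  new MutationObserver((records) => {
    for (const f of inspectMutations(records, location.href)) {
      console.warn("element injected from unlisted origin", f); // report to your own endpoint
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}

// Constructed sample: plain objects standing in for DOM nodes in MutationRecords.
const SAMPLE_RECORDS = [{ addedNodes: [
  { tagName: "SCRIPT", src: "https://cdn.topoutdoorgear.example/app.js" },
  { tagName: "SCRIPT", src: "https://ads.injector.example/ad.js" },
  { tagName: "A", href: "https://top-outdoor-gear.example/deal" },
] }];
```

The observer here watches only added nodes; catching a later change to an existing element's src or href would need attribute observation as well.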

Ensighten’s client-side website security is the industry-leading solution for preventing client-side attacks, including web skimming, CSS injection, malicious ad injection and journey hijacking. Ensighten provides a cloud-based security platform which allows for simple configuration and application, comprehensive visibility and reporting, and a full feedback loop based on metrics analyzed by automated threat intelligence.




Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

