Very odd credit card breach

disneysteve

My wife got several emails in rapid succession last night from Raise.com. The first thanking her for her purchase. The second with the receipt for said purchase. The third with the code for the $60 Walmart electronic gift card she had purchased. Great, except she hadn't purchased a gift card.

Raise is a legit company and the emails were actually from them. I checked our credit card statement and the charge was there.

So someone got into her account, bought a gift card with our credit card, and that gift card was billed to us and sent to her.

Typically a breach is a charge for some company you've never heard of and you never get anything for it. This was odd since it's a real company and she actually got the card.

I called our credit card company right away and told them we hadn't made the purchase so they flagged it as fraud, blocked the card, and will be sending us a new one.

I have no idea what a hacker got out of the deal if we paid and received the gift card.
 
The hacker was planning on stealing it from your mailbox...

It was an electronic gift card, not a physical one.

That would be an awful lot of work though. They'd have to stake out our mailbox waiting for it to arrive, and then get it before we did. That doesn't seem at all practical as crime goes.
 
> It was an electronic gift card, not a physical one.
>
> That would be an awful lot of work though. They'd have to stake out our mailbox waiting for it to arrive, and then get it before we did. That doesn't seem at all practical as crime goes.

Very strange indeed. Might not hurt to keep a closer eye than normal on any other credit card and/or bank accounts you may have.
 
> It was an electronic gift card, not a physical one.

Maybe the hacker has access to your wife's email account, and was going to get the gift card info from there (along with other financial and personal account info)? Seems like a long shot, but otherwise I can't imagine why a bad guy would fraudulently order an e-gift card to be sent to someone else, to an account he has no access to.
 
Could be that they were running a test to see if they could use the card. Still, agree, seems like a weird way to steal from someone.
 
Sounds like they had access to both her credit card info and her email address. Scary and also strange, as you mention, that the e-card was sent to her and not the thief.
 
> Could be that they were running a test to see if they could use the card. Still, agree, seems like a weird way to steal from someone.

We thought that too. Maybe a test to see if it worked and if we noticed.
 
> So someone got into her account

Apparently someone got into something, and it would certainly worry me. If you haven't done so already, you should at least lock your credit with all the bureaus to prevent them from opening any accounts.

Also look at your recent usage of that credit card. It might give you a clue as to where the card number got stolen.
 
I would also change the password on the email address and add 2FA to it if it doesn’t have 2FA already.

A big successful scam in recent years here was to hack into small business email accounts, intercept invoice PDFs going to customers and change the bank details so payments went to the thieves’ bank accounts.
 
You have your credit bureau information frozen at all three major credit bureaus, right?

It's worth remembering that there are others besides the big three.

Experian, Equifax, TransUnion, Innovis, NCTUE, ChexSystems, probably more.

It's fairly easy (and free) to freeze your record at all of them.
 
> I would also change the password on the email address and add 2FA to it if it doesn’t have 2FA already.
>
> A big successful scam in recent years here was to hack into small business email accounts, intercept invoice PDFs going to customers and change the bank details so payments went to the thieves’ bank accounts.

That reminds me of a story I heard in the pre-internet, non-electronic banking days of handwritten deposit books.

A group of clever thieves had noticed the generic deposit slips all banks made available in their lobby for customers who forgot or ran out of the slips. Among other information, the depositor had to carefully write in his/her account number. The only big difference between those slips and the ones made out in the customer's name was a special account number encoded on the bottom of the slip, that flagged the deposit so that a human being would enter the account number written in by the depositor.

This group of scoundrels had a bunch of generic deposit slips made up with the account number of an account they had opened at a bank. They spent the morning slipping into bank lobbies and unobtrusively replacing the genuine generic slips with the ones with their personal account number encoded on them. Apparently, it took several days of customer complaints about missing deposits for the bank to figure out what had happened. By that time, the crooks had drained most of the money out of the account. I have no idea if they were ever caught.
 
I had a similar thing many years ago. I received something from Blockbuster where I did not have an account. I almost tossed it but opened it and it was a new membership complete with first order. A couple of other things had been already ordered to my address which were able to be stopped. Of course I got a new card and froze credit (I believe I needed a police report back then). Never figured it out. It seemed so pointless.
 
I wrote recently about someone accessing my credit card account. I changed my cc, debit card, email password, etc. Your post makes me think that it seems like a hacker's skill can access a cc account.
 
This is an example of a combined attack where a change of postal address is submitted at the same time various accounts and credit cards are opened fraudulently in your name.

If the timing is right, the gift cards and/or credit cards are mailed to your address but the postal service delivers them to the alternate address... usually an empty apartment or house. The thief picks up the stuff at the other address and you just think you got no mail. This is a very common ID theft issue.

To avoid this, check out USPS Informed Delivery and put a lock on address changes.
Also, make friends with your mailman because he/she typically sees this route change at the post office.

see also: https://consumer.ftc.gov/features/identity-theft
 
I had a Menard's CC hacked, except it never left my wallet or house. They did it by getting the CC numbers from a database.
Then made fake new CC with my number and spent over $1,000 at a couple of gas stations.
The CC company claimed to not notice the weird purchases. :facepalm:
 
> Maybe the hacker has access to your wife's email account, and was going to get the gift card info from there (along with other financial and personal account info)? Seems like a long shot, but otherwise I can't imagine why a bad guy would fraudulently order an e-gift card to be sent to someone else, to an account he has no access to.

Maybe they tried to change the ship-to address and it failed?
 
I know this has nothing to do with OP's issue. But it shows what I consider the carelessness of CC companies.

We just received a new CC for a long departed relative (over a year) and the card has the new feature of: "Your new card is activated and ready for use".

All we had to do was open the envelope :facepalm::facepalm::facepalm:
 
> This is an example of a combined attack where a change of postal address is submitted at the same time various accounts and credit cards are opened fraudulently in your name.
>
> If the timing is right, the gift cards and/or credit cards are mailed to your address but the postal service delivers them to the alternate address... usually an empty apartment or house. The thief picks up the stuff at the other address and you just think you got no mail. This is a very common ID theft issue.
>
> To avoid this, check out USPS Informed Delivery and put a lock on address changes.
> Also, make friends with your mailman because he/she typically sees this route change at the post office.
>
> see also: https://consumer.ftc.gov/features/identity-theft

Recently, I had many alert situations and found somebody was using my address to open a phone account. Also, I got a court letter at my address but for somebody else. The house next door was sold recently; I thought there was some mistake and didn't think about it seriously at the beginning. But when I looked it up, an LLC had bought the house. And later I had the cc account access event. So I reported to USPS the two ppl using my address. USPS is supposed to call me back, but nothing happened.
 
I got a snail mail yesterday from a small company I do business with telling me my credit card and address information could have been stolen. It is kind of rare these days to get such an admission.

The mail was specific about dates, and sure enough, the date they noticed "suspicious activity" was the date my card was used in an unauthorized manner. I was sure it was a different small company I used around that time and it turns out I was wrong.

Here's the thing: the last time I did business with the problem company was 7 months before the breach.

It just shows how impossible it is to narrow down the source of these hacks. This was a rare case where I could see the smoking gun point to the source.
 