Chewy Scam

SumDay

SumDay

Thinks s/he gets paid by the post
Joined
Aug 9, 2012
Messages
1,862
Interesting new scam. If you don't have pets, Chewy is an online petfood, toy & drug provider for our furry friends. We've used them for years. I'll provide the Cliff notes for those not wanting to read the whole sordid story.

Cliff Notes: Some unscrupulous Ebay sellers are selling pet food on eBay. As soon as they get the order, they hack into Chewy and charge it to some unsuspecting fool's account and then have it drop shipped to the buyer, at zero cost to the eBay seller. They are selling at a discounted price, and get 100% profit.

Long story: Last week, my email began blowing up with notices from Chewy, asking if I wanted to change my address, then another asking if I wanted to change my password, then another address change. I had over a dozen like this in rapid succession, so I called Chewy. Their fraud department was already on it, as was my credit card company. One of the attempted shipping addresses was in Ralls, TX, so I called their police department. It's a tiny town, and the sheriff is neighbors with the occupant. (can't make this stuff up). Turns out her husband passed away last week, so she was afraid his identity had been hacked. To keep this long story short, she had ordered cat food from Ebay, and this Ebay seller is selling pet food at a discounted price, hacking into Chewy accounts to place orders, and having it shipped to the buyer. He gets the money, and Chewy is out the pet food. So, keep those passwords unique and hard to guess. The end of my cautionary tail (pun intended). What people won't do to get a job...
 
Last edited:
Interesting scam. I would hope Chewy would work with the victim's credit card company and could trace the money transfers back to the ebay seller and find out who the scammer is quite quickly.
 
Qs Laptop said:
Interesting scam. I would hope Chewy would work with the victim's credit card company and could trace the money transfers back to the ebay seller and find out who the scammer is quite quickly.
Click to expand...

I suggested this to Chewy after I spoke with the unsuspecting eBay buyer. They are very tight lipped about how they're handling this. Apparently they were hacked in June and have hired a new tech security firm to beef things up. I have an auto-subscribe delivery set up with them, and will be changing that to an as needed order so I don't have to store my card # with them.

I found a thread in Reddit discussing this very issue, and as one rotten seller is caught, two more pop up.
 
SumDay said:
I found a thread in Reddit discussing this very issue, and as one rotten seller is caught, two more pop up.
Click to expand...

Yes, I presume these scammers sell their knowledge of how to do this to other scammers.
 
The scammers probably access Chewy accounts because users re-use passwords on different sites. Despite my harping on it, DW reuses passwords. So far, not hacked, but it wouldn't surprise me if it happens.
 
This confirms my intuition that storing credit card numbers with retailers is not a great idea. I avoid it where possible and this reinforces my decision. Thanks for the good info.
 
Thanks for the information. I use chewy automatic ordering.
 
Good info. I strengthened my password and deleted my cc info with them. I hardly ever use them anymore. Wanted to delete my acct but couldn't find a way to do so.
 
We are on auto ship with a virtual cc number and a unique password
 
My guess is that nothing is done. It is a 'small dollar' crime individually... so unless they were able to find some large criminal it will just be written off..


And the newer prosecutors do not want to do small crime anyhow.. so even if they knew who it was still nothing...


The question is who takes the loss...
 
MBAustin said:
This confirms my intuition that storing credit card numbers with retailers is not a great idea. I avoid it where possible and this reinforces my decision. Thanks for the good info.
Click to expand...

The workaround I use for storing cc numbers is to use a "virtual card number" that is only good at that one retailer. Capital One offers it, I don't know if any others do. On one occasion someone did try to use one of those numbers at a different site, and it failed of course, so I simply canceled that "virtual card".
 
Walt34 said:
The workaround I use for storing cc numbers is to use a "virtual card number" that is only good at that one retailer. Capital One offers it, I don't know if any others do. On one occasion someone did try to use one of those numbers at a different site, and it failed of course, so I simply canceled that "virtual card".
Click to expand...



+1

I use the Cap One system also.
 
I'm not really clear on how the scam works, but it seems most likely the incident Chewy mentioned to the OP over the phone was some sort of breach which disclosed Chewy's customers' information.


In other words, I doubt they guessed the password, either using brute force or by hacking some other site and trying the same password on Chewy. Far more likely they started with information stolen from Chewy.


If this is the case, changing your Chewy password and removing any stored credit card information would be a good first step, but it's sort of closing the barn door after the horse has bolted. If CC information was stolen then new card numbers should be issued to the victims. This could get costly for the merchant and Chewy may be reluctant to admit the extent of the breach.
 
CaptTom said:
If this is the case, changing your Chewy password and removing any stored credit card information would be a good first step, but it's sort of closing the barn door after the horse has bolted. If CC information was stolen then new card numbers should be issued to the victims. This could get costly for the merchant and Chewy may be reluctant to admit the extent of the breach.
Click to expand...

Is it? Out of probably excess caution I changed my pw and my virtual card number is locked to Chewey. I think any current threat is resolved although it would be nice if more merchants had 2 factor of some sort.
 
In any event it seems Chewy could easily detect a large number of orders for various customers originating from a single (or small group) of PCs. If I change Browsers I usually require additional authentication to log into most accounts. My guess is that this is a tiny problem and Chewy is thinking it will blow over. Spread the losses to all the other customers. Ebay could stop this instantly.
 
My local newspaper recently warned of a growing "chage-of-address fraud." Fraudsters were submitting fake change of address forms to the post office (which is supposed to verify identities, but sometimes slip up - I suppose someone could find a discarded bill or similar) and then have mail, including sensitive personal info, sent to the new address. The article said that the Post Office's "Informed Delivery" was a good check on this, and I signed up.
 
Yes, I can no longer make temporary change of address or hold mail without signing in to my informed delivery account.
 
Our adult daughter filled out a change of address and USPS sent a mailed alert to the old address. Seemed like a good precaution
 
RetMD21 said:
Our adult daughter filled out a change of address and USPS sent a mailed alert to the old address. Seemed like a good precaution
Click to expand...



That’s the way it has always worked AFAIK. I don’t recall needing to show ID. I’m aboit tp find out.
 
jazz4cash said:
That’s the way it has always worked AFAIK. I don’t recall needing to show ID. I’m aboit tp find out.
Click to expand...

So why are they saying fraud is growing if the confirmation mailing is in place? I have informed delivery anyway, just because it is convenient.
 
RetMD21 said:
So why are they saying fraud is growing if the confirmation mailing is in place? I have informed delivery anyway, just because it is convenient.
Click to expand...

I guess it doesn’t prevent it, just informs someone that their address has been changed. Someone can’t change my address online without signing in via informed delivery login, but they could still submit the paper form. I don’t know how the post office handles that case.

I notice most of my neighbors still use paper forms for dealing with the post office even though online methods have been available for a very long time.
 
I noticed that Chewy won't show you a full cc number so a miscreant must have access to your account to do this. I don't know if they were hacked but I have reclosed the barn door
 
You must log in or register to reply here.

Similar threads

easysurfer
I've Called It Quits From Selling on Ebay
2 3
Replies
50
Views
5K
COcheesehead
C
easysurfer
Ebay Order - Well, that was fast!
Replies
1
Views
434
Sue J
S
aja8888
Show off your dog..or other pet..and how well he/she is treated (and fed)!
2 3
Replies
65
Views
2K
Venturer
Venturer
jollystomper
Financial Advice Columnist falls for $50K scam
4 5 6
Replies
134
Views
11K
Koolau
Koolau
Chuckanut
Wendy's to add surge pricing to menu items.
6 7 8
Replies
179
Views
6K
MuirWannabe
MuirWannabe

Latest posts

Back
Top Bottom