Here’s a little story of fraud and imagination with a few
important lessons regarding security…
This story starts in a roundabout way with a missing
checkbook. If you are one of those
people who travel a lot, you realize how often you are looking for a missing
item. Several months ago on one of our
many trips between our two houses, a checkbook was misplaced. We looked at Mike’s house, tore apart his car
and had my mom search her house all to no avail.
To this day Mike is convinced that his Dodge Nitro ate the
checkbook and it will eventually turn up, but he took precautions
nonetheless. He reduced the balance in
this account to $400, and he moved recurring transactions to another checking
account. Several months went by, and
there was no sign that anyone had the checkbook.
Last Thursday night while doing some online banking, Mike
discovered that the balance in this checking account was now zero. He looked online
for a copy of the check and instead found two PayPal transactions. He then viewed his PayPal account and
realized that his account initiated these purchases.
Being the helpful wife that I am, I asked if had forgotten
about some purchase he had made recently using PayPal. When he located the payee on these
transactions and went to their web site, he promptly informed me he had not
purchased a prom dress!
Next began a whole weekend of phone calls to the bank to
prohibit transactions on this checking account and to PayPal to report
fraud. Fortunately everyone assured him
that the $400 would be refunded to his account.
Here’s where things really got kind of funky…
Thinking now that this was not about his missing checkbook
but that someone hacked into his PayPal account, Mike wanted to change his
password. Talking with PayPal customer
service early Friday morning, they said they would send him an email with
information regarding these two transactions.
Mike checked throughout the day on Friday, and he didn’t receive their
email. Being slightly paranoid, he
continued to check out things on his computer.
I told him it was just like CSI except he wasn’t using Q-tips!
His next comment was “you won’t believe this, but I found
the email from PayPal in my sent box”. He
also found several other emails that he had not sent. He called Yahoo to discuss a possible mail
problem. During their trouble shooting,
they asked him to check mail filters.
Much to his surprise, Mike found 3 filters directing incoming email from
PayPal, EBay, and the prom dress store to be put into his sent mail folder
instead of inbox. He suddenly realized that someone had hacked
his email to hide these fraudulent transactions!
The plot thickened as he read the emails in his sent box…
The prom dress store sent an email to Mike asking about the shipping address
being different than the billing address.
They asked for some documentation proving the identity of Mike as the
purchaser. The ‘perp’, posing as Mike
and using his email, sent the prom dress store a copy of ‘Mike’s Verizon
bill’. This bill, which we had never
seen before, had Mike’s postal address pasted in, and it included a phone
number that was not Mike’s cell phone number.
So now the real paranoia sets in. Someone has hacked your PayPal account, made
purchases from a store in China and hacked into your email to cover up the
transactions. Mike proceeded to spend
many hours changing passwords on every account possible, deleting email
filters, providing documentation to PayPal and doing more investigation.
Here’s what he found through a whole series of web
searches.
The prom dress store was located in China. The emails sent from
his account included a name and phone number.
The phone number had a Santa Barbara prefix.
The name signed on the email was the same as a past
president of Vietnam, and judging from the number of people with this name, it
was a popular name. Surely all this information was bogus, but coincidentally,
we had just vacationed in Santa Barbara…
So, there is our tale of attempted fraud. Our imaginations went crazy these past few
days. Why buy prom dresses from China? Or was this really a money laundering
company? What is the China connection
anyway? Was it a person or a ‘bot’ that
hacked into Mike’s accounts? Why put
emails into the sent box instead of deleting them? Why include a name and phone number on the
email sent under Mike’s name? Was this a
mistake or by design? Did the use of Mike’s
iPad in Santa Barbara have anything to do with this? Is there anything else we should be worried
about?
Ok, finally the lessons learned from all of this:
1.
Don’t use your email password on any other
account as email may not be secure with mobile devices. Turns out Mike had the
same password for email and PayPal.
Oops!
2.
Change passwords frequently and make them
difficult, especially if the user name is your email address.
3.
Check your online bank and credit card
transactions frequently to insure they are legit.
4.
If you find something suspicious, report it to
your financial institution ASAP which gives you better chance of a refund.
5.
Review whether email filters are in place.
6.
Review your sent emails to make sure you sent
them.
7.
Be slightly paranoid about your computer and
file security.
8.
Don’t be afraid to indulge in a little
international intrigue…
Diane