Please explain this fraud
July 19, 2015 3:02 AM

A fraudulent order was placed on the Apple online store using my partner's credit card, contact info, and secondary/Apple ID. Please help us figure out how and why this happened, and what else we need to do to protect ourselves.

Here's what happened to me and my partner:
- 5 days ago we began receiving excessive spam (>19k since then) on a gmail account that we use only for providing to online retailers and as an Apple ID only for using with GameCenter to play two specific games. The name on the Apple ID is a mash-up of our first and last current and prior names. No address or payment info is stored in the Apple ID. The spam was entirely nonsense with no links.
- We removed the gmail account from our iPhones so we would be able to see mail coming in on our primary gmail addresses with the intention of dealing with it when we return home from business travel (partner and I were on travel to different locations but work for the same very large U.S. defense contractor). We cannot access personal email from our work computers and did not have personal computers with us.
- unbeknownst to us, ~3-5 hours after the spam started two unlocked iPhone 6s of different models (different colors and storage, neither are 6plus) were ordered under the Apple ID with my partner's real name, address, phone number, and credit card (none of which are stored in the account), plus a female's name. I'll call her Sarah Smith (not the real name used). We've never met anyone with this name and don't even know if it's a real person's name. Apple sent a confirmation email but it was buried in the pile of spam and we had removed the email from our phones. The next day Apple sent another email saying thank you for providing the additional information and the order can now be shipped. It didn't specify what the additional info was.
- last night, I began cleaning up the spam (selecting the messages and flagging as spam) while my partner researched why the spam might be being sent. He read an article indicating it can be used to hide fraud by burying order confirmation emails, so he immediately began checking our credit card and online banking accounts. About the time he saw a $1500+ charge from the Apple online store on the Amex, I came across the order emails from Apple.
- we logged into the Apple ID and saw the order with my partner's contact info for the billing and shipping address, along with Sarah Smith's name only. We tracked the package and a shipping change had been processed on the day it was to be delivered (3 days ago). No delivery attempts to our home had been made. The package was still being held at a UPS facility.
- We immediately called Apple, UPS, and Amex. Apple initiated a shipping inquiry which they said would take ~24 hours to process. UPS assured us that, unless Sarah has a government issued ID with our address she would not be able to pick it up. She said we could pick it up since we have drivers licenses with our home address even though our names are not Sarah Smith (we haven't done this and don't plan to). UPS will send the package back if it's not picked up in 5 business days from the day the delivery change was processed. Amex canceled the card, is sending a new one, and initiated a fraud investigation on the charge.
- we submitted a report to the Internet Crime Complaint Center. We plan to go to our local police today (no idea if they deal with this kind of thing). We live in the U.S. in one of the largest cities. We are changing our passwords on all related accounts.
- there have been no other suspicious charges on any credit/banking accounts.

Other possibly relevant info:
- partner's phone has Apple Pay enabled but the only card linked is my Amex (not his which was used for this fraud).
- our car was broken into when on vacation (about 2 weeks ago) and we discovered that someone had removed the change from the cup holder and everything from the center console (which wasn't much of anything, certainly nothing with the email/Apple ID and credit card number). Nothing appeared missing from our glove box or other parts of the car. We didn't file a police report since only ~$3 was taken and damage was minimal. We park on a city street in a densely populated residential area.
- partner left his credit card at a restaurant about 2 weeks ago and it was at the restaurant overnight. We've only been to the restaurant twice and haven't provided them an email address or contact info (other than what they can get from credit card processing).
- we are likely victims of this security breach (the one in June). We aren't able to sign up for the free credit monitoring our employer is providing but will as soon as it is available (likely next week).
- we have been able to identify a handful of major online retailers that have all the necessary info (credit card number, this specific email, partner's name/address/phone), but typically our online accounts have a mix of this info and other (e.g. different credit card, my name, etc.). Home Depot is one of them, and they have emailed us that our email was compromised but assured us no payment, login, or contact info was compromised.
- we are very careful about not falling for phishing scams. Our employer provides lots of training on operational security (both personal and at work).

The why is really bugging us. Is Sarah a real person and does she think she will be able to pick up the phones? If she's someone local, how hard is it to instigate the spamming? Are these even related or just a coincidence? Why would she input partner's contact info and credit card into this Apple ID when it wasn't already there (rather than setting up a separate account to use with this purchase on his card so we wouldn't receive the confirmation emails, or inputting her address for shipping)?

Are there any other authorities we should report this to? Any other actions we should take?
posted by anonymous to Computers & Internet (4 answers total) 3 users marked this as a favorite
 
I'm not familiar with specific Apple-related hacks, but given the extensive list of major companies that have been hacked in 2014, with more coming to light in the last few days (CVS Photo, Costco Photo, Walmart Canada Photo, who are all served by PNI Digital Media of Vancouver), I believe that people are combining information from the various leaks to try and cross-reference the hacked information. For instance, unique information like email addresses or mailing addresses can be used to associate information from various hacked databases, potentially giving access to other accounts.

Since there's a ton of this information floating around now, I'm sure there are plenty of people running scripts to automate such efforts, then farming out real world pickups. The spam overload makes sense for just the reason you mentioned - bury the confirmation emails in a flood of spam, in the hope that you won't pick those few emails out. I'm not familiar with Apple's usual practices with deliveries, but unless someone is required to sign for the delivery, it's easy enough to pick a random drop location that could be monitored from a distance, and the package could be picked up if someone thought no one else was watching.

It looks like you've contacted the right people, though other MeFites might have more ideas on that front. Otherwise, monitor all your cards on a daily basis for a while, and set up filters for your emails. Instead of trying to filter out the spam, you could filter out the known important emails, so you don't miss anything else if there's another torrent of spam.
posted by filthy light thief at 6:44 AM on July 19, 2015 [1 favorite]
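The allowlist approach suggested in the answer above, as an added example that is not part of the original thread: rather than classifying the flood, it surfaces mail from known important senders and flags hours with abnormal volume. The sender domains (`shop.example`, `bank.example`), the hourly threshold, the receiving host `mx.example` and all sample messages are constructed assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

IMPORTANT_DOMAINS = {"shop.example", "bank.example"}  # assumed allowlist
FLOOD_PER_HOUR = 50                                   # assumed threshold

def is_important(msg):
    """Allowlisted sender domain AND a DMARC pass recorded by our own server."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    listed = any(domain == d or domain.endswith("." + d) for d in IMPORTANT_DOMAINS)
    # From: alone is spoofable; only trust the Authentication-Results header
    # added by the receiving mail server, never one supplied by the sender.
    auth = msg.get("Authentication-Results", "").lower()
    return listed and "dmarc=pass" in auth

def triage(raw_messages):
    """Return (hours whose volume exceeds the threshold, important messages)."""
    per_hour, important = Counter(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        when = parsedate_to_datetime(msg["Date"])
        per_hour[when.strftime("%Y-%m-%d %H:00")] += 1
        if is_important(msg):
            important.append((when, msg["From"], msg["Subject"]))
    flood_hours = sorted(h for h, n in per_hour.items() if n > FLOOD_PER_HOUR)
    return flood_hours, sorted(important)

def make(frm, subject, date, dmarc):
    return (f"From: {frm}\nDate: {date}\nSubject: {subject}\n"
            f"Authentication-Results: mx.example; dmarc={dmarc}\n\nbody\n")

def sample_mailbox():
    """Constructed data: 60 junk mails in one hour, one spoof, one real order mail."""
    msgs = [make(f"x{i}@junk{i}.example", "asdf qwer",
                 f"Tue, 14 Jul 2015 10:{i:02d}:00 +0000", "none") for i in range(60)]
    msgs.append(make("orders@shop.example", "Verify your account",
                     "Tue, 14 Jul 2015 10:30:00 +0000", "fail"))
    msgs.append(make("orders@shop.example", "Your order confirmation",
                     "Tue, 14 Jul 2015 13:05:00 +0000", "pass"))
    return msgs

if __name__ == "__main__":
    flood, important = triage(sample_mailbox())
    print("flood hours:", flood)
    for when, frm, subject in important:
        print(when.isoformat(), frm, subject)
```

A flagged flood hour is the cue to check card and bank activity directly instead of waiting for the inbox to be cleaned up.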


Most likely you have fallen victim to a Phishing scam to an email that looked as if it came from Apple / iCloud etc., therewith giving away your username and password to the criminals.

The best way to prevent this is to enable 2 Step Verification / Authentication wherever you can!
posted by Mac-Expert at 8:44 AM on July 19, 2015 [2 favorites]


19k emails in 5 days? that's not just subscribing you to a bunch of lists - that's someone using a dedicated net to target exactly you. wow. i'd be worried there's something else you've missed. i guess you've checked all cards?

i don't think you have much chance of double-guessing how it happened. my partner once made a typo entering her bank's name, ended up on an identical looking site (but without https) and entered her username and password. we only picked that up because the attack followed so quickly we could look at the browser history. it's easy to make a small mistake.

what happens if the phones are picked up? if that would harm you, then i would consider picking them up myself and returning them.

apart from two step validation, you may also be able to enable things like sms alerts from your bank for certain transactions.
posted by andrewcooke at 11:21 AM on July 19, 2015


IMHO, they already have your hubby's credit card and address, and the spam is just to verify you are NOT home to contest the package, and to bury any official mail under a ton of spam.

What will often happen is they will park near your house, and when they see UPS truck pull up they will just run up to your door and "Ah, I've been waiting for this!" and "sign" for the package (UPS and Fedex drivers generally do NOT check ID) and take it back to their car and disappear. Obviously this won't work if you're there.

I'd suspect your husband had his card "cloned" or info stolen previously on his travels and they waited months to make sure the "leak" can't be traced.
posted by kschang at 11:28 AM on July 19, 2015

