Yesterday, I woke up and checked my phone, and I saw a text message from PayPal notifying me of a $200 payment to walmart.com. I was pretty sure that I had not visited walmart.com and purchased anything while I was sleeping, these purchases were made at 5:02 am, a full two hours before I woke up.
The first thing I did was check my Paypal account, and indeed there was a $200 charge from Walmart. The second thing I did was log into my Walmart online account, and indeed there were two $100 Google Play Store gift card purchases. Fortunately, I was on it very quickly, so I managed to cancel the order, and the $200 was refunded to my credit card. After this, I immediately changed the password, as I had not used the Walmart account for quite some time and it was using an old compromised password.
I did wonder why I never received an email notification of this purchase, so I checked my Gmail and nothing was in my inbox, then I checked my trash mail folder and to my surprise I find a bunch of Emails from BestBuy.com notifying me of multiple purchases of Google Play Store gift cards. The fact that these were in my trash mail folder indicated that my Email had also been compromised.
This was not your average fraud, whoever did it was smart enough to set up rules in my Gmail, so the purchase notification Emails skipped my inbox, going straight into the trash folder, meaning I did not get a notification on my phone. I never did find the Email from Walmart, so I guess they must have deleted this from my trash folder before I got in and changed my password, which was randomly generated by LastPass using 16 characters, a mixture of upper, lower case, numbers and special characters. This is concerning as it wasn’t a password that could be guessed, even I could not remember it without LastPass.
In addition to changing my password, I also enabled 2-factor authentication on my Google account, for an extra layer of protection, meaning any future fraudster would need to have direct access to my phone for the second layer of the authentication. I feel kinda stupid, I should have enabled 2-factor a long time ago, but I thought that it was an inconvenience and that I was safe with a strong password, so felt it unnecessary. I also enabled 2-factor on the other accounts that I know to have been compromised.
The BestBuy.com purchases seemed to have gone through and I see the code that was sent to my Email address, although now 24 hours later I don’t see any charges on my Best Buy credit card, to which the Play Store purchases were charged. So I wonder if I caught it before the fraudster had time to redeem the Google Play Store digital codes. I will have to keep an eye on it and take appropriate action if the $150 charge does appear in the recent activity section of the Best Buy credit card online portal.
Speaking of Best Buy, I called them up to see if I could do anything about these fraudulent purchases, and the representative claimed that they could not find my details, neither my name, Email address, phone number or address, so they could not help me, telling me to file a police report. And yes, this was the correct number I called, unless the fraudster managed to compromise the Best Buy website.
Finally, I went through all my online accounts that I actively use and have payment cards attached and changed the passwords, with the help of the LastPass security dashboard and every one of my accounts now has a unique, randomized password using upper, lower case, numbers, and special characters.
The moral of the story, take your online security seriously, use a strong password, and 2-factor authentication whenever possible. If it was not for PayPal sending me a text message, I probably would not have noticed due to the Gmail rules making Email notifications from Walmart and Best Buy skip my inbox, meaning the fraudster could have kept using my Email address, sending notifications to my trash folder, then permanently deleting the evidence once the fraudulent transactions had been completed.