Thieves Hacking your Online Accounts
One Sunday afternoon in the early summer, I was sitting on the back porch shopping online on my phone. I ordered cat doors and a few other low-priced items from Home Depot. The items arrived later that week and I thought nothing more about it.
The next weekend, again I was sitting on the back porch. I checked my email. First I see an address change email from Home Depot. Then I see an order confirmation from them – but I didn’t order anything or change my address.
The Shopping Scam
I initially think it must be a fake Home Depot email. So I log in to my account to confirm. Surprisingly, I find a brand new order with shipment to a totally different address about 5 miles away. I click into the order and see about $4,000 worth of products including Roombas and electric saws. Interestingly, store pickup at the local Home Depot was designated for part of the order. Guess what that was? The exact same cat doors I ordered the week before.
I cancelled the order, deleted the address change and called Home Depot. They had no interest in what I was telling them. They offered no suggestions or guidance and said since I had cancelled the order, there was nothing else I needed to do. I also called the local store and spoke briefly to the manager. After I started to explain, he asked if he could call me back in 15 minutes. I never heard from him again.
What’s their Hacking Strategy?
They hadn’t charged the items to my account (I don’t keep saved cards on my online profiles) so basically, they said nothing really happened to me. My account was merely a means to an end. They likely charged to a stolen credit card. And probably used an unknowing victim for the address.
Their hope (I assume) was that the order went through and they could steal the delivery off the porch. Then they could re-sell the items.
It would seem that setting some items up for store pickup and re-purchasing items I had bought before served a purpose as well. Likely these steps outsmarted the fraud detection component of the Home Depot site.
The Spam Scam
The plan seems flawed though. Anyone who saw an email about an address change and $4,000 order on their account would do what I did. So here is where it started to get weird. Within 3 minutes of my noticing the emails from Home Depot, I started to be spammed in my inbox. I received thousands of emails. They just kept coming and coming. They were all from different domains and in various languages. I couldn’t block them en masse because they were all different. I went through and marked them all junk. Eventually, after about two days, I got rid of all of them and they stopped coming in.
This seemed coincidental but unrelated to me. Why would I get spammed as part of an effort to use my Home Depot account for purchasing items for resale? I googled it and found the same situation described online. The person stated that the spamming is tied to the theft. The point is to bury the actual emails from Home Depot among all the unsolicited emails. They assume 1) you won’t see the emails in the 3 minutes before they start the spam campaign and 2) you will be so overwhelmed and frustrated by the spamming that you delete everything in the inbox, including the actual Home Depot messages.
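The burying tactic described above can be checked for mechanically. The following Python is an added example, not part of the original post: it looks for a sudden flood of mail from many different sender domains and pulls out the account notices from a known retailer that arrived just before or during it. The message format (time, sender, subject), the thresholds, the keywords and the `retailer.example` domain are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds and keywords (not from the article); tune them per mailbox.
WINDOW = timedelta(minutes=10)      # sliding window for counting sender domains
MIN_DOMAINS = 20                    # distinct unknown domains that count as a flood
LOOKBACK = timedelta(minutes=15)    # how far before the flood to look for notices
ALERT_WORDS = ("order confirmation", "address change", "password", "shipping")

def domain_of(sender):
    return sender.rsplit("@", 1)[-1].lower()

def find_flood_start(messages, trusted_domains):
    """Time of the first message in the first window holding MIN_DOMAINS or
    more distinct untrusted sender domains, or None if there is no flood."""
    window = deque()
    for ts, sender, _ in sorted(messages):
        if domain_of(sender) in trusted_domains:
            continue
        window.append((ts, domain_of(sender)))
        while ts - window[0][0] > WINDOW:
            window.popleft()
        if len({d for _, d in window}) >= MIN_DOMAINS:
            return window[0][0]
    return None

def buried_notifications(messages, trusted_domains):
    """Account notices from trusted senders that arrived from LOOKBACK before
    the flood onward: the mail the flood is meant to hide."""
    start = find_flood_start(messages, trusted_domains)
    if start is None:
        return []
    return [(ts, sender, subject) for ts, sender, subject in sorted(messages)
            if domain_of(sender) in trusted_domains
            and ts >= start - LOOKBACK
            and any(w in subject.lower() for w in ALERT_WORDS)]

# Constructed sample inbox: two retailer notices, then a flood three minutes later.
T0 = datetime(2024, 6, 9, 14, 0)
SAMPLE = [
    (T0, "noreply@retailer.example", "Your address change is complete"),
    (T0 + timedelta(minutes=1), "noreply@retailer.example", "Order confirmation"),
] + [(T0 + timedelta(minutes=3, seconds=5 * i), f"news@list{i}.example", "Welcome!")
     for i in range(200)]

if __name__ == "__main__":
    for ts, sender, subject in buried_notifications(SAMPLE, {"retailer.example"}):
        print(ts.isoformat(), sender, subject)
```

On the constructed inbox this surfaces the two retailer notices out of 202 messages; an inbox with no flood returns nothing, so ordinary order mail does not raise an alert.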
What to Do
I don’t know how they hacked my Home Depot account. I was on a secure connection the last time I accessed it the week before. So assuming you can’t stop them from that side, what else can you do? You definitely don’t want these criminals using your account for their illegal activity.
- Be diligent about checking your emails – this can be very hard when you are on multiple distribution lists. This was the only reason I stopped this transaction from going through. If your inbox is out of control, you can always subscribe to a service like Unroll.me. It compiles all of your email subscriptions into a single daily email you can easily review.
- Keep your credit card info to yourself – I wasn’t really at any risk of loss with this transaction because they didn’t use my payment methods to place the order. Don’t save your credit card to online shopping sites for future use.
- Call the seller – if something does happen to you like this, call the seller and report it. While I got no interest from customer service or the store manager, that doesn’t mean other companies would be so indifferent. And if it keeps happening and they get enough calls about it, maybe they will put some safeguards in place.
- File a police report – there was a delivery address added to my account. The police may be able to use that information to see if that person is a victim as well or part of the crime ring.
- Be suspicious – don’t dismiss emails from online shopping sites just because you haven’t ordered anything recently. And if something weird happens – like you get inundated with spam messages – assume there’s something deeper going on.
- Change your passwords – don’t use the same ones for everything and if you have been hacked on one site or platform, change your passwords on others if you are using the same one.
- Get a doorbell camera in case someone uses your address to have their stolen merchandise delivered. New laws in Texas have steeper punishments for porch pirates and you can catch them in the act with a doorbell camera or CCTV system. We can help – contact us.