Recently, I accessed the mail account that I normally use for all business and financial transactions and immediately noticed that the junk folder had over 100 emails within it. I was taken aback, because for that particular account, with very rare exception, the junk email folder has essentially remained empty. Upon investigating, I saw that the vast majority of emails therein were notifications of that email address having been used to register on this site or that site and were asking for confirmation, but one in particular jumped out at me thanking me for my recent purchase of a piece of hardware from a well-known and reputable vendor of expensive computer equipment. Upon investigating the text content of the email it certainly looked like a legitimate receipt and so I immediately looked at my bank records to see whether such a charge actually was on one of our credit cards, and it was: in the amount of close to $2000.

I have never experienced fraud like this, so while initiating the process of contesting the charge with my bank, my mind was racing as to what mistake I had made in order for this to happen. For at least the past 15-20 years, the approach I have taken to protect against this type of thing consists in, at least:

• Keeping my work computer and personal computer completely separate whenever possible and practicable. Typically, they are run on different hardware or, at the very least, one is running virtually and the other not.
• I never open emails with links or functionality enabled unless I know them to be from a reputable or familiar entity.
• On my personal computer, I am never signed into any SAAS on any non-incognito browser.
• Every SAAS that I am logged into on an incognito browser is in a one-to-one relationship to the browser brand: i.e. if I am connected to Gmail, then that is in an incognito Chrome browser. If I am also logged into Outlook email, then that would be in an incognito e.g. Edge browser.
  • Given that I only use Edge, Chrome, and Firefox, that limits me to three 'perpetual' logins on a given machine, which is more than I need.
• Every time I do business with an online entity
  • If it's the first time I am using them, I check reviews and ratings for any red flags.
  • I always use a non-incognito browser for all interactions.
  • I always validate that the browser icon indicates that the certificate is valid.
  • I always decline when I am asked whether I want to save my login information.

I don't claim that the above is foolproof, but I do claim that it is an exercise of due diligence. I once had a colleague who either wrote or acquired a piece of software that would detect all saved passwords in browsers, who, when I told him that I never save passwords was incredulous, was even more so when we ran the software on my computer and it indicated that there were zero saved passwords. Most browsers worth their salt have the option to completely disable the saving of passwords, a practice which I heartily recommend.

Nonetheless, despite all of the precautions enumerated above, some entity had gained access to at least my credit card information, and so I proceeded to close every single browser session (incognito included), clear all cookies, caches, etc., and then run a full malware/spyware scan of every drive and file on my computer. A time-consuming process which turned up nothing. So what was it?

Logging on to my work computer and opening an incognito browser there (for even though I had done my best to clear my personal computer setup of complicity in the crime, I was not yet satisfied that it was safe), I logged in to my bank and proceeded to take a closer look at the transactions prior to the fraudulent one. Nothing was out of the ordinary save one: a transaction that occurred with a government-run website wherein I had made a payment. Cross-referencing the timestamp of that transaction with when the junk emails began to appear along with the timing of the fraudulent purchase, I saw that it was all within a couple of hours of having used the same credit card on the government site. At this point, I was reasonably satisfied that I had found the culprit, for the government is notoriously lax when it comes to just about everything except for the extraction of funds from taxpayers. Is it possible there is some other explanation? Of course. One of the basic tenets¹Sadly (purposefully?) absent from just about every 'scientific' program in existence today and for decades. of all science is that no hypothesis can ever be proved: the best that can be achieved is that it has resisted attempts to demonstrate that it is false. Further, we must always be on guard in such situations against falling prey to the post hoc ergo propter hoc informal fallacy. All of that being said and taken into consideration, it'd be hard to argue that the evidence adduced in favor of my conclusion is not at the very least probable.

Now that I had at least some understanding as to what had transpired and probably how it came about, what comes next? The email from the vendor where the fraudulent purchase occurred sent me multiple email updates as to progress, tracking, etc. I mistakenly believed that considering that I had contested the charge less than 24 hours after it took place, that the whole thing would fizzle out, the order would be canceled, nothing would be shipped, I'd see a credit on my bank statement, etc. Wrong.

Less than a week after the order was placed, the hardware was delivered to my home. I'll include the following in my summary at the end of this, but let me state it now as well: if this happens to you, make sure that you tell everyone in your household who can sign for packages to be on the lookout for a package from the particular shipper and vendor, and that if they see that a package matches both to not sign for it, to refuse receipt of it. Doing so, can, in hindsight, prevent a tremendous amount of headache. Again, because I have no experience with these things, I was a bit surprised that it had been delivered at all, so I resolved to drop it off at the nearest shipping facility the next day.

The morning of that next day, the shipping company that had delivered the package the previous day appeared on our doorstep and informed us that they were there to pick up a package that had been delivered fraudulently. I handed over the package to the driver. Hallelujah! It was now over. Wrong.

The next day after the package had been picked up, a representative from the same shipping company came to our house to 'pick up a package that had been ordered fraudulently.' Huhn? One of my kids informed me of this, and I told him to relay to the driver that the package had already been picked up the previous day. Inwardly, I was a bit perplexed, because these shipping companies rarely put a foot wrong, but I didn't give it much thought after that. Their kerfuffle won't affect me, right? Wrong.

When I had initially contested the charge with my bank, I had received a message informing me that they were crediting me for the purchase price of the fraudulent transaction while they reviewed all of the information. A little bit over three weeks after I initially contested the charge, I got a message from the bank saying the matter was 'resolved' and that I had a message waiting for me. Great! No, not so great. It was a message informing me that they would not pay it because the hardware vendor had supplied them with all sorts of information that supported their contention that I had actually purchased it. I looked through it and most of it was correct, but there were some things out of order:

• My previous address appeared in their documentation.
• The IP address used to order the item in question was not an IP address used by my ISP.
• The vendor alleged that they had not received the item in question which I had returned at least two weeks prior.

Thankfully, when the package was picked up, I had

1. Written down the name of the driver, and
2. Made sure that the driver gave me a printout with the tracking number.

Why, even though I had done my part by returning the package, was there an attempt to make me pay for it? If the shipper had lost the package, that's not my fault, right? Right. Taking the tracking number from the printout I had received from the driver, I proceeded to type in the name of the shipping company and 'tracking' or some such so that the widget that typically appears from such a search was available and I typed in the tracking number. To my chagrin, I was informed that the number I had typed in was not a valid tracking number. Of course, my mind raced a bit, checking off all of the evidence which had led me to believe that the driver who had picked up the package was legitimate. Nothing was out of sort. Unless someone had gone to the trouble to acquire a uniform, one of those handheld tracking computers with built-in printer, etc., the pickup had to be legitimate.

Fingers crossed that I hadn't been further scammed by a fake representative of a legitimate shipping company, I then navigated to the shipper's website directly and typed the same tracking number into that and, thankfully!, it worked. Upon looking at the tracking information, the first thing that I noticed and which initially threw me off, was a picture of the package leaning against what appeared to be, judging by all appearances of the door and frame visible in the picture, a fairly dilapidated apartment residence. In the tracking details, I noted that a signature was not required.

At this point, I will save you from all of the gory details of the back-and-forths with the bank. Suffice it to say that it was unpleasant, took more hours of time than I care to recall, and was perhaps more frustrating than it should have been. What follows is first an overview of how I believe the scam works, some of which is speculative, but most of which is based upon evidence, and second, my recommendation of remedial steps that should be taken if you are ever ensnared in something like this.

The Scam

• A criminal gets ahold of your credit card information, email address, and whatever else is necessary to make an unlawful transaction.
  • The email address is also used to 'register' on many websites, in the hope I would guess, that the fraudulent transaction for which your credit card has been used will not be noticed amongst the dozens or hundreds of other spurious emails.
  • Hence, if all of a sudden you get a lot more junk email than normal, you probably should construe it as a sign that you've been hacked financially in some way.
• They use that information to make a fraudulent purchase and somehow, in the midst of that gain access to the tracking number.
  • I believe it is necessary for them to have the tracking information because it seems that the scam is dependent upon them knowing when the package will be delivered so that the next step of the scam can be executed.
• Once the date of the delivery of a package is confirmed, the thief schedules a pickup from your address with the same shipper of that item that will occur the very next day after delivery, with the destination being some nondescript location that is within driving distance of the thief's base of operation.
  • It seems reasonable to state that the thief is not going to have the package they stole shipped to their own residence.
  • Nondescript: even though I'm working from my single anecdotal experience, I believe that it is more plausible for the thief to route the package to a lower-income area than to a higher one due to the fact that there is most likely a correlation between wealth and the incidence of home security cameras.
  • I don't really know how they can pull this off without incriminating themselves, for to schedule a pickup such as this, one would think that some sort of financial transaction must take place. Perhaps the thief uses a different stolen credit card?
• Unlike the original delivery from the vendor that required a signature, the package is delivered to its new location, no signature required so that it can simply be left on a porch or doorstep.
• The thief then steals the package from the residence where it was delivered.

Remedial Steps

• Immediately contest the charge with your bank.
• Even if you've noticed the fraud almost immediately, you should still send an email to the vendor indicating that the purchase was fraudulent. Hopefully, this would be enough to prevent the package from even being shipped in the first place.
• If the purchase somehow ends up being shipped, make sure to tell everyone in your household who can sign for packages to be on the lookout for a package from the particular shipper and vendor, and that if they see that a package matches both to not sign for it, to refuse receipt of it.
• If somehow the item is delivered, make sure to keep all records of dates, times, persons, etc. encountered by you during the return of the item.
• When dealing with your bank, make sure that they are adding every detail that you have into the computer.
  • I had been informing my bank of all of the information I had regarding the who, when, what of how the package was returned, but made the mistake of assuming that they were actually paying attention.
  • Only after three phone calls (and at least two denials of my claim) did they actually write down the information I had been giving them from the get-go.²Having the tracking number from when the package picked up was a critical piece of information.
  • If I had ensured that this happened, it would have saved me a whole lot of time and frustration.

Although I do not have sufficient evidence that this fraud occurred due to a lack of due diligence on my part, and I have good reason to believe that the evidence adduced points to the government website I had given my credit card information to for a single transaction, considering that it is better to be safe than sorry, at this point, I'm using a virtual machine which has the sole purpose of interacting with various financial institutions. Further, I'm investigating the use of single-use credit cards, aka virtual credit cards.

Who is responsible? The answer is that responsibility lies solely with the criminal who planned, initiated, and perpetuated the crime. The typical mindset of today will state that the hardware vendor or the bank bear some share of the blame. I disagree. Unless it can be shown that an actor behaved irresponsibly, negligently, or with malice aforethought, the reality is that this type of thing can happen to anyone at any time and that no matter what safety precautions one puts into place, and whatever due diligence every moral person exercises, those hell bent upon committing crime will find a way.