Going phishing – with a twist
Yet, despite all that, $90 in fraudulent purchases were charged to my credit card this week. My theories - and, yes, they're just that, theories - about how that happened scare me because it appears that the bad guys could be taking advantage of behaviors many of us have adopted to prevent them from stealing our money.
It started Thursday morning, when I received an email alerting me to a $281 "purchase" of two pairs of size 30 pants - I usually spread in the winter, but not that much - from a retailer I've never heard of. The email was sent to my work address, which is not in any way connected to any credit card. Neither is that email discoverable by scraping public data. It appears that someone's database was breached. I know it was not the retailer whose domain was on the reply address on the email because I've never shopped there. I have my suspicions as to whose data were stolen, and I have unsubscribed from that service.
When I received the email, I DID NOT click on any links. I DID NOT download any executables - numerous posters on the retailer's Facebook page were quick to assume that. It's an unfortunate human inclination when others are in trouble. Instead of thinking, "there but for the grace of God go I," there's a smug, "thank God I'm not an idiot" reaction.
What I did do is what I always do: Googled the retailer. I then clicked on the retailer's site. I'm still wondering if there was a clickjack on the site that was able to log keystrokes when I surfed later in the day, but the retailer hasn't answered that question. I don't think the person running their Facebook account knows enough to even know how to ask their IT department. Since he or she at one point attributed my problem to my email having been hacked, I doubt it.
Later in the day, I clicked on my Amazon account. Mid-afternoon, Amazon notified me that my credit card number had been used to open another account, which had made three purchases. I called my bank and cancelled the card. The bank's fraud department said that yes, it is possible for the bad guys to phish by placing a clickjack on a legitimate site.
Now, this is where this situation should concern everyone: It appears that there's a possibility that this scheme took advantage of behavior people have learned to PREVENT fraud, scams and phishing: Googling the retailer. I'm going to have to change that behavior, but I'm not sure yet what I should do instead.
No, of course I'm not certain that the fraudulent purchases were connected to the original email. But I'm not a big believer in coincidence, and when I do only one thing in a given day that I don't ordinarily do - visit a particular retailer's site - and wind up with credit card fraud, I think any reasonable person would be suspicious.
Copyright Debra Legg 2012. All rights reserved.