A few days ago my wife, Crystal, woke up to find an alert notification on her phone from our credit card company. It informed us that an online transaction for over $500 had been processed the previous night at a warehouse store where we are members. She also noticed that she received over 500 emails while we slept. We certainly hadn’t made the purchase so we knew right away that our account had been hacked.
These days, it’s all too common to hear of a new data breach that affects millions of users. It’s just a risk we run in the digital age. Luckily, credit card companies are super easy to work with when fraudulent transactions happen, so neither my wife nor I were particularly worried; we just went into damage control mode.
“Was this the only unauthorized purchase made at this store?”
“Were there any other fraudulent purchases made using this card?”
“Are our other cards still secure?”
“We need to change our passwords on the store and card websites.”
“Then we need to contact the card company and the store to let them know about… wait… 500 emails overnight? That’s definitely not normal.”
We cautiously investigated the inbox to see if her email was hacked as well. Almost every email had been received over the course of 3 hours, starting around midnight, with around 30 more trickling in over the next several hours and into the next day. Nearly all of the 500+ emails were subscription confirmations for newsletters (everything from travel and lodging sites to mermaid tails for swimming), but they all seemed to be legitimate. It seemed bizarre, but at least it didn’t look like her email had been hacked. We finally got down to the first email that came through before the barrage started, and it was the confirmation of the fraudulent purchase.
Turns out, in addition to the online shopping fraud, we were also victims of what is called “email bombing,” more specifically, “list linking.” Email bombing is a tactic used to fill your inbox with as many emails as possible to annoy you, bully you, or distract you so you don’t immediately notice a specific email (e.g., a purchase confirmation).
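The pattern described above (a flood of sign-up confirmations hiding one purchase confirmation) can be checked mechanically. As an added example that is not part of the original post, this Python code finds the densest three-hour burst in a list of message headers and surfaces the transactional emails inside or just before it; the subject patterns, thresholds, addresses, and sample inbox are constructed assumptions.

```python
from datetime import datetime, timedelta
import re

# Subject patterns are assumptions for illustration; tune them for a real mailbox.
SIGNUP = re.compile(r"subscri|newsletter|welcome|confirm your (email|sign)", re.I)
TRANSACTION = re.compile(r"order|receipt|purchase|payment|password|shipped", re.I)

def find_burst(messages, window=timedelta(hours=3), threshold=100):
    """Return (start, end) of the densest sliding window holding at least
    `threshold` messages, or None if the inbox never gets that busy."""
    times = sorted(m["received"] for m in messages)
    best, lo = None, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        count = hi - lo + 1
        if count >= threshold and (best is None or count > best[0]):
            best = (count, times[lo], t)
    return None if best is None else (best[1], best[2])

def buried_messages(messages, burst, lead=timedelta(minutes=30)):
    """Messages in or shortly before the burst that look transactional
    rather than like sign-up confirmations: the ones the flood is hiding."""
    start, end = burst
    hits = [m for m in messages
            if start - lead <= m["received"] <= end
            and TRANSACTION.search(m["subject"])
            and not SIGNUP.search(m["subject"])]
    return sorted(hits, key=lambda m: m["received"])

def sample_inbox():
    """Constructed sample: one order confirmation, then 500 sign-up mails in 3 hours."""
    midnight = datetime(2024, 1, 1, 0, 0)
    inbox = [{"received": midnight - timedelta(minutes=5),
              "sender": "orders@warehouse-store.example",
              "subject": "Your order has been placed"}]
    for i in range(500):
        inbox.append({"received": midnight + timedelta(seconds=21 * i),
                      "sender": f"news@list{i}.example",
                      "subject": "Please confirm your subscription"})
    inbox.append({"received": midnight - timedelta(days=2),
                  "sender": "friend@mail.example", "subject": "Dinner Friday?"})
    return inbox

if __name__ == "__main__":
    inbox = sample_inbox()
    burst = find_burst(inbox)
    for m in buried_messages(inbox, burst):
        print(m["received"], m["sender"], m["subject"])
```

On a real mailbox, the message dicts would be built from an export of the inbox's date, sender, and subject headers.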
We were lucky to only get 500 emails. Email bombing can bury your inbox in tens of thousands of emails! While there is nothing you can do to stop an email bombing, you shouldn’t wait around for it to end. If you find yourself being bombarded by huge amounts of unsolicited emails, there’s a good chance you’ve been hacked. The first thing to do is log in to each of your credit card accounts and check for any unauthorized charges (it wouldn’t hurt to change your passwords while you’re there). If you see transactions you don’t remember making, call the number on the back of your card to report the fraud immediately.
Next, log in to any online retailers with which you have accounts (Amazon, Walmart, Target, etc.) and check your order history. Some retailers give you the option to archive your orders and the jerk that hacked your account can use that to “hide” their purchase, so make sure to check the archived orders too. Again, if you see any suspicious transactions, contact customer support for that site right away and change the passwords for these as well. For extra credit, remove your payment methods to make double sure they can’t make another purchase.
After that, all you can do is wait for the incoming emails to stop. Most sites with newsletters understand that email bombing exists so they will send confirmation emails that would require a response from you before you are officially subscribed. For those sites, you will most likely only have to deal with one or two emails total. For many sites though, you are now subscribed to their newsletters. Now it’s time to clean up and there are a couple of ways to go about that. You can either mark each email as spam so any future emails will be sent straight to your spam folder or you can unsubscribe from each individual newsletter by clicking the “unsubscribe” or “manage email preferences” link at the bottom of the emails. If you would prefer the latter, more thorough process of whittling them down, I would seriously suggest some due diligence before clicking anything in the body of the email. A quick Google search of the company or site the email came from to ensure it’s legitimate will go a long way toward avoiding a virus from a site on top of getting hacked.
In the end, our story could have been much worse. It took Crystal a couple of hours to sort through the 500+ emails and the retailer refunded the cost of the purchase after only one phone call, but we learned a good lesson. In an era where fraud is so commonplace that credit card companies and online retailers will just issue a refund with few questions asked because there is little they can do to track down the criminal, and where those criminals can run scripts that will autonomously hack into accounts, make fraudulent purchases, and then bury the victim in unsolicited emails to cover their tracks, there’s a simple maxim to follow: if something seems suspicious, it’s worth carefully investigating.
And of course OwnIT is always here if you have any questions or think you might be a victim of online fraud.