When Amazon packages started showing up on Chris’* doorstep last Autumn, he and his wife both assumed the other was buying Christmas presents for the other. But the contents of the packages looked nothing like gifts either of them would want to receive.
“I opened a few boxes addressed to me and found a few items I literally could not identify,” he said. “I still don’t even know what they are.”
There were no extraneous orders in the couple’s Amazon Prime account. When he contacted Amazon, they said he could throw the items away. He counted six packages, containing 10 or 12 items total. One he shared with me turned out to be a heat-activated fan for a wood-burning stove, which retails between $65 and $80 on Amazon. Chris does not have a wood-burning stove.
Eventually, Chris did find evidence of the orders: they were on his credit card bill. Someone had obtained his credit card number and used it to place orders. And then they shipped them to …well, him.
It’s a scam that makes little sense at first glance. Why would someone steal your credit card information just to order items they can’t even use?
But it’s a little more complex than that.
Chris said when he contacted American Express, his credit card issuer, they were able to help him put a few puzzle pieces together: Scammers access old, expired credit card numbers, then test them on Amazon to see if they still work. Eventually, they make bigger purchases, send them to your address, and dispatch a porch pirate to pick up the delivery before you’re able to notice it.
While he doesn’t have proof the hack came from his Amazon account, Chris did have old credit card numbers stored in his account, which American Express advised him to remove.
“It’s a disgustingly clever crime,” said consumer expert Clark Howard. Chris’ experience appears to be a more nefarious version of what’s called brushing. That’s where third-party Amazon sellers trying to boost their ratings ship their product to random people; they can then leave a review for that “verified purchase.” (For more about schemes to boost third-party seller rankings on Amazon, listen to Reply All’s episode “The Magic Store.”)
But that low-level grift doesn’t explain how Chris’ credit card number got swiped.
Say you’ve had an Amazon account for 10 years, and over that period you’ve added five or six different payment options to your account. Those cards, even if they’re expired, can be used against you if your account gets compromised.
That’s because credit cards like to play nice with their retail customers. If a merchant (like Amazon, for instance) has an arrangement with a card issuer (like American Express) and agrees to take on the risk, “they can have a green light to run cards that are no longer technically considered valid,” Howard explained.
“The system is set up knowing there is going to be a certain amount of fraud,” he said. But compare that small amount of risk to the amount of revenue a website can bring in by allowing purchases from customers who have forgotten to update their payment info, and it’s clear why a merchant would take the risk. The only retailers who aren’t as likely to carry that liability are electronics stores, Howard noted. But “People engaging in online fraud usually know which retailers are willing to bear the risk, like Amazon, and which are not,” Howard said.
Once a scammer finds a card that works, they place an order in your name, tracking it every step of the way. The minute it gets dropped on your stoop, the scammer or one of their cronies can saunter past the pick it up. It appears that Chris’s scammers were not very good—or, they were satisfied with the few test orders they had placed enough to move on to bigger and better attempts on his credit card.
Shortly before Christmas, we were able to connect Chris with an Amazon team that said it would investigate the issue, but they haven’t responded to post-holiday follow-up messages. An Amazon spokesperson said by email, “We are investigating this customer’s inquiry about unsolicited packages, as this would violate our policies. We remove sellers in violation of these policies, withhold payments, and work with law enforcement to take appropriate action.”
Meanwhile, Howard offered some tips for preventing this scenario.
Choose one credit card
First, he advises choosing one credit card and one credit card only for making purchases online. It’s easier to track your online purchases if they’re all on one card, and any suspicious activity will stick out more easily. You may miss out on a few rewards, but Howard says the reduced chance of fraud from streamlining your activity is worth it.
The next time you enter that designated card info to make a purchase, delete all the other cards saved in your online account.
Use one-time card numbers
Second, if you want to be even more cautious, consider using a program that provides one-time use credit card numbers every time you buy online. Even if the number gets compromised, it’ll be useless to a fraudster after your initial use. Your bank or credit card issuer might call this a “virtual card” or “virtual card number.” You’ll lose the convenience of having the retailer remember your payment information, but gain financial security.
Think about home security
Finally, think about getting a camera for your front door or wherever packages get left. It doesn’t have to be an expensive, creepy smart doorbell; there are security cameras that cost under $50 that can help you capture evidence of a suspected porch pirate. And that evidence could help law enforcement catch thieves and scammers in your area.
If something’s amiss, speak up quickly
If you suspect you’ve already been targeted by a hacker who’s leaving gifts at your doorstep, it’s crucial to act as quickly as possible. If you notice suspicious account activity more than a week or two after it takes place, Howard warns you may have a more difficult time proving you’re not at fault, and that the activity is in fact fraud. “So many people never open their statements, or they don’t look at their electronic statements,” he said. Contact your card issuer and the retailer as soon as you notice something off.
While American Express couldn’t comment on Chris’s particular experience, a spokesperson sent a statement urging consumers to safeguard their financial information. “If they are ever unsure, they should call their financial institution directly,” the spokesperson said. “We will immediately take appropriate action if we determine it is indeed fraudulent.”
Howard recommends initiating an online chat to notify the retailer you’ve gotten mystery packages so you have a record of your conversation. The retailer may tell you to toss the items, like Amazon told Chris; it may ask that you send the item back with a pre-paid return label.
Once you’ve cleaned up the mess, don’t let your guard down. “Once you’re a mark, it’s probably not going to be the only time they try to hit you,” Howard warned. And the ways scammers infiltrate our financial lives keeps evolving.
“It’ll keep morphing,” he said. “The criminals continually look for weaknesses in our own personal behaviours or corporate systems.” The best advice six months from now could be completely different because scammers have found a different weak spot. “People aren’t going to pay attention until something’s happened to them.”
*Name has been changed for privacy.