I want to share my experience so others can be aware of what was, at least for me, something new.
I checked my email only to find that in the space of an hour, my inbox had been besieged by literally (yes, literally) hundreds of messages welcoming me or confirming registration to a panoply of websites, forums, online stores, etc. It was quite an array, from the Helsinki Rugby Club to the Hush Puppies store to the Let’s Talk Pigeons forum to the Akron Police Benevolent Society. I couldn’t figure out what the heck was going on or how this benefited anyone. So I started sending them to spam one by one (not opening them).
Lo and behold, buried way down in the list were notifications from eBay about several purchases and my pending change in my email address, which would take effect if I didn’t object. Needless to say, I hadn’t done any of that. Sure enough, charges were pending via eBay/PayPal on my credit card. I cancelled my card, reported everything to everyone, changed all passwords, etc.
So I guess the modus operandi is to flood someone’s inbox with so many messages that clues to what’s really happening go unnoticed. Meanwhile, I hope the pigeon lovers aren’t waiting impatiently for my contribution to their forum!
Just did a little googling and saw that a few years ago this technique was reported and dubbed “distributed spam distraction”, but it was rare at the time. Advice given by experts was to ignore the email flood (there could be thousands (!) sent in the course of a day) and simply go straight to your credit card, bank, etc. to freeze accounts, change passwords, etc. Of course that doesn’t solve the problem of missing real messages that arrive in the midst of the flood.
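As an added example (not part of the original posts), here is one way to triage a mailbox during such a flood: detect the burst of sign-up confirmations, then pull out mail from the services that hold your payment details. The message fields, subject patterns, thresholds and the `.example` sender domains are assumptions constructed for illustration, and because From headers can be forged this only helps you find mail to check, it does not prove a message is genuine.

```python
from datetime import datetime, timedelta
from email.utils import parseaddr
import re

# Subject words typical of sign-up confirmations (assumed patterns).
SIGNUP_RE = re.compile(r"\b(welcome|confirm|verify|activate|registration|subscri)", re.I)

def sender_domain(from_header):
    """Lower-cased domain of a From header, or '' if it cannot be parsed."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def find_flood(messages, window=timedelta(hours=1), min_domains=20):
    """Return (start, end) of the first window containing sign-up mail from
    at least min_domains distinct sender domains, or None."""
    signups = sorted((m["received"], sender_domain(m["from"]))
                     for m in messages if SIGNUP_RE.search(m["subject"]))
    lo = 0
    for hi in range(len(signups)):
        while signups[hi][0] - signups[lo][0] > window:
            lo += 1
        if len({d for _, d in signups[lo:hi + 1]}) >= min_domains:
            return signups[lo][0], signups[hi][0]
    return None

def is_watched(domain, watched):
    """True if domain is a watched domain or one of its subdomains."""
    return any(domain == w or domain.endswith("." + w) for w in watched)

def buried_alerts(messages, watched, flood, margin=timedelta(hours=12)):
    """Mail from watched domains received around the flood window."""
    if flood is None:
        return []
    start, end = flood[0] - margin, flood[1] + margin
    return [m for m in messages if start <= m["received"] <= end
            and is_watched(sender_domain(m["from"]), watched)]

def sample_inbox():
    """Constructed inbox: 30 sign-up mails in 30 minutes plus 2 real alerts."""
    t0 = datetime(2024, 1, 1, 9, 0)
    flood = [{"received": t0 + timedelta(minutes=i),
              "from": f"noreply@site{i}.example",
              "subject": "Welcome! Please confirm your registration"}
             for i in range(30)]
    real = [{"received": t0 + timedelta(minutes=12),
             "from": "Marketplace <alerts@mail.marketplace.example>",
             "subject": "Your email address is about to change"},
            {"received": t0 + timedelta(minutes=14),
             "from": "billing@payments.example",
             "subject": "Receipt for your payment"}]
    return flood + real
```

Whatever the filter surfaces, the account check itself is still done by logging in to the service directly rather than through links in the mail.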
@MommaJ - timely post. My S had a weird hack about a month ago. He got a ton of spam emails but just deleted them. He luckily had his debit card set up so that whenever money was deducted from his account he received a text message. One day at work he received a text that over $2000 had been deducted from his account. He checked his bank account and email and found out he had ordered a computer from eBay. Which obviously he had not. He contacted his bank and they said they would investigate and he contacted the eBay seller. He noticed that the “buyer” had requested that the computer be sent UPS. The computer had been sent to my S’s address. He learned that with UPS if you know the tracking number you can redirect the package. The clerk at UPS confirmed that if someone knew your tracking number they could scam you. I guess they have the packages sent to an empty house and by tracking they know when to pick it up. That way getting around the policy of eBay only shipping to the billing address. Because my S had the text notifications for his checking account he was able to act fast and go online to UPS and lock out anyone from changing the delivery address. He got the computer and returned it to the seller.
He changed all his passwords, got a new debit card and learned that he should be using his credit card not debit for online ordering. He still isn’t sure how it all happened. He did get his money back.
Wow, what a story @mom60. It seems like we all have to be incredibly vigilant these days.
Just to add some info to my tale: The four electronics purchases charged to my PayPal account were to be sent to 641 Dowd Ave. in Elizabeth, NJ, which turns out to be the location of Meest America, a shipping company that forwards shipments to former USSR republics, most frequently to the Ukraine. I found lots of online skepticism, and some defenses, about the legitimacy of this company’s activities. All very intriguing. I assume if the multiple small sales had gone through without a problem, the next step would have been another blast of emails and then charging something very big to my PayPal account and having it shipped overseas.
Unfortunately, one of the eBay sellers had already shipped his item before eBay had a chance to notify him (or before he noticed the notification) of the fraudulent nature of the transaction. Not sure who bears the ultimate liability, the seller, eBay, PayPal or the credit card company, but I do know I’m in the clear. I guess the lesson for anyone who sells on eBay is to let a transaction percolate for a few days before shipping so any issues can surface. And all eBay sellers should be very leery of sending small items to that NJ address. Since it would make no sense for any buyer to pay the cost of shipping a $20 item internationally, any such sale is likely part of a larger scam operation, and the seller may never get paid.
@toledo, will the seller who thought he was selling me a $20 piece of electronic equipment and shipped it to the NJ address now be out the money even though he did nothing wrong, or are sellers protected in this kind of scenario? Somebody has to lose here, and I’m interested in how this sort of thing shakes out. Ideally the forwarding company would be required to send the item back to the seller before shipping it overseas, but it’s hard to imagine so much follow-up for such a small amount.
I think PayPal is out the money. Someone on the eBay forum said you must have accessed eBay/PayPal through wifi in a public place. I hope not because I do that a lot. Do you have any idea how someone got your password?
I’ve never done that ever! I’m a semi-retired dinosaur who doesn’t go online outside of my home except on my iPhone via Verizon’s network, and I do that just to check email or look stuff up, never to do any kind of transaction. In fact, the last time I bought anything on eBay or used PayPal was December 1 of last year, and it was done via my home desktop computer. So I have no clue how my password was accessed, and I’m feeling mighty insecure. But it seems every day we hear of another entity’s records being hacked, so who knows how safe eBay or PayPal keeps personal data, and if either would disclose any problem.
Wow, thanks, MommaJ. I think I am the (un)happy target of this type of distraction scam right now. Someone desperately seems to want my Facebook account, for that was the first thing to which an attempt at change was made. It is the only thing attached to my email at all, as I opened that email account just to talk to my five Facebook friends.
I am apparently signed up for all kinds of services and have registered children in church programs, qualified for Spotify premium, been told that the profile picture I submitted for the dating website violated the acceptable terms of use, etc.
I changed the Facebook password (and think I put a lock on future changes, but I’m not sure) and continually watch for the craziness to come in, but I have been baffled. I’ve had that email account for about four years, and rarely use it, and then all of a sudden it has become a hotbed of (scurrilous) activity.
There’s a difference between spoofing and hacking. People often think they’ve been hacked when they’ve only been spoofed. Facebook and email accounts can be easily spoofed, making it LOOK like a password has been stolen, when actually only a duplicate account has been set up, copying your name, and in the case of Facebook also your picture, trying to get other people and companies to go along, to THINK they’re dealing with you. It works too often, and there’s little to nothing we can do about it. Credit and debit card info IS stolen, and we’re helpless there too, except that debit cards should be used ONLY at an ATM. Be certain the lock symbol is showing in the browser when entering sensitive info over a public WiFi network. I agree about getting a message when ANY financial transaction occurs; it takes time to set up, and results in lots of messages!
Thanks for the heads up! I have never heard of this, and I can see how it could work. I get so much spam every day it would be hard for me to tell the difference. Just kidding, I do get a lot, but I think I would notice the difference, plus I scan through all of my email headings every day and would notice anything coming from my real bank, or eBay or PayPal… I think. Of course I get a lot of fake emails from “banks” where I don’t have accounts. Might change some passwords tomorrow, just for fun.
Because we’re not protected from fraudulent charges if the account number is stolen, like we are with credit cards. Your checking account can be drained with no recourse.