Someone Bought a Fraudulent Gift Card With My Amazon Account: Here’s What I Did

Given how long I’ve been working for a tech website, it’s embarrassing to admit my card was recently used for a fraudulent purchase on Amazon. Here’s what happened, how I fixed it quickly, and what you can learn from my slip-up.

The Phony Purchase

One day as I finished working, I got an email that my Amazon Prime credit card had been charged $250. I initially wondered if something I had pre-purchased was just now shipping, but I checked Amazon’s Your Orders page (including the Not Yet Shipped and Digital Orders tabs) and saw nothing out of the ordinary.

My next thought was whether my wife had ordered something. We use the Amazon Family feature, so my Amazon card is set as the default for purchases on her account. But she hadn’t mentioned she planned to buy anything, and I knew she wouldn’t purchase anything that large without mentioning it.

To gather more info, I opened her Amazon account in a separate Chrome profile window. Sure enough, the only item in her Orders was a $250 Razer Gold digital gift card, sent to an email address I didn’t recognize. There was no option to cancel it or take other quick action, so I jumped over to her Gmail inbox to see what else I could find.

The Attacker Covers His Tracks

As expected, there were several emails from Amazon in my wife’s email account, but of more immediate concern were the dozens of other messages flooding in. I watched as tons of confirmation emails from random services like Remind, Kayak, and Clipdrop came in.

This made me think someone had access to her Google account, so I immediately changed her Google password. Your email account is one of the worst you can lose, since anyone with access to it can reset the passwords for all your accounts that log in with it.

Thankfully, her Google account wasn’t breached. Instead, I realized the person who had broken into her Amazon account was flooding her email inbox in hopes that she wouldn’t see the confirmation messages from Amazon. They also tried tons of signups for various university newsletters, though those went straight to spam.

Once I knew what was up, I checked the multiple Amazon messages in her inbox. Alongside the $250 charge that went through, there was a receipt for a $100 gift card 15 minutes later—that order didn’t appear in her Amazon history or anywhere else. Amazon also sent an email asking to verify the account because of suspicious payment activity. A third set of emails said there was a problem processing the order and that it was canceled.
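The inbox flood described above can be spotted mechanically, and the messages it was meant to hide pulled back out. The sketch below is an added example, not part of the original article: it flags a burst of mail from many unrelated senders in a short window and lists anything from watched senders that arrived around it. The sender domains, timestamps, thresholds and function names are all constructed for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 17, 0)  # constructed timestamp, not from the article

# Constructed inbox metadata: (received, sender domain, subject). All names are placeholders.
SAMPLE_INBOX = [(T0 - timedelta(hours=5), "friend.example", "Lunch tomorrow?")]
SAMPLE_INBOX += [(T0 + timedelta(seconds=20 * i), f"svc{i}.example", "Confirm your email")
                 for i in range(30)]  # 30 unrelated signups in under 10 minutes
SAMPLE_INBOX += [(T0 + timedelta(minutes=2), "shop.example", "Order: $250 gift card"),
                 (T0 + timedelta(minutes=17), "shop.example", "Order: $100 gift card")]


def find_flood_windows(messages, window=timedelta(minutes=10), min_senders=15):
    """Return merged (start, end) spans in which at least `min_senders`
    distinct sender domains delivered mail within one sliding `window`."""
    msgs = sorted(messages)
    spans, lo = [], 0
    for hi in range(len(msgs)):
        while msgs[hi][0] - msgs[lo][0] > window:
            lo += 1  # drop messages that fell out of the window
        if len({dom for _, dom, _ in msgs[lo:hi + 1]}) >= min_senders:
            start, end = msgs[lo][0], msgs[hi][0]
            if spans and start <= spans[-1][1]:
                spans[-1] = (spans[-1][0], end)  # extend the current flood
            else:
                spans.append((start, end))
    return spans


def buried_messages(messages, watch_domains, grace=timedelta(minutes=30)):
    """Mail from watched senders (shops, banks) that arrived during a flood
    or within `grace` of it: the messages the flood is meant to hide."""
    hits = []
    for start, end in find_flood_windows(messages):
        for msg in sorted(messages):
            ts, dom, _ = msg
            in_range = start - grace <= ts <= end + grace
            if dom in watch_domains and in_range and msg not in hits:
                hits.append(msg)
    return hits


if __name__ == "__main__":
    for ts, dom, subj in buried_messages(SAMPLE_INBOX, {"shop.example"}):
        print(ts.isoformat(), dom, subj)
```

A sudden wave of signup confirmations is itself the signal: when it appears, search the same time range for mail from retailers and banks before clearing anything out.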

I changed her Amazon password to prevent further incidents. Because the charge still appeared on my card despite the note about it being canceled, I contacted Amazon support immediately. I wanted to let them know so I was certain the charge would be reversed. Her account wouldn’t let me contact support for some reason (perhaps because they suspected fraud), so I reached out on my account.

I explained what happened, and the rep told me I would get a refund soon and didn’t need to do anything else. I didn’t have to go through the process of contacting the bank, thankfully.

As an extra step, I reached out to Razer Gold support to provide the email the fraudster used. I summarized the story and hoped they could ban the account with that address. Unfortunately, they misunderstood what I said, and my ticket was closed before I could clarify. Likely, the person had long since redeemed the gift card anyway, so justice isn’t possible here.

This Breach Was My Fault…

There’s virtually no chance this breach would have happened on my own Amazon account, as I use a random strong password and two-factor authentication. This occurred because I was slow to upgrade my wife’s account security.

We got married earlier this year, and it was on my list of tasks to add her to my family password manager account and help her redo her weak passwords. But we had so much else going on that we hadn’t done it yet. This incident served as the impetus for us to strengthen her passwords so it wouldn’t happen again.

Learn from my lack of urgency: if you’ve been putting off moving to a password manager, you should take the next available opportunity to. It can be a bit tedious to set up, so don’t rush it. You don’t need to change every password at once; focus on high-value accounts like anything that has your cards saved, and social media where someone could impersonate you. Once you’re done, you’ll never have to worry about recalling a password again.

…but I Was Prepared

I was alerted to the crooked charge because I have alerts set up for all my credit cards, and I highly recommend you do this too. Bank apps for all major credit and debit cards should have an option to send you an email, phone notification, or both when there’s a charge. I have this threshold set to a very low amount, since card thieves often test small purchases before attempting a huge one.

Failing that, I also use YNAB for budgeting (though there are cheaper alternatives), and that helps me keep track of expenses. If anything unauthorized got through, I’d recognize it when I categorize my recent spending.

While this is the first time illegitimate card usage was my fault, it’s not the first time it happened to one of my cards. A few months ago, someone used another card of mine to spend nearly $1,000 at a sports optics retailer. And just a few days ago, I got an alert that a secondary debit card I’ve never used was flagged for making a small purchase on Amazon Brazil.

Card fraud can happen to anyone, so it’s wise to be as prepared as possible. This is another good reason to use credit cards instead of debit cards online: if money is taken, it’s the bank’s cash, not yours. Using a disposable credit card number is even stronger.

Looking back, it’s odd that Amazon allowed this—her Amazon account was relatively new, so buying a digital gift card for another email address as its first purchase is strange. Despite the emails saying the orders were canceled, my card history shows that the $250 went through and then was refunded.

Also, unfortunately, Amazon doesn’t let you check the login history for your account like many services do. In comparison, I recently checked the history for my Microsoft account, and there have been dozens of attempts (just this week) to break in from Ecuador, Argentina, Vietnam, Ukraine, Taiwan, and many other countries.

That’s scary to see, but given the strength of my password and use of 2FA, I don’t have anything to worry about. My email address (and probably yours) is in the wild thanks to breaches, so anyone who finds it can try logging into various accounts.

Protect Yourself Against Breaches

I’ve laid out the scenario that happened to me so you don’t fall victim to a similar scheme; knowing what’s coming before it happens is a great way to stay secure online.

Use a password manager to store strong, unique passwords for all accounts. Set up alerts for your cards so you don’t find out about unauthorized usage days or weeks later. Change your password and sign out of all accounts if you suspect something is off. And make sure you have recovery methods on all your accounts so getting back into them isn’t a hassle if someone takes over—like getting back into your Google account.
