eChecks and Credit Charges – I Didn’t Authorize That!

by Robin Laudanski
September 14, 2007

How would you feel if this happened to you?

You are sitting having a nice meal and your phone rings, it’s your credit card company and they are asking you about a transaction that was just made on your credit card because it is outside of your normal spending pattern. Not only did you not authorize the transaction, but if your credit card isn’t American Express you now have to jump through half a dozen hoops and dance around in circles for a few weeks to get them to credit you back if the charge does not get refunded.

You are checking your inbox and discover there is an email in there thanking you for a donation. A donation you not only didn’t make, but it was made to a person or website you know nothing about. The thank you includes the transaction which was done through PayPal. You reply to the email saying “I didn’t authorize this” and hope PayPal is going to step in and investigate.

You are checking your online banking and notice there was an eCheck written to someone or website you don’t know. You call up your bank and tell them you didn’t do it and an investigation is launched into your account activity, it will take weeks before the money is returned to your account if it gets returned at all.

You make a purchase on eBay, only to be informed by eBay later that the auction was removed because there was something wrong with it. You have already sent your money for the item. You send an email asking for a refund of the removed auction item, only to get a reply back stating “we don’t sell anything on eBay”.

Does it sound scary? The truth is since the DDoS attack against us began, a number of people have been victimized in these exact ways. Unfortunately they are not the only people who are. CastleCops has been targeted as the recipients of these fraudulent charges through PayPal. When I first noticed something was wrong I contacted PayPal and asked them to initiate an investigation into our PayPal account. I explained that I believed most if not all of the transactions we’d received within a very short period of time were fraudulent in nature. As a result our account was frozen so we could not receive any donations until it was determined that we were also a victim. The important thing to remember here is that the issue is not with PayPal, they are actually a victim as well because they now have to check our account and probably several others as a result of these fraudulent transactions. The problem is a number of people have had their personal information stolen and used to target us in an attempt to discredit what CastleCops and its volunteers do.

Until this happened to us I had never heard of anyone being targeted as the recipient of fraudulent charges. Given it has happened I hope other organizations which fight against Criminal activity on the Net might want to take a look at their accounts to ensure the current transactions are legitimate. If any of them find transactions which aren’t they are free to contact me if they would like some help in getting their accounts resolved.

The point of this article is to address what you as consumers can do if you find your information is being used for fraudulent charges. To begin with please don’t assume that the people who received the payment are involved with the fraud, they are probably also a victim. If you try to work with them rather then cussing them out, sending hate mail etc you will probably get a lot further. Next contact your bank, credit card company, PayPal etc to tell them you did not authorize the transaction, so an investigation will be started on their end. If you get any new information (police report number etc) keep them informed. Call up your local Police Department and tell them you need to file a Police report. Having a police report filed will allow you to extend the normal 90 day fraud alert to a 7 year fraud alert. Often the Police will come out to wherever you are so you don’t need to make a trip to them. It will probably take a day or so to get the report number. Do not wait for the report number get on the phone with one of the credit reporting agencies and have a fraud alert put on. You can tell them you have filed a Police report and are waiting for the number. They will share the information about the fraud alert with the other credit bureaus so you don’t need to call each one. Be sure to update them with the report number once you get it. It is entirely possible that your information has been compromised due to malicious software on your computer or through phishing. Please ensure your Anti-Virus is up to date, keeping a 3 year old copy of a piece of trial software as your AV is asking for some serious trouble. Please either post a HJT log in one of the only help forums, or take your system into a computer shop to have them look at it to ensure there are no keyloggers, rootkits or other nasty code lurking in the hidden regions of your system. If it is going to take you some time to clean your system either use someone else’s which you know is clean or ask your bank, credit card company etc to change your login information for you. If you suspect it might have been through phishing and you have the email still, please send it to PIRT.

• Don’t assume
• Contact the financial institution involved.
• File a police report
• Get a fraud alert
• Check your system

If the people who received the money are not involved with the fraud, I’m certain they will have no problem with issuing a credit. It may take several days. In our case some of the transactions were refunded directly and some of them are going through the process of the PayPal investigation. In all cases I hope that if PayPal or Law Enforcement contacts the people who have been victimized they will talk to them. They need to talk you to in order to catch the miscreants behind the fraud. Silence is a criminal’s friend.