You just found out your credit or debit card info has been used by someone else to make a fraudulent purchase. There are so many different people you can call, each involved in some aspect of this theft. There’s your bank that issued the card, the credit card network the issuer uses for that card, the retailer or website that processed the payment, the police, the FBI… Do you need to call all of these or just one or two? What if you think your incident might be a sign of a larger breach?
Recently, a couple of Consumerist readers wrote in to share experiences with online fraud — an experience familiar to many, but still upsetting every time it happens to you.
Cyber Crime Woes
In the first case, reader Peter paid a parking meter near his local Target store using a credit card that he’d otherwise used exclusively at the retailer. He also use the card to make a purchase inside the store. Later that day, he noticed fraudulent online purchases pending on this account, including one at Target.com.
He alerted his bank, Wells Fargo, and they took care of it on their end, but it made him wonder if Target had been compromised, considering the perpetrators would have needed access to the CVV number (that three-digit number printed on the back of the card) and the billing address on file with the company.
Another reader, Ken, had similar concerns about a larger breach when his Walmart-branded card was used to try to purchase two expensive smartphones using the information stored in his Sam’s Club account.
Ken only became aware of the issue when he was notified by email that Sam’s Club had canceled the first of two orders because the item was out of stock. His card wasn’t successfully charged as a result.
He too, was worried that Sam’s Club had suffered a data breach, possibly exposing his personal information. But when he brought his concerns to the company, he says they would only provide a mailing address to communicate with the corporate office.
So Was There A Breach?
We spoke with reps for both Target and Sam’s Club, who each claimed that these incidents were not indicative of a larger data breach.
A Sam’s Club spokeswoman said that situations like Ken’s “are usually a result a customer’s username and password being acquired by a third party in ways unrelated to Walmart or Sam’s Club, for example through phishing, malware or a breach of another company’s system.”
Who Do You Notify First?
Peter did the right thing by contacting his bank about the unauthorized transactions, according to Will Bales, a special agent in the Federal Bureau of Investigation’s Cyber Division. He told Consumerist that people with compromised cards should first contact the bank or financial institution that issued their card to ensure they won’t be liable for any fraudulent activity.
And do it quickly. While the law limits consumers’ liability on fraudulent credit and debit card transactions, the card issuer must be told immediately. Waiting more than few days to report a fraudulent debit card transaction can significantly increase the amount of the fraud you’re liable for.
Target and Sam’s Club agree.
“If a guest suspects fraudulent purchases, he or she should immediately report it to the card-issuing bank,” a Target spokeswoman told Consumerist. “It is the responsibility of the credit card company to investigate any case of a potential fraudulent purchase. Target fully cooperates with these types of investigations and provides all requested documentation.”
The Sam’s Club spokeswoman also urged members to file a dispute with their financial institution as well, adding, “We can also work with the member to provide a copy of the receipt of any transactional details needed to dispute the charges.”
Should I Tell The FBI?
After you’ve squared things away with your bank, you can also bring the issue to the attention to any retailers involved, though they will likely point you, again, toward your banking or financial institution, and may offer other advice like changing your password.
Bales suggests wronged consumers should also file a complaint with the FBI’s Internet Crimes Complaint Center, known as IC3.
Once a complaint has been submitted, what happens next depends on what kind of information the FBI receives, Bales explains, but don’t expect to turn on the news in two days and see an FBI strike force knocking down the doors of the ID thieves who used your card info to buy a pizza.
“In an ideal world we’d like to hit the ground running as quickly as we can, but due to the statutes and our legal system, we like to get several similar cases that we may believe to be the same subject behind the fraud,” Bales tells Consumerist. “With multiple complaints we develop a better picture and a better understanding, that will further our investigation.”
Consumers can also file a police report if they have local law enforcement they’re comfortable working with, Bales suggests. Local police will have information gathered on some of these cases, and the FBI often works with departments on bigger schemes that are out there, “so we can bring down the groups that have been doing this, whether in individual cities or on a nationwide basis,” he says.
There’s the option of calling up your local FBI field office as well, so you can speak with a human being on the phone, Bales notes, promising that there are people ready to listen.
“We understand the frustration that some people feel whether they’ve lost $30 or $3,000,” he says. “Sometimes they don’t feel that justice is acting quite as quickly as they’d like, but we’re perfectly fine with them inquiring,” and if possible, let them know authorities are conducting a larger investigation.
But Will My One Complaint Even Matter?
Given the size of some data breaches, affecting more than 100 million people in certain cases, you might think one little complaint against a stranger won’t change anything or identify a larger breach, but you’d be wrong, Bales says.
“Sometimes you don’t know something is a problem until you start seeing that bigger picture,” he says. “We start seeing, ‘Wait a second, these are all connected!’ — and by all we’re talking about hundreds or maybe thousands of complaints… That leads us to start asking some different questions.”
Oftentimes companies will contact the FBI themselves after they’ve done their due diligence, so when it comes to identifying big breaches, “it’s a little bit of both.”
When To Take Extra Steps
Christina Tetreault, staff attorney for Consumers Union, says as long as it’s just your payment information that’s been compromised — and not a breach that involves more personally identifying information like your Social Security number or date of birth — you shouldn’t suffer financially in these cases.
“Thanks to strong protections under federal law, your financial losses due to fraud on a credit or debit card are limited. Moreover, if just the card number was stolen, your larger exposure to fraud is pretty limited,” she explains. “As long as you take some simple steps to make sure your bank knows, get another card, and watch your other accounts, then you’re pretty much covered.”
She warns consumers against paying any company that offers to protect your identity in these situations.
“Identity theft protection companies sell the idea that their services will protect you when your payment card info has been compromised,” she points out. “Generally, most identity theft monitoring protects against new account fraud. That’s when crooks open a new account in your name. That’s not a danger if only your payment card numbers were stolen. Your risk then is fraud on your existing accounts. Since it won’t help prevent existing account fraud, it’s probably not a good idea to run out and buy some expensive identity theft protection because you found out your payment card info was comprised.”
However, if scamsters have accessed more personally identifying information, that’s when you should take additional steps to protect yourself from identity theft, like initiating a security freeze to prevent fraudsters from opening accounts in your name. To that end, Consumers Union has a great checklist of what to do in those situations.
Precaution Is Important
Bales emphasizes the role precaution can have in avoiding such situations in the first place, noting that consumers should be suspicious — “don’t just swipe your card at anything that has a card swipe to it,” for example — and update your card if possible.
“If there’s a chance you can update your card to a newer technology, update your card — that will help you out,” Bales advises.
Tetreault adds that there are some easy ways you can protect your personal information to keep fraudsters from accessing things they shouldn’t.
“Crooks are getting more and more sophisticated, so taking steps to secure your information is good practice,” she advises. “That means, always use good data security hygiene: safeguard your computers and mobile devices with passwords, shred documents with your personal information, consider a security freeze for your credit reports, and take whatever additional steps you can to keep your personal information private.”
Was this helpful? We’re a non-profit! You can get more stories like this in our twice weekly ad-free newsletter! Click here to sign up.