Scammers used my email address & spoofed the FBI IC3 website

Today's newsletter covers Scammers used my email for credit card fraud & Scammers are spoofing the FBI IC3 website.

In this issue:

  • Scammers used my email for credit card fraud!

  • Scammers spoofing the FBI IC3 website

  • Data breaches this week

Scammers used my email for credit card fraud!

Let me start right away with stating my email itself was not hacked. However, one of my email addresses was definitely used by a criminal and I'm not happy about it.

Here's what happened.

Saturday afternoon I was working on my computer and went to check my email. I received an email around 1:30 pm saying "Welcome to Walmart!". This was in my very private email account that I never use for purchases and only use for personal communications.

My email also said I placed an order and then canceled it right away. This wasn't me.

When I saw the emails around 2pm, I checked my password manager and my current Walmart account uses a different email address. I immediately went to the Walmart.com site and had it send me a one-time-passcode (OTP) to that very private email address.

When I logged in, I saw the account had my name (but it wasn't my legal name), my private email address, but someone else's delivery address and the last four digits of a cell number (not mine) and a credit card (also not mine).

It wouldn't let me change the password or phone number, so I deleted the Walmart account. I looked online and read there were others that had something similar happen over the years.

For a few minutes I thought, "maybe this was innocent and someone had an email address similar to mine." Then I thought, "maybe my email was compromised," so I also changed my email password to something impossible for them to recreate. Since it was a Google email account I also went into the Google security settings to remove the third-party connections (those connections are created when you use your Google account to log in to other sites) in case one of those connections was compromised.

Along with removing the third-party connections, I disconnected all the other devices (such as my Amazon Kindle where I watch Google's YouTube) because there were a few I wasn't sure about but I think they were all my devices.

Then a few hours later I received another set of emails with a new Walmart account, a new purchase, and a canceled order. I went back in and deleted the account AGAIN.

I knew this time it wasn't my email that was compromised.

I tried to create a Walmart account on my own using that same email address but it won't let me, probably because it triggered a fraud alert in Walmart's systems. I tried to create a new account a few times yesterday and today, but still can't. I hope it's permanently disallowed.

I figured out the criminal's scam. Credit card fraud. Not mine, but someone else's.

I'm very certain that they had gotten a hold of someone's credit cards and address. This was confirmed when I saw they had loaded two credit cards on the new Walmart account. No one opens a brand new account and immediately loads two credit cards.

When a criminal gets a hold of a stolen credit card number, they usually try to buy something to verify it's active. Sometimes they do this in person, like at Walmart or a gas station. When we've had our credit cards compromised, that's usually where they went.

In this case, they used the Walmart website because the login is through either an email or phone number. They don't need both to access the system.

I'm guessing the phone number was a burner phone. Why they picked my email address to use, I have no idea but maybe because it's a legitimate name and email. They could have used any other email address and name.

There's nothing Walmart could do for me other than delete the account, which I did for myself. There's also no way to prove that the person was a criminal, but since the mailing addresses, phone numbers, and credit cards were different across the two accounts, I'm positive they were testing how much could be purchased on the cards.

The takeaway is that you should carefully watch your emails for any unusual activity. Nothing happened to me in this situation, but it still irks me that I was "used". Stay alert and stay cyber safe, my friends.

Scammers spoofing the FBI IC3 website

You’d think scammers would steer clear of impersonating the FBI, right? Not a chance. The FBI recently issued a warning that cybercriminals are spoofing the FBI's own Internet Crime Complaint Center (IC3) website—the very place people are supposed to go to report scams. The irony writes itself.

I've written multiple articles that link to the FBI IC3 website so it's important that you know what is real and what is not. Here’s how it works: scammers set up a fake site (known as spoofing) that looks almost identical to the real IC3.gov page. From there, they trick visitors into sharing personal details, downloading malware, or even paying bogus “processing fees.” Because the design looks official and carries the FBI’s name, many people let their guard down.

The real IC3 site is simple: it never asks for money. Some of the spoofing sites used names like ic33 or ic3a with the .gov extension. If you land on a site that looks suspicious, double-check the URL before clicking anything. Better yet, link from my website or type “ic3.gov” directly into your browser instead of relying on links in emails or texts.
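For readers who want to automate the "double-check the URL" step, here is a small Python check. It is an example added to this article, not an FBI or IC3 tool; the function names and sample links are made up for illustration, and requiring https is an assumption of the example. It parses a link and reports whether the host really is ic3.gov, or why it is not.

```python
from urllib.parse import urlsplit

OFFICIAL = "ic3.gov"  # the real IC3 domain named in the article

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_ic3_url(url: str) -> tuple[bool, str]:
    """Return (is_official, reason) for a link that claims to be IC3."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").rstrip(".")
        # Non-ASCII letters (look-alike characters) become xn-- labels here.
        host = host.encode("idna").decode("ascii")
    except ValueError:
        return False, "host cannot be parsed"
    if parts.username is not None:
        return False, "text before '@' is not the site; real host is " + host
    if parts.scheme != "https":
        return False, "not an https link"  # assumption of this example
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return True, "official ic3.gov host"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return False, "internationalized name that may imitate ic3.gov"
    if OFFICIAL in host:
        return False, "ic3.gov appears inside a different domain"
    if edit_distance(".".join(labels[-2:]), OFFICIAL) <= 2:
        return False, "near-miss spelling of ic3.gov"
    return False, "unrelated site"

# Constructed sample links; ic33 and ic3a follow the pattern the article
# describes, and example.net is a placeholder domain.
SAMPLES = ["https://www.ic3.gov/", "https://ic33.gov/", "https://ic3a.gov/",
           "https://ic3.gov.example.net/", "https://ic3.gov@example.net/"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_ic3_url(link))
```

Only the first sample passes. The last two show why spotting "ic3.gov" somewhere in a link is not enough: what counts is the end of the host name, after any "@".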

The fact that scammers are bold enough to copy the FBI’s cybercrime hub is a reminder that no brand—even one with badges and three letters—is immune to spoofing. And in case you are new here, here are my previous articles that reference the FBI:

Data breaches this week

Most of the time these will be companies that you don’t have any personal data with, but scan the names to make sure you aren’t affected.

UK Harrods department store: 430k customer records: Hackers contact Harrods after 430,000 customer records hit by IT breach

ClaimPix insurance claim management: 5.1M files: 5M Records Exposed, Leaking Sensitive Auto Insurance Data

Texas General Land Office: 44k people: Data Breach Hit Texas General Land Office Online System

New York Excelsior Orthopaedics: 395k individuals: Excelsior Orthopaedics Data Breach Lawsuit

University of Iowa Health Care and Home Care: 211k people: Data compromised for 211,000 people with University of Iowa HomeCare

Do you have an idea for a future newsletter? Please reply to this email and let me know.

Thank you so much!

Sincerely,
Cassie Crossley
Founder, Cyber Safe Center
https://www.cybersafecenter.com