Walmart ships fraudulent order to hacker’s address, then leaves customer to recoup cost
Alarm bells went off for Bill Tomlinson after he received a strange text message – in French – on February 2 from Walmart Canada. The man from Pelham, Ontario, doesn’t speak French and didn’t order anything.
“I thought, what the hell is this? … oh, something’s wrong,” Tomlinson told Go Public.
He logged into his Walmart.ca account and discovered that fraudsters were using the account and his credit card on file to place orders and ship them to Montreal.
There were four orders, all on the same day. Two were for dumbbells at $500 each, the other two for Apple TVs worth around $250 each.
Walmart had canceled the first three orders on its own, but Tomlinson noticed the last one for an Apple TV had just shipped. He immediately called Walmart to notify the company, expecting the retail giant to refund the order.
Instead, two days later, Tomlinson says Walmart told him the product had been delivered to Montreal and he was on his own to try to collect the money.
“They basically washed their hands of it,” Tomlinson said.
“They said, we can’t do anything more for you. This product was ordered on account, it was paid for by your credit card, it was delivered by us. We did everything we were supposed to do.”
He says Walmart told him he would have to “deal with his bank” to see if that would reverse the charge.
Independent financial fraud expert Vanessa Iafolla says she receives several calls a week from people seeking advice on how to recoup their losses after being defrauded online.
“Any company that is going to offer online retail services and make them available to customers or customers to create accounts is responsible for protecting the security of that account,” Iafolla said.
“I think Walmart is really dropping the ball on this.”
“More than a chance to stop the order”
When Tomlinson first called Walmart, he was told that the company’s fraud detection system had detected the first three orders, but not the fourth, and that he needed to look into things before taking action.
Tomlinson doesn’t understand the delay, since all of the fraudulent orders were placed on the same day for the same products, and the company already knew the first three were problematic.
He also wants to know why Walmart didn’t stop delivery after he reported the fraud. Failing those two things, Tomlinson says the company should have refunded the charge without hassle.
“They had more than a chance to stop the order,” Tomlinson said.
“They should have admitted they had enough time to fix the problem and they didn’t.”
Walmart didn’t say whether it followed up with the Montreal address where the Apple TV was delivered to see who lives there or why its systems failed to flag the fraudulent fourth order.
Go Public wanted to visit the location, but after Tomlinson asked Walmart to lock his account, he was unable to access the address and Walmart did not provide details.
The company told Go Public “there was no breach” of its systems and that Tomlinson’s account was taken over by “a bad actor [who] gained access via client login credentials that were compromised at some point prior to the transactions.”
He said he does not know when or how those credentials were compromised.
How fraudsters gain access to online accounts
The number of “account takeovers” – a term for what happened to Tomlinson – has increased over the past six months, according to Kimberly Sutherland, vice president of fraud and identity strategy for LexisNexis Risk Solutions, a company that works with government and businesses to combat online fraud.
A company report, titled The True Cost of Fraud, found that Canadian retailers, in general, do poorly in preventing fraudulent attacks.
In 2021, e-commerce retailers surveyed said they prevented about 4,860 attacks, but failed to stop about 4,800 others.
The report also suggests fraudulent online and mobile attacks against retailers appear to be increasing since the start of the pandemic, up 45% in Canada from 2020 to 2021.
The report is based on a survey of 1,118 risk and fraud managers (145 Canadian, 973 American) at small, medium and large retail and e-commerce companies.
Sutherland says fraudsters obtain passwords and credentials from websites that are compromised and then reuse them on other sites to see if they work, or they use malware that quickly generates common username and password combinations to access accounts.
“One of the big challenges with online accounts is that people tend to use the same username and password combinations in multiple accounts. So if one is compromised, many can end up being compromised,” she said.
Her advice to online shoppers:
- Delete online accounts you no longer use, including accounts for individuals and government programs.
- Use strong passwords and change them frequently.
- Do not use the same username and passwords for multiple accounts.
- Use the strongest authentication methods available, such as two-factor authentication, which often requires a code sent by SMS or other means in addition to a password to access the account.
Inside Walmart’s Cyberattack Problems
While Walmart says Tomlinson’s problem was caused by compromised credentials — not a cyberattack — Sutherland says businesses at all levels face such attacks on a regular basis.
Walmart’s 2021 annual report says the company’s websites and applications are “regularly subjected to cyberattacks,” which include “attempts to gain unauthorized access…to obtain and misuse customer or member information, including payment information”.
Similar to the LexisNexis survey, Walmart’s report says the pandemic has made matters even worse.
With more work done remotely, some of Walmart’s “service and third-party service provider systems” have had “limited security breaches.” Although these had little impact on operations, according to the report, “there can be no assurance of a similar outcome in the future”.
As for Tomlinson, he got his money back. After Go Public contacted Walmart, the company refunded the cost of the Apple TV as a show of goodwill, he says.
He’s happy to have his money back, but is still deciding whether to shop on Walmart’s website or app again.
Go Public is an investigative news segment on CBC television, radio and the web.