Well, yesterday I got scammed. It happened. More specifically, I was a victim of fraud, and it was not my fault, but the way the scammers did this was very interesting. I've never seen anything like this before, so I figured it would be good to make a video about it, because I didn't do anything; it was all on the scammers' part. So this would be a good thing to look out for in the future, and also be interesting to know how some of these scammers work.

So the story begins yesterday, when I was working on a video that was going to be released today and is obviously now delayed. But I look at my phone and I see that a couple minutes ago I received a text message that said a number "is your Shop Pay code from" and then a name that I've never seen before. It was a store name. So my first thought was, well, that's weird, I did not place this order; clearly someone must be trying to use some of my info to make an order. And it was clearly a Shopify platform code, because I could see that in the text message history there were other text messages from other Shopify stores. If you're not familiar, Shopify is basically a platform where pretty much anyone can set up a store, and then they kind of do all the backend stuff, including some of this text message stuff. So I'm like, well, I'm not, I'm not going to enter this code anywhere.

But here's the problem: I then see that there was actually a notification from my credit card app saying that a $399 charge has gone through from that same company name that I've never heard of. This really concerned me and confused me, because I was not sure how they were able to put this order through if they did not have this code that was sent to me, this two-factor authentication code. I mean, credit cards get stolen, whatever, people place fraudulent orders, but how were they able to get through this code? That is the main thing that concerned me. So next I go to check my email to see if there's any kind of order confirmation. Sure enough, there is an order confirmation from this same
website, and I look and it's the typical Shopify-type order confirmation page, and in Gmail I can see that it actually does say it was sent via Shopify, so it is a Shopify store. I'm looking at this and I click on "view my order" to see some more info about it. Now keep in mind, normally I would never click on a link in one of these suspicious emails from a supposed order confirmation, in case it was phishing. But seeing as it was Shopify, from Gmail that said that, and the credit card charge literally already went through, I'm thinking it's a fraudulent charge but the order confirmation is probably legit.

So I click on the view order page. I see that they ordered some dumb stroller. I did not buy a stroller for $399. And weirdly enough, on the order confirmation page all my information is correct: the shipping address, the billing address, the email address is all correct. They had all that info. So at this point I'm even more confused, because if they were trying to scam and buy something for themselves, they wouldn't put in my shipping address.

So I go and actually Google this website, the name of it, and there's like two search results for it. There's just the website itself and then a couple of domain registrar websites that just kind of list out a million domains, so there's no actual real search results for this appearing anywhere on the web. And the website itself is extremely sketchy. It's very bare-bones. There's like a couple strollers on here, and the title is just "infant baby stroller for newborn and toddler." Like, they clearly put no effort into this. I'm thinking this is a fake set-up website, and you could even see on one of the pictures there's like random Chinese writing, which is even more sketchy. So to confirm my suspicions, I look up the Whois record for the domain, which is like, you can look up for any website info, including when the domain was created, and sure enough, this domain was created just a few days ago. So clearly this is telling me that this site was set up as a scam in
itself, and probably the people who placed this order fraudulently are the same people who own the site. That's why they didn't care if the shipping name was the same, because they were never going to ship anything out. They just want the order and the money to go through, and then they'll collect it on the other side.

So obviously I call my credit card company. I tell them I didn't place this order, someone must have stolen my card. So they refund the order to do an investigation, they cancel the card, they send me a new one. But the main thing concerning me is still that two-factor authentication code that they never got. And I know it wasn't some sort of SIM swap, because I never lost cell signal. Usually if someone steals your SIM card, then you lose the cell signal and it gets transferred to them. That never happened, I never lost that, so they didn't have the text message at all.

So I go on Shopify's website, and they are not usually a customer-facing website, so I kind of dig through, I find a customer service number, and I call them and kind of explain: I'm not a store owner, I'm a customer, this is what happened, and I'm kind of trying to figure out why they were able to place this order without the two-factor authentication code. The customer service rep was very understanding, very helpful, and they said they would be launching an investigation, whatever. They emailed me confirmation that they were looking into this, all that. So they took down all the info I gave them, like the name of the website and the order confirmation number, which was literally 1001, so it was literally the first order ever made on that website, a fraudulent order, because they just add a thousand in front of it. They also took down my email address and my shipping info, and that way they could match it up with the other Shopify account on the back end, so they could just have all the info. And obviously they couldn't give any details on the investigation they were gonna do, they
couldn't like confirm anything, but they still took it all down to do the investigation, and they emailed me saying that.

But I do have a final working theory on what happened. It's just a theory, but I'll kind of break down some of the background. So basically the first clue is the text message I got. It said "your Shop Pay code." Now, Shop Pay is a feature in Shopify stores that's optional, and basically it allows someone to type in either their email address or their phone number into the checkout page, and then what happens is it sends a text message to the person who's tied to that account, and if they type that code that they got into the checkout page, it will automatically fill out the rest of the information, like your name, address, whatever, so you don't have to type it in. However, one important detail that the customer service rep mentioned in an email is that the Shop Pay code is actually optional. Even if you get sent the text message, you can still just manually fill out the details, like the name, the shipping address, all the info, and still place the order. And because the scammer was literally running the site and they had control of the backend of it, I assume there's some setting they could change that would allow them to not require a phone number to go along with the order, so they could just type in all the info they had and still allow the order to go through.

I also believe that these scammers probably already had my credit card info and all my other info from some other random data breach, and the reason for this is one strange coincidence that happened earlier this week, which is I got a letter from my credit card company saying that they would be replacing my credit card with the same exact type of credit card, but just a new account. It didn't specifically say that it was because my credit card was stolen or potentially stolen, but it was weird to me because my credit card did not expire until like the end of the year. So I'm like, why are they replacing my
card now if it doesn't expire yet? And it was being replaced with the exact same card; it wasn't like they were upgrading the card to a new type. And also it wasn't like they said, oh, we're cancelling your card or replacing it now. They said you will get a new card in a few weeks, and when you activate it the old one will be deactivated; it'll be a totally new number. What I'm thinking now is the credit card company, whatever fraud detection methods they have at the company, might have either seen my credit card show up in a stolen database, or they were able to somehow flag my credit card number as having been maybe used at the same place where other credit card users had used it and gotten stolen. So either way, somehow my credit card was flagged, and possibly that's why they were replacing it preemptively, even though it wasn't actually used for fraudulent transactions. But then right now, obviously, they were right, and it ended up being actually used before they were able to replace it. Again, that's just a theory, but I think the timing and the coincidence is just too much, and it does make sense.

So knowing all this in context, I think I've come up with a theory on a timeline of events of how all this happened. First, I think my credit card was stolen in some kind of data breach, the reason being the weird coincidence of the credit card company saying they're gonna replace my card for no specific reason. And I do not believe that the vulnerability was in Shopify itself. So I think the credit card was stolen ahead of time. Then the scammers set up a domain specifically to be used to cash out on these credit cards that they probably have stolen, and set up this generic Shopify store, threw on some expensive products, and would use that to order using the credit cards. I definitely believe this is the case because of how recently the domain was set up and how sketchy and generic the website is. It's clearly some boilerplate thing they just threw up there. Then what I believe
happened is they went to enter all my info, my real info, into the checkout page on their site. I believe they used my real info because a lot of fraud checks through Shopify and other credit card processors look for consistencies in billing address, shipping address, email address even, to make sure all the account info lines up. So I believe they had to use all the correct info to make sure that it didn't trigger any fraud warnings to block the transaction.

So if this is all true, what would happen is when they went to enter my email address (I even tested this myself on another legitimate Shopify website), when you enter your email address, if the Shopify back end sees that you have Shopify account info, it actually automatically sends a Shop Pay code to your phone no matter what. There's no selecting to send it; it just automatically sends it. So they probably entered that in, and without a choice it sent a text message to my phone. But here's the key: it's not required to use the code to autofill the page. The code is just an autofill, but they already had it, so they just filled it in themselves, which would explain the 3-minute difference between when I got the text message and when the order actually went through and I got the email.

So it turns out, and this is a fact, what I thought was a two-factor authentication code was more of just a convenience code. It's not required to make the purchase, and they didn't need it because they had all my other info and billing info that they just put in, and were able to place the order by entering it manually. And by the way, I do not believe this is any vulnerability with Shopify itself. If you had entered my correct info and credit card info and shipping address into any website, with all that being correct, the order would have gone through. The reason they had to set up their own site is because they did not intend to ship anything out, and if they had to use my correct shipping address, well, then they weren't going to get anything that they
bought with my card. So they had to set up their own site so the money would go directly to them, and the fact that the text message was sent to me was more of just a side effect of them using Shopify as a platform for this scam.

I just thought this was really interesting because I've never seen this before, where someone would set up an entire website with Shopify just to be able to harvest credit card details, but it makes complete sense. And actually it's kind of dumb for the scammers to be using Shopify, because obviously if they enter a customer's info, then the customer is gonna get a confirmation email with this order, so they can immediately see, oh, I didn't place this order. It's not like they have to look at their credit card statement. So it actually tipped me off earlier than if they would have placed it some other place.

The unfortunate thing is you can't really defend against this type of scam except retroactively, and get refunded from the credit card company, because obviously they could do this anywhere. However, if anyone from Shopify is watching, I do have a major free feature request, which is a two-factor authentication requirement as an optional feature for customers, where on any Shopify site, if you're going to place the order, require that the text message code be entered before the order goes through at all, not just the autofill. That would be awesome. Now, Shopify does have a two-factor authentication feature, but I believe it's only for store owners, not customers. In fact, Shopify doesn't really allow you to access the profile of customers at all. It kind of just gets entered when you place an order and it's all stored in the backend. You can't like log in to Shopify directly and change your order info or mailing address, anything like that. So I wish there was some sort of back-end account where you could do customizations like that for Shopify customers, but until that becomes the case there's really unfortunately no way to defend against this, just like you couldn't any
other kind of credit card fraud. You just have to kind of let your credit card company know if this happens.

In any case, though, hopefully you guys are now aware of this. I thought it was interesting how I believe they did this. But if you want to keep watching, I did make another video recently talking about seven new scams in 2020 to watch out for, so I'll put that link right here if you just want to click on that. So thanks so much for watching, guys, and I'll see you in the next video.
