
Yep. It happened. I’ve been buying most of the stuff I own online for at least five years now. I am cautious about who I do business with and where I buy, but I buy something online every week and have never had any problems — until last week. It was an old, established account that got my money (so to speak) and it was my own fault that it happened.
Let me first say I absolutely believe it is safe to buy online. I actually think it’s more of a danger to hand over your credit card to a server who walks away with your card to some dark corner of a restaurant, than it is to use a credit card online. Which, by the way, is how credit card fraud happened to me a few years ago — but that’s a story for another day.
So, let’s talk about what happened last week. My email notifier popped up on my phone and when I went to check it, I had seven order receipts from my PayPal account.
No one but me uses that account so I knew there was something wrong. When I opened the emails, I nearly got sick to my stomach. The receipts were for purchases at the iTunes store and all told amounted to just shy of $300. The really bad part of this is that I keep a minimum amount of funds in my PayPal account — typically less than $200 — so the orders had begun to draw from my bank account (the backup funding source to my PayPal account). It would have been easy to panic.
But I didn’t.
The first thing I did was to log in to my iTunes account, change my password, and cancel my iTunes billing agreement (more on this in a minute). Then I did the same thing with my PayPal account. That stopped the flow. It’s amazing what a few tiny characters can do.
Then I had to worry about cleaning up the mess.
I started with iTunes. I couldn’t find an iTunes support phone number so I called the Apple support number. And here’s an irritating practice. Apple doesn’t have a support phone number for iTunes. The only option you have is to enter a support ticket via their online form and they promise a response within 48 hours. Ugh! So I entered the details of my issue in the online form and sent it on its way.
In the meantime, I contacted PayPal phone support. Yes, you can talk to a real live human. Hurray! I was a bit concerned about getting a refund on the fraudulent purchases from iTunes and wasn’t sure if I should initiate an action from my PayPal account or not. The rep (Thanks Amber!) assured me that I surely could do that, either right away or wait until the 48 hours had passed. I decided to wait.
And I waited. And waited. And waited for what seemed like forever. Forty-eight hours passed with no response from iTunes. So I decided to give them one more day.
That did the trick. On the third day of waiting — I got the refund emails from PayPal, that iTunes initiated, a short time before I received their email telling me they were refunding. They were very apologetic about the delay and advised me of steps to take to mitigate fraud issues in the future. (I had already done these — first — see above.)
So all is well and my money was completely refunded. I’m relieved. But there’s a lesson in this story and that’s why I’m telling it to you.
1. Your first line of defense for any of your online accounts is your password. It’s a really bad idea to use a “standard” password on many online accounts. I know this and so do you. But do we practice it? Most of us don’t. I’ve gotten in the habit of using my “standard” password when I first set up an online account, then coming back after it’s established and changing it to a more secure password. That is a bad practice. My iTunes account was three years old and I had never changed it to a secure password. There’s no excuse not to change it except pure laziness (or busyness) since I use a really awesome password manager called RoboForm to help me randomly create secure passwords and keep track of them.
2. Don’t set up one click billing agreements. Technology has made it very easy for all of us to do so much in a single click, we’ve gotten lazy. And that can put your finances in jeopardy, just like it did mine. When I think about the possibilities that didn’t happen — what if the purchases had occurred in the middle of the night and subsequently cleaned out my bank account along with triggering all sorts of other charges? The damage could have been several thousand dollars, not a few hundred. It just makes me cringe. I was really lucky. So even though you can set up one click ordering on web sites like iTunes, it doesn’t mean you should. Forward think the possibilities of what could happen if your account is compromised. Then decide what to do. If the possibilities aren’t pretty, then don’t do it. I know I won’t.
3. Change your critical passwords on a regular basis. I’m planning on changing my passwords every time the time changes just like I do my smoke alarm batteries. More frequent would even be better, but at least it’s a start.
There you go. That’s my story about online credit card fraud. There are many other measures you’ll want to take to avoid fraud, such as shredding sensitive documents and reviewing your billing statements each month. You can get a lot of assistance from your credit card company too. For instance, American Express is a popular small business credit card in part because of their dispute resolution services — which are excellent (and I speak from experience!). It’s the only card I use in my business.
And don’t forget, you can control what happens to you with a few simple keys by making sure you have a secure password. I’ll certainly be more diligent about it now and leverage the excellent password manager I have at my fingertips.

Hi Denise
Thanks for the great reminder! So sorry to hear that happened to you – but am really glad to know it worked out okay in the end.
Anything linking to your business bank account – debit cards, PayPal account, autopays – can be especially scary because those accounts don’t fall under the same protective rules that apply to personal accounts. So, it pays to be even more vigilant in those cases!
Thanks Trish. Yes, that’s what really alarmed me. It’s really important to make sure we don’t inadvertently put ourselves at risk. I appreciate you stopping by to leave your thoughts.
Your experience seems to highlight an important concept – it’s not a matter of if something bad will happen but when. The important thing is to be flexible and react quickly and effectively which you did. I like your example of feeling safer providing your credit card online compared to a restaurant server. I believe most people probably feel a false sense of security with offline transactions, when in many instances they are not as safe as online – your point is certainly valid!
John — I agree with you on the “when.” As technology and people get smarter, I think we need to be even more vigilant about how we conduct business online. I won’t stop buying though, it’s a way of life for me. And yes, I do believe our risk is higher at giving someone our credit card and letting them walk away. Thanks so much for taking the time to regularly engage here. I appreciate your comments and that you RT the posts on Twitter.
Looks like it’s happening to quite a few people. Be safe out there! Here’s the link to the TechCrunch story – http://techcrunch.com/2010/08/23/paypal-itunes-fraud/
Hi Denise – I agree, I like to shop online as well and will not quit anytime soon, if ever, it’s just a matter of keeping on top of things. Glad to become a regular reader and commenter – thank you for your responses as well as the recent follow on Twitter. I look forward to reading more of your articles over time!
Same to you John! BTW — this iTunes+PayPal issue has become pretty huge. Looks like I was really lucky.
I found an interesting article in the NY Times which seemed relevant to our discussion here. It appears that online crime such as identity theft and in some instances spam flourishes and is in some cases embraced in Russia. This was brought to light by a recent arrest of a high profile hacker by the US. Here’s the link for more info: http://nyti.ms/cmDZ8t
Wow sorry that happened to you and thanks for linking to it, you definitely made me think. The first thing I thought of is Facebook ads. I think it’s the only account that I let automatically withdraw from my PayPal (oh wait, so can GoDaddy) and how many people get their Facebook accounts hacked?! Probably not that hard (though I don’t give games, etc, permission to use my account).
I’ll be checking my payment subscriptions right away. Thanks for the warning.
Thanks for stopping by Angela and for leaving your thoughts. Yes, it is way too easy to buy stuff from some websites. And if we use the “easy pay” options, we can easily expose ourselves to fraud. It’s a bit of a hassle to enter payment info every time, but it sure eases my mind when it comes to the possibility of fraud.