I was at my desk the other day when my phone buzzed out a warning: My credit card had just been charged $1.
No such dollar had been spent by me, but I didn’t think much of the notification. Typically, such unexpected charges have perfectly legitimate explanations given my various subscriptions and recurring monthly charges, all of which come at different and unexpected times.
A few seconds later, however, came another buzz, and another charge I didn’t make. This one got my attention: $2,500.
Now, I am the kind of person who sweats every cent of losses in a $3 stock market investment, but at this point I was more confused than concerned. Even though I’ve never spent $2,500 in a single purchase, I assumed there was some kind of innocent explanation. Perhaps this was a new feature my credit card app was trying out, alerting me that my latest bill was available or paid or something, and I had simply misread it as a charge.
I reached for my phone, and it was as though I had pulled a fish out of water. Vibrations came incessantly, a seemingly unstoppable stream of notifications that nearly buzzed it right out of my grip.
They were still coming through as I dialed MasterCard’s fraud line, building to what was evidently my hacker’s grand finale: a $5,000 double whammy of a charge. It was at this point that MasterCard’s internal security mechanisms flagged my card and suspended the account, although a few of these charges likely couldn’t have gone through, as they would have busted past my credit limit.
$15,001. That was the staggering total attempted. It would typically take me three or four months to accrue that kind of bill; this jerk did it in seven minutes.
So what did this thief spend a hefty chunk of my annual salary on? Did he (or she) buy a first-class ticket to Hawaii? A gold Rolex? Fifteen shares of Amazon? Nothing so exciting. Nope, he (or she) blew the entire wad on American Girl dolls. You know, these things.
To MasterCard’s credit, they quickly verified the charges were fake and removed them from my account. It was, admittedly, a little embarrassing to have to insist that, yes, I was positive I wasn’t spending $15,001 on dolls, but yes, those liquor store and bar charges were legitimate, but outside the inconvenience of being without a card for a few days while a new one was shipped to me, it was a fairly painless experience.
I was struck, however, by both the size of the fraud and by the thief’s peculiar choice of vendor. I’ve had my card hacked twice before, and on both occasions the expenses were a bit more logical, as far as these things go. Back in 2007 some idiot on the other side of the country got a tank of gas on me, using a fake card, and in 2013 some goober went on a fast-food spree on my account, calling attention to their activity by hitting up McDonald’s, Walgreens, and Dunkin’ Donuts twice, all in a 15-minute period. In sorting this all out, the credit card representative and I commiserated about how we were missing the “Breaking Bad” finale.
Both of those frauds were far more typical. According to Kyle Marchini, an analyst at Javelin Strategy & Research, which focuses on identity-theft issues, the average amount for a fraud in 2016 was $961. That’d be a hard pill to swallow, but it was a fraction of what happened to me.
“Many factors can influence the actual fraud loss, up- or downward, including the sophistication of the fraud ring, the fraud controls in place at the targeted merchant and card issuer, as well as how quickly the fraud is detected,” Marchini said.
In my case, said Ben Colvin, a senior vice president for North American enterprise security solutions at MasterCard, what likely happened was that someone somewhere, somehow, got hold of my information and used it in what is called “synthetic fraud,” or a “bot attack.”
“Someone will make a trial transaction” — the initial $1 charge — “and once they see that the card works and that they can get away with it, they will do multiple ones and do it rapidly,” he explained.
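The trial-then-burst pattern Colvin describes can be screened for on the issuer side. The sketch below is an added example, not MasterCard's logic or anything from the original reporting; the thresholds, field names and sample charges are constructed assumptions, with the fraudulent card's charges chosen to add up to the $15,001 attempted.

```python
from datetime import datetime, timedelta

# Assumed thresholds for illustration; a real issuer tunes these per portfolio.
PROBE_MAX = 5.00                 # charges at or below this count as a possible trial
WINDOW = timedelta(minutes=10)   # how long after a trial the card is watched
MIN_CHARGES = 2                  # large charges after the trial before acting
MIN_TOTAL = 1000.00              # combined value of those charges before acting

def screen(transactions):
    """Replay charges in time order; return (approved, declined, alerts)."""
    state, approved, declined, alerts = {}, [], [], []
    for tx in sorted(transactions, key=lambda t: t["time"]):
        s = state.setdefault(tx["card"],
                             {"probe": None, "count": 0, "total": 0.0, "held": False})
        if s["held"]:                       # card already suspended
            declined.append(tx)
            continue
        if tx["amount"] <= PROBE_MAX:       # possible trial: start a fresh watch
            s.update(probe=tx["time"], count=0, total=0.0)
        elif s["probe"] is not None and tx["time"] - s["probe"] <= WINDOW:
            s["count"] += 1
            s["total"] += tx["amount"]
            if s["count"] >= MIN_CHARGES and s["total"] >= MIN_TOTAL:
                s["held"] = True            # suspend and notify the cardholder
                alerts.append({"card": tx["card"], "time": tx["time"]})
                declined.append(tx)
                continue
        approved.append(tx)
    return approved, declined, alerts

def _tx(card, hhmm, amount, merchant):
    t = datetime.strptime("2017-01-01 " + hhmm, "%Y-%m-%d %H:%M")  # constructed date
    return {"card": card, "time": t, "amount": amount, "merchant": merchant}

# Constructed sample data: card A follows the trial-then-burst pattern,
# card B has a $1 authorization followed by ordinary small purchases.
SAMPLE = [
    _tx("A", "14:00", 1.00, "doll-store"),
    _tx("A", "14:02", 2500.00, "doll-store"),
    _tx("A", "14:03", 2500.00, "doll-store"),
    _tx("A", "14:05", 5000.00, "doll-store"),
    _tx("A", "14:07", 5000.00, "doll-store"),
    _tx("B", "09:00", 1.00, "streaming-trial"),
    _tx("B", "09:03", 42.17, "grocery"),
    _tx("B", "09:05", 18.50, "pharmacy"),
]

if __name__ == "__main__":
    ok, blocked, alerts = screen(SAMPLE)
    print("approved:", sum(t["amount"] for t in ok if t["card"] == "A"))
    print("declined:", [t["amount"] for t in blocked], "alerts:", alerts)
```

On this sample the rule suspends card A at the second large charge, so $2,501 is approved and the remaining $12,500 is declined, while card B's $1 authorization and small purchases pass untouched.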
My initial thought was that the culprit was a bartender at a place I had been to the weekend before this all happened. She had requested both my driver’s license and my card when I opened a tab, and while this isn’t uncommon, it struck me that the two items had all the necessary information for a scam: Not only the card number, expiration date, and security code, but also my (billing) address.
Colvin downplayed this possibility, however. “There are so many ways to get information,” he said. “They could have pulled the number from one place, your social security number from another, and once they parse it together they can use it or sell it to someone on the dark web.” He noted that a number of high-profile hacks, including at Yahoo Inc. and many others, had made vulnerable the information of literally hundreds of millions of consumers. In all likelihood, I was swept up in their ranks; according to Javelin, a record 15.4 million Americans were victims of identity fraud in 2016, an increase of 16% over the prior year.
Technology has reduced some of these risks. “Card present” fraud, where the thief uses a counterfeit card (as happened to me in 2007), used to be the most common form, accounting for $32 billion in false charges, according to Colvin. However, the introduction of “chip” cards that you insert rather than swipe curtailed this approach. “Now we’re starting to see fraud move online,” he said, recommending that users do what I did and set their accounts so that they’re notified on any activity. Alerting them promptly, he said, means a better chance that charges won’t go through.
Regardless of how my information was obtained, I continued to be mystified by how all the charges were at American Girl. I knew its products were something of a luxury item (dolls go for about $115 a pop, whereas Barbies can be had for $6.99), but I never would have guessed it was a major stall in the black market.
And apparently it isn’t. According to Julie Parks, an American Girl spokesperson, the company’s fraud rate is less than 1%.
“While American Girl is not typically thought of as a high-profile fraud target, gift cards have always been popular merchandise for fraudsters due to their high resale value,” Javelin’s Marchini told me. “The availability of in-store gift-card redemption kiosks and online resale markets has made it fairly straightforward to cash out fraudulently purchased gift cards at near-face-value.” He added that digital-goods merchants lose 8.6% of their annual revenue to fraud “between direct losses, foregone sales due to false positive, and fraud management expenses.”
Parks declined to speak to the specifics of my case but said that if the company is alerted to fraudulent purchases by a bank or credit card company in time, it would cancel the order or recall the product if it was already shipped out. In the case of e-cards or gift cards — as my expenses seemed to be, given the charges were all round numbers — the card would be voided and flagged if someone tried to use it.
That means despite all the Sturm und Drang of what happened to me, it’s likely that no one got anything out of me. However, if you’re a MarketWatch-loving kid who just received 130 American Girl dolls, I’m the one you should be thanking.