“When I called the next day to check in, my father said that the retailer was running into issues refunding the money for the unauthorized purchase on his account. The fraud department wanted him to purchase a VISA gift card that they could load the money on to send him his refund faster.
At this point, it was clear my father was an active victim of fraud.”
Day 1: It began with a text from my father saying there were some unauthorized charges on a retail website and on one of his credit cards, but he assured me he was handling it. When we spoke several hours later, he told me he had been working with the fraud department at the online retailer all day and they were helping him with all his accounts. I questioned why they were helping with all his accounts instead of just the account he had with them, but he assured me everything was OK, and the customer service person was super helpful.
Day 2: When I called the next day to check in, my father said that the retailer was running into issues refunding the money for the unauthorized purchase on his account. The fraud department wanted him to purchase a VISA gift card that they could load the money on to send him his refund faster.
At this point, it was clear my father was an active victim of fraud. We would later learn that the “super guy” in the “fraud department” he had spoken with for two days and more than six hours was quietly stealing his money and identity, while remotely logged into my father’s own computer.
Days 3-15: The entry point for the thieves was an email my father received confirming an expensive order from a major online retailer. In the middle of the email in red letters were the words, “If this is not your order, call 800-XXX-XXX.”
The email was a fraud ploy known as a phishing email. When my father called the 800 number, it was answered by a very nice man who said his name was Jeremy. “Jeremy” was a thief. It took some time to learn the full extent of what had been compromised, but it became clear that the risk was significant. Our first steps were to stop more damage from occurring by making critical contacts.
We contacted every bank, broker, and credit card company to let them know there was active fraud and to put protections in place. During this process, we were able to identify additional breaches of my father’s accounts.
We contacted the three credit bureaus and placed both Fraud Alerts and Credit Freezes on his records. The credit freeze prevents anyone from opening a new credit account without specific authorization from you.
We contacted the local police and filed a police report. There is little that local police can do, but taking this step shows due diligence when reporting fraudulent charges to your bank or credit card companies.
We changed the usernames and passwords on all accounts at risk for financial fraud.
Over the next two weeks, my father and I worked together in person for more than 80 hours to document and secure my father’s financial life. We both learned a lot that I hope will save you from becoming a victim of fraud and identity theft.
You can be too trusting
Whether it is an email, a phone call or a text, never respond to an unsolicited communication about a bank account, credit card or retail purchase. Instead, log into your account independently and check for activity or call customer service using a number from a source that you can verify is legitimate.
If my father had called either the retailer or his credit card company directly, he would have discovered the email was fraudulent.
Enable two-factor authentication
Most financial websites now let you choose two-factor authentication, a feature that sends a code by email, text or voice to your cell phone which you must enter each time you attempt to log into your account. It is an extra step, but it serves two purposes; it verifies that you are the person logging into your account, and it means you will be notified if someone other than you is trying to log into one of your accounts.
Strong passwords stored securely
The thieves were able to gain access to my father’s accounts because he had saved his passwords automatically in his web browser — a default option in many browsers. It makes life easy for us, but once the thief had access to his browser, he had access to everything. Always use unique and strong passwords and store them securely.
Disable obsolete accounts
If you don’t use a credit card anymore, you might want to consider cancelling it. Same goes for old email accounts. The thieves used an old email account of my father’s that he no longer used, which allowed them to make online purchases — like digital gift cards worth thousands of dollars — and have them delivered right to his own email. That rendered the transactions untraceable, and he never knew it was happening.
Finally, some good news!
We ended up creating a master document that captured all the information on my father’s financial and digital life. Each account has its own page, and we included every bank and credit account, regular bills like utilities, insurance and so on.
In addition to usernames and logins, for bills we included when they were due, how they were paid, and other important details. We also created pages for social media accounts.
In the end, we documented 37 accounts. We made three copies (in addition to a password-protected digital version), and my father, brother and I each have one that is kept secure. It means that if something should happen to my father, my brother or I can immediately manage his affairs, or just assist him if he needs some help as he ages.
He calls his notebook the best gift he has received in a long time.