Help me figure out the nature of a potential scam/fraud situation?

[Dollar Slice]

NB: I don't need anyone to tell me to go check my credit report, cancel my card, not engage, etc. etc. I'm just really puzzling over this and wondering if someone has some insight as to how it all pieces together (or if it could be a bizarre coincidence).

Stage 1. Back in Jan/Feb of this year I was getting e-mails from a company I'd never done business with - it appeared that someone had fat-fingered their e-mail address and put mine in, instead of theirs. This happens to me occasionally since I have a simple e-mail address (first name last initial @ common email domain.com) with a very common first name. There was a pretty bad security problem at the company's website; when I tried to unsubscribe to the e-mails, clicking the unsub link automatically logged me into their site and showed me this person's full name, phone number, mailing address, order history, last four digits of credit card, etc. I contacted the company several times but eventually got it resolved. Forgot all about it.

Stage 2. Saturday evening (yesterday), I got an e-mail from a person with my first name. I recognize the last name too - it's the person whose information and order history I'd seen back in Stage 1. She is e-mailing because she thinks she may have accidentally signed up for something with my e-mail address (believable, because her e-mail is first name last initial number @ domain.com, and everything is the same as mine except the number). She asks if I can forward her any e-mails I get by accident. I wrote back and explained about the events of Stage 1 and say I haven't gotten anything recently, but is there anything else I should look for? She then tells me she "was filling out some credit card applications for my mother in law" and tells me the MIL's name. This is... weird? Concerning? Maybe she is trying to use her MIL's identity for credit cards and hide it from her husband/MIL? I can't really see how it could involve me, other than the e-mail thing.

Stage 3. Today I happened to log in to one of my credit card accounts to see if I have enough rewards to cash out. There's a $590 charge in there that I'm pretty sure I didn't make (I had to double check and make sure I didn't go shopping in my sleep, since it's a website I buy from on a semi-regular basis and had been on it a few days ago looking at something). Nothing in my account so I guess it's a credit card hack and not an account hack. Called the credit card company, they're issuing a replacement, yadda yadda. This timing seems REALLY suspicious after the events in Stage 2 (I think she must have been e-mailing me within hours of this fraudulent purchase since it was dated yesterday). But... surely if she'd hacked my credit card somehow, she wouldn't be e-mailing me about it!? The account I use on the website where the purchase was made uses a different e-mail address (and a different password) so it would be hard to tie that to my e-mail address that she e-mailed me at.

It's all completely believable as a coincidence, especially with the e-mails I got back in Jan/Feb (I mean, that is a hell of a long con, if it was a setup to make me believe that she would do the same thing now). And yet it's kind of hard to believe that sketchy credit card applications filled out with my e-mail address are somehow unrelated to my credit card being used fraudulently the same day... I mean, what are the odds that two very sketchy credit card things happen simultaneously and are unrelated?

So my question is: can anyone figure out what the hell is going on with this? Is there some way this could all be tied together? Am I being paranoid?

[Zamboni]

I think that Stage 2 is sketchy . . . so don't respond in any way to any further contact from her. If you do get something from a credit card company, do what you did in Stage 1 with the possible addendum that you might want to also forward them her email from Stage 2 if you suspect fraud.

Stage 3 is, unfortunately, run of the mill. I have had to have my Corporate Card reissued twice in the past year, just as an example. The most recent time I'm fairly certain even my PIN got skimmed at a quickie mart during international travel because I am dim am things look different in other countries than what I am used to seeing. It's probably not related to Stages 1 & 2.

[dandarc]

I think that Stage 2 is sketchy . . . so don't respond in any way to any further contact from her. If you do get something from a credit card company, do what you did in Stage 1 with the possible addendum that you might want to also forward them her email from Stage 2 if you suspect fraud.

Stage 3 is, unfortunately, run of the mill. I have had to have my Corporate Card reissued twice in the past year, just as an example. The most recent time I'm fairly certain even my PIN got skimmed at a quickie mart during international travel because I am dim am things look different in other countries than what I am used to seeing. It's probably not related to Stages 1 & 2.

This.  There is no reason to have any further contact with Stage 1 / 2 person - just report it if you have any further reason to suspect fraud.

Stage 3 happens often to many people - a one-off, even if timed with this other strange email, is probably just a coincidence.

[Dollar Slice]

Frankies Girl, I would like to reiterate the first line in my OP. I know what I'm doing, I did not get phished, I do not have a keylogger, and I am not, generally speaking, a dumbass. And I didn't post this looking for the sort of advice you'd give your grandma, which is why I included that disclaimer at the very beginning. :-) I've worked in IT for many years. I'm the one who keeps an office full of idiots from getting infected/phished/etc. I was very careful and very sure about everything I did. I have zero concerns about computer security.

I am also very familiar with the concept of people stealing credit card numbers (between work and home I think I've had it happen 6-7 times).

I posted this to see if anyone could figure out if there is some deeper underlying scam connecting all this that I'm not quite seeing, which would indicate that I've been somehow targeted personally. This may be paranoia - that's why I'm asking. It would seem insane for someone to contact me as they hacked my credit card, but the timing is unnerving me.

[AccidentialMustache]

How was the english on the emails? Most phish if it is broad spectrum is going to be clearly not a native speaker.

I'd say more likely your card got stolen and you got emails, rather than them being related. That might just be because I think we've had a new card for our primary card every year for the past three or four years.

[Dollar Slice]

How was the english on the emails? Most phish if it is broad spectrum is going to be clearly not a native speaker.

The English is perfect and it comes across exactly like a young woman typing a quick note on her phone, complete with "Sent from my iPhone." It doesn't make sense for this to be a 'broad spectrum' phish, though. If it is a scam, it's targeted and written individually. (You'll have to trust me on this as I don't wish to share the entirety of the e-mail; there are names, e-mail addresses, etc.)

[Zamboni]

My other half has a similar thing happen sometimes . . . a woman in California has an email address that is one character different on the common domain, and once in awhile she mistypes it when she buys things or subscribes to things. I would guess that her work email is firstinitiallastname@work.com and she forgets she needs an extra character in the common domain and puts in just firstinitiallastname@common email domain.com. It has been going on for years with no major headaches other than an unwanted confusing email every year or two. Getting to the bottom of the emails by contacting vendors always leads to the same flaky lady, although most vendors will not disclose all of the personal information you were given! We have not made contact with her and she has never contacted us.

So 1&2 could just be annoying coincidence and an honest mistake. The thing about the MIL is weird, but it's possible her MIL is just really tech clueless and can't type (like my mom) and she's helping her out. It seems reasonable to treat it that way since you have all precautions in place.

If you keep doing your due diligence, then 3 shouldn't be a big concern. The overall rate of credit card fraud is alarming, isn't it? I'm stunned by it, and we all pay for it.

[Dollar Slice]

Slightly scary update... I was contacted by a different credit card company and they said that someone called them on the 13th and tried to add an authorized user. That is the same weekend that the OP all happened. I'm really hoping that the credit card co. was socially engineered into letting this person access the account without my password, social, etc. because the alternative is scary. :-(  It would be one thing if they hacked my login for online access, but over the phone they ask for so much info (last 4 digits of SS#, a password, birth date, etc. etc.). I have to wait until Monday to talk to a supervisor who can access a recording of the call. I insisted that I needed to know exactly what info this person had.

They said that I basically have to shut down the account and there is no way to recover it (which seems bizarre, but I kind of wanted to close it anyway, so not that big a deal).

Ran a malware scan on my computer just in case, but it came up clean... going to pull a credit report too, just in case. This is definitely past "rando hacker and coincidence" and into "potential identity theft" now. Ugh. Still not sure how all of it could tie together, honestly.

[bacchi]

It certainly has the smell of a scam, especially the MIL part (Potential you: "Oh, my MIL's name is Alice, not Carol.")

Weathering had a good idea -- it's a distraction so that it's not your fraud, it's the other person's. Forward to her.

Is the company in 1) a legit company? Whois checks out and they actually had a real security problem?

[Dollar Slice]

Is the company in 1) a legit company? Whois checks out and they actually had a real security problem?

It is a well-known retailer that's been around for decades. I'm sure it wasn't a phish - I went back and forth a few times with their customer service reps about it and they seemed quite concerned and thanked me for reporting it. I can't find any news about them having a security problem, but it was such an extremely specific issue that I wouldn't expect it to be talked about anywhere. I might well have been the first person to stumble across it.

I'm a little tempted to e-mail the person and say hey, my identity was stolen the day after you sent this e-mail. You will be hearing from the police! And just see what she says...

[bacchi]

Another tip: if they have your company's info, they may be stealing your mail.  Happened to me once - and many others where I live.  That's how they find out info about your accounts and which banks to contact.  Had any bills, packages, or other things go missing, too?  Dead giveaway.  Check with the postal service, but they're pretty awful when it comes to that...it's not their money, so they don't really care. 

Proactive tip for US residents:

Sign up for USPS Informed Delivery. The USPS will send you an email each morning with a scan of that day's mail. If it doesn't arrive, you got problems.

https://informeddelivery.usps.com/

[Dollar Slice]

Luckily the account that was compromised over the phone was not an account in active use and I have no other accounts with them. I'm going to call (or visit) my actual bank where I keep my money and see what I can do to lock that down.

My mail should be fine as my mailbox has a lock and key and the building has pretty high security. Nothing has gone missing.

I'm holding out on potential vs. actual identity theft until I hear the actual call that was made. Could have been just a very smooth-talking thief who convinced the customer service rep to access the account without all that info. Stuff like DOB and SS# is available to hackers through many data leaks, but I'd be really astounded if they were able to give my verbal password.

[bacchi]

Could information have been leaked the other way? As in, the company contacts the fat-finger person and casually mentions that "Dollar Slice" in NYC has a similar email ("but with a 13 instead of an 11...") and alerted us to the problem. This then gave her an idea....

How did fat-finger person even use the site with a wrong email? You wrote that there was an order history. She's been ordering from them and never noticed that order updates never arrived? Have you google stalked this person and is she a 60 year old who uses the internet sparingly?

[Dollar Slice]

Could information have been leaked the other way? As in, the company contacts the fat-finger person and casually mentions that "Dollar Slice" in NYC has a similar email ("but with a 13 instead of an 11...") and alerted us to the problem. This then gave her an idea....

All they had was my e-mail and my first name. I'm pretty careful about putting my full real name online. I think the only way to get info from my e-mail address would be if LinkedIn let you search by e-mail address and come up with my name... in which case you'd get my full name, and the fact that I live in New York City, and the company I work at. If you tried hard enough maybe you could get there. But it seems a bit of a stretch to think that a person would decide to do a ton of research and steal someone's identity just because they have the e-mail address of someone who did them a favor (by reporting a security flaw exposing their info).

How did fat-finger person even use the site with a wrong email? You wrote that there was an order history. She's been ordering from them and never noticed that order updates never arrived? Have you google stalked this person and is she a 60 year old who uses the internet sparingly?

Google stalking says she's 46. (Which I guess would be the right age to have to help her MIL with internet things... and google-stalking says she has a relative with the name she mentioned to me as the MIL.) 

I don't believe I ever got an order confirmation e-mail from that company... maybe she had just gone in to change her e-mail address from an old one to her current one, and fat-fingered it there? So I started getting their promo e-mails but she didn't make any more orders until after I got it fixed.

Meanwhile I've started getting e-mails from a parenting website in the UK... seems unlikely to be the same person giving my e-mail address, since she's in California.

[Dollar Slice]

This just keeps getting weirder/dumber... although this update is good news.

I called the credit card company again to talk to a supervisor about getting a recording of the call where someone had supposedly impersonated me, yadda yadda. Turns out... there was no such call. Nothing happened that weekend. No authorized user was added. Nothing. Turns out that JUST BY COINCIDENCE the credit card company was doing some kind of review, and noticed a bunch of authorized users added/removed back in the beginning of the year (tradelines!), and sent me a letter dated the same weekend as all this other stuff happened. Completely coincidental timing. Also, I guess, a coincidence, was that the person on the phone on Friday was completely wrong about everything that had happened.

So bizarre, but a relief that I don't have to search my workplace for hidden microphones today... ;-)