Recourse if debit card was used on a suspicious website

Question

My husband got a pop-up ad on his phone for a fashion website and purchased two pairs of sunglasses using our debit card. The confirmation was emailed to me (marked as spam by gmail), and the site seemed very suspicious to me: the URL is nonsense, the confirmation message had a number of basic grammatical errors, and the deal seems too good to be true. It could potentially be completely legitimate, but I'm suspicious.

What, if anything, should I do at this point to mitigate the fact that my husband just gave out our billing information to a potentially fraudulent website? We are in the USA.

Billing confirmation message:

no-reply@tobeno1shop.com
Jul 30 (2 days ago)

 to me 
Dear {{ myemailaddress@gmail.com }},
Attention：This is a confirmation for your order detail. It means you have paid for the order successfully.
Order details:
Merchant Order No. :  628
Order No.          :  {{ order number }}
Payment Date&Time  :  Mon Jul 31 03:01:01 CST 2017
Amount             :  54.98 USD
**Please do not reply to this email. Emails sent to this address will not be answered.
**Due to floating exchange rate, tiny disparity of order value may exist.
**Please note that your bank may apply a small charge for handling this transaction.
Contact details:
Email: service@tobeno1shop.com
☆ We an independent third party payment provider and as such protecting all cardholders is our primary concern.
☆If you have any problems about this transaction, please don’t hesitate to contact us. We’ll try our best to help you until you are satisfied with it.
☆Please ensure our email add added to your allowed list to ensure that we can help you properly.

I'd suggest reporting the ad to the app/website owner your husband was using. — Mart10, Aug 01 '17 at 17:03
You should never, ever use a debit card online. If possible, use disposable (one-time) credit card numbers (check with your bank if they offer that as a service). When you use a debit card, the money is gone at the moment of payment. — xxbbcc, Aug 01 '17 at 22:18
@xxbbcc, this is not so simple, at least in the U.S. Debit cards are fraud protected to some extent, similar to credit cards — SplashHit, Aug 01 '17 at 22:22
@SplashHit I'll take your word for that :) . I still wouldn't use a debit card online at all (or actually any real card number for that matter). Every time I buy online, I go to my bank, get a one-time credit card number and use that. As far as I can tell, that's the best way to protect the real card number but I may be oblivious to hacks around it. — xxbbcc, Aug 01 '17 at 22:35
@xxbbcc Mine for some reason has a 2 month minimum on the expiration of the temporary number, but you can also set a maximum spending amount so I just set that to the amount I'm planning to pay. — IllusiveBrian, Aug 02 '17 at 02:30
https://usa.visa.com/support/consumer/debit-cards.html says "If your Visa Debit card is lost or stolen and fraudulent activity occurs, you are protected by Visa's Zero Liability Policy. That means 100 percent protection for you. Whether purchases occur online or off, you pay nothing for fraudulent activity." — dandavis, Aug 02 '17 at 03:20
maybe this is a bit off topic, but in the unlikely event that you receive the sunglasses, it's absolutely imperative that you check them with some UV flashlights. They have much higher chance to be low quality and thus lacking UV filter, and in that case wearing them will inflict permanent and cumulative damage to the eyes. — Display Name, Aug 02 '17 at 05:47
I thought no one would take seriously things popping by in their computer. teach him how to use paypal. here we have virtual VISA cards. — Rui F Ribeiro, Aug 02 '17 at 13:21
@IllusiveBrian So does mine - sounds like it could be the same system. — xxbbcc, Aug 02 '17 at 14:57
The proper time for protecting against fraud was __BEFORE__ he clicked the ad. Every time I know that I need to pay for something, but don't want my card number to be re-used after that, I use my [Simple](https://simple.com) debit card that I leave _turned off_ all the time, and only turn it on when I am about to make a purposeful transaction. — NH., Aug 02 '17 at 20:31
A lot of these solutions are not available or practical in the US (which I left out of my question originally--my fault) — thumbtackthief, Aug 02 '17 at 20:32
I wanted to **edit the URL out of the question** as it might direct traffic towards that site (even if it's unlikely to lead to other user action, hxxp only helps so much) and an answer containing advice on how to check whether a website is suspicious should be generic (since I imagine directly verifying the legitimacy of any given entity is, or at least should be, beyond the scope of this site), but unfortunately the current accepted answer is fairly heavy on explaining the problem with that specific website. — NotThatGuy, Aug 03 '17 at 13:31
Aside from the technical issues I would note that the Chinese make some pretty good knock-offs of well-known sunglasses brands. And I don't buy the FUD on UV - plain ordinary [polycarbonate](http://4.bp.blogspot.com/-1zBXuA0iw8c/TlLCKwhKNgI/AAAAAAAAAgU/9WYyCRN03ZA/s1600/Makrolon-Sheet_transmission.jpg) blocks UVA, UVB, UVC. Chances are you will get some reasonable quality fake sunglasses in the mail in a month or so. — Spehro Pefhany, Aug 03 '17 at 15:29
@thumbtackthief Using one-time credit cards with a spending limit is definitely available in the US, through at least Bank of America (ShopSafe) and likely some others. — xxbbcc, Aug 03 '17 at 17:24
@thumbtackthief then please take a look at my previous comment (if not already) — Display Name, Aug 24 '17 at 10:54
@SpehroPefhany yeah that's true but then one needs to check that it's indeed polycarbonate and not some random plastic. — Display Name, Aug 24 '17 at 10:55
@SargeBorsch Other clear plastics behave similarly. You can argue the ethics of the Chinese copying the design and doing the gruntwork of manufacturing (or the ethics of **kley charging $200 for a few cents worth of plastic- most likely from the same Japanese or German resin supplier) but I don't think there is a functional argument to be made. — Spehro Pefhany, Aug 24 '17 at 11:11
@SpehroPefhany definitely not all plastics have the same properties. I've tested them and witnessed that. And nope, I am not trying to say that it's somehow related with the price or country of origin. I want to say that unless you are absolutely trust the seller and manufacturer, you should test the glasses. — Display Name, Aug 24 '17 at 11:12
@SargeBorsch What plastic would you recommend for a UV-transparent window? It would be nice to avoid using expensive quartz. — Spehro Pefhany, Aug 24 '17 at 11:14
@SpehroPefhany I can't say what exactly the formula is. I tested some random sunglasses and some of them had inadequate UV filtering, that's all. btw why would you want a window which lets UV through? also, see the edit of previous comment, I added some clarification — Display Name, Aug 24 '17 at 11:17
@SargeBorsch I'm an Engineer, I want all kinds of weird things. — Spehro Pefhany, Aug 24 '17 at 11:28

Ivan · Answer 1 · 2017-08-02T20:39:22.273

47

Don't report this as fraud; that will kick off an investigation that will ultimately conclude you did authorize the transaction. Waste of time all around.

Call the card company, tell them you made a purchase on a site that is not at all PCI-compliant, is "likely fraudulent" and your card information is now assumed compromised.
Go through the hoops to get a new card issued with new numbers.
Wait 30-45 days to see if the glasses show up. Be pleasantly surprised if they do. If they don't, dispute the charge before the end of the dispute period (gen. 60 days).
Educate your husband to never buy anything marketed through ads. Even when the goods are delivered, they're seldom as good a deal as you think.

As for identity fraud, I'm not seeing birthdays or socials in the form, so it's unlikely they could actually do anything with it. They ask for enough information to authorize a transaction so I'd expect fraudulent charges on the card at worst if you don't shut it down immediately.

edited Aug 02 '17 at 20:39

answered Aug 01 '17 at 17:16

Ivan

6,288
3
18
22

13

^ This. I can't see how reporting the incident (or site owner) as fraud would help or be successful, or even strictly legitimate. They didn't do anything wrong so far. OP _wanted_ sunglasses, OP _bought_ sunglasses. Now it's the merchant's to deliver them (or... not), and sure enough the card will be charged (what else!). A purchase knowingly and willingly made on a site that is highly suspicious at first sight is _still_ an entirely "legitimate" transaction, until proven otherwise. I don't see how you could possibly report this as fraud at the present time. – Damon Aug 01 '17 at 18:48
13

*"if you file a chargeback, it will apply to the original defunct card and you'll never get the money back on the new one."* -- this is incorrect. Your card(s) current number has absolutely zero bearing on whether or not you will receive a refund from a successful chargeback claim. Even if you *close the account*, the bank will issue you a refund check if your chargeback claim is successful. Chargebacks are filed against and refunds issued to *accounts*, not *cards*. – josh3736 Aug 01 '17 at 23:31
1

@josh3736 It varies by bank and aquirer. Also, if the shop itself want to issue a refund, for example if they is out of stock and want to abort the transaction after it has been finalized, it cannot be done if the credit card has been cancelled. I have been through that once. I had a card which I cancelled. The shop emailed me and said that the refund transaction failed to go through, and they couldn't refund me, and the sum was forfeited. They also sent me the refund processing log which clearly said the card was hotlisted and refund transaction was refused by aquirer. – sebastian nielsen Aug 02 '17 at 08:20
@sebastiannielsen Ah, thanks for that. That's the exact scenario I had in mind-- it wasn't chargebacks, it was pending refunds that I've had get lost in the shuffle. I will edit my answer. – Ivan Aug 02 '17 at 15:27
1

@Damon On the other hand, they are most likely knock-off sunglasses, which were probably advertised as a real brand-name. That part actually is fraud and sunglasses are one of the most common items it happens with. Agreed with the answer that you'll probably need to wait until you have them (if you ever do) to dispute that, though. – reirab Aug 03 '17 at 15:33
@reirab: Even then, I'm almost inclined to say it may be a challenge to get the money back. If [Schlemihl sells you air](https://www.youtube.com/watch?v=9GNfRBn4-5c) and Schlemihl very obviously looks like and talks like... well, like Schlemihl does, then what's there left to say about it. You really _had to expect_ that air is all you get, and nothing more. I'm not saying that this makes it ethical or even legal, but I could imagine the merchant and possibly the credit card company as well (for whom following your complaint is needless trouble) sees it just that way. – Damon Aug 04 '17 at 08:54

whoami · Accepted Answer · 2017-08-02T17:35:45.460

The best course of action would be to contact your card provider and ask to block the transaction. Also, I recommend you block your credit card number and get a new replacement credit card. Here's why:

The whois information for the website reveals that it is registered to someone in China with most likely a fake address:

Domain Name: RBXZO.COM 
Registry Domain ID: 2137576384_DOMAIN_COM-VRSN 
Registrar WHOIS Server: whois.publicdomainregistry.com 
Registrar URL: www.publicdomainregistry.com 
Updated Date: 2017-06-27T10:21:01Z 
Creation Date: 2017-06-27T10:21:00Z 
Registrar Registration Expiration Date: 2018-06-27T10:21:00Z 
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com 
Registrar IANA ID: 303 
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited 
Registry Registrant ID: Not Available From Registry 
Registrant Name: liu fuquan 
Registrant Organization: liu fuquan 
Registrant Street: guangdongsheng zhaoqingshidinghuqu    
Registrant City: BeiJin 
Registrant State/Province: BeiJin 
Registrant Postal Code: 526000 
Registrant Country: CN 
Registrant Phone: +86.017082434147 
Registrant Phone Ext:  
Registrant Fax: +86.017082434147 
Registrant Fax Ext:  
Registrant Email:

The registered email at qq.com also looks fake.

The website itself asks to register an account and set password on a non-SSL (not properly secured / no encryption) HTTP page as seen below:

I did not actually go through with the registration page and cannot see the payment page, but I doubt that they have HTTPS (SSL) encryption on there either.

Overall, very shady and I highly recommend you block the transaction, the credit card and get a new credit card delivered to you.

Addendum:

As someone pointed out in comments, the password your husband created or used on the website should not be used elsewhere anymore. If your husband has that same password set elsewhere, we recommend changing it.
Also, to clarify, you can try to cancel the transaction, but as others pointed out, you did initiate the transaction and so it's a valid transfer of money as far as your financial institution is concerned. So you will likely not recover the money your husband spent on the website. But you can block the card and ask for a new one to prevent misuse of your card in the future.

The email address looks fine to me. All-numeric email addresses are quite common in China. — , Aug 01 '17 at 17:23
In particular, qq.com is definitely one of those sites that gives all-numeric emails. I actually have one myself (although I forgot the number). — David Z, Aug 02 '17 at 05:46
Note that [accroding to this site](https://www.scamadviser.com/check-website/rbxzo.com) domain is only 36 days old, and email address is used on 129 websites. Still, guangdongsheng zhaoqingshidinghuqu is very real place you can find on Google Maps - about 2000km from Beijing (Google does not know BeiJin). This looks suspicious, too. — Mołot, Aug 02 '17 at 10:56
@ΈρικΚωνσταντόπουλος That just means the domain cannot be transferred to another registrar. It's standard practice to lock your domain to your registrar in that way to help combat domain hijacking. See [the link in the whois response](https://icann.org/epp#clientTransferProhibited) for details from ICANN. — MTCoster, Aug 02 '17 at 13:05
The weird writing of BeiJin might just as well be the result of transliterating Chinese characters to ASCII because the registrar needs the domain owner details to be ASCII. — simbabque, Aug 03 '17 at 13:02

score 4 · Answer 3 · answered Aug 01 '17 at 14:59

4

Looks exceptionally scammy to me I'm afraid.. I would contact the issuer of the credit/debit card ASAP and go from there. Odds are pretty good that you'll be able to get the money back - most likely outcome is cancelling and re-issuing the card but you'll have to go through every transaction on that card with a fine tooth comb for any time period between placing that order and getting the card cancelled.

answered Aug 01 '17 at 14:59

motosubatsu

862
5
7

2

At best, you'll be shipped fake / counterfeit sunglasses. More likely, however, this was a credit card skimming scheme. Call your credit card company, tell them you were the victim of online fraud, and ask them to a) cancel and replace the card on your account, and b) review your list of recent charges for abuse. – DrDamnit Aug 01 '17 at 15:09
But I'm not in danger of identity theft or anything like that? – thumbtackthief Aug 01 '17 at 15:30
2

@thumbtackthief Identity theft is a possibility (depending on how much info your husband provided during the "ordering" process) but in my opinion it's more likely that they are just after card details. Might be worth signing up to something Experian for a month or two so you can keep an eye out for any suspicious activity. – motosubatsu Aug 01 '17 at 15:42

Harper - Reinstate Monica · Answer 4 · 2017-08-03T01:09:44.240

You have two goals here.

You want to cancel your husband's purchase of sunglasses.

It was an honest purchase by your husband. If you want to back out of the purchase, talk to the seller and see what they want to do. It is legal for them to say "no" unless their terms of sale say otherwise. However most will cooperate, because cheesing off customers is bad for business.

It's time to claim fraud and do a chargeback if:

you earnestly try to reach them multiple times and they are unreachable, over several business days (most of a week).
a month has gone by and the glasses haven't shown up.
the glasses arrive and are honestly inferior to what was claimed.
you are of poor morals and want to steal the glasses.

You want to protect your banking info.

First. Using a debit card online? Seriously? Stop doing that. Everyone agrees: bad idea, particularly with random vendors you've never heard of, who could either be fraudsters or just hacked.

However, the horse is out of the barn. How do you protect your data now? They have your debit card number, not your bank account number. Contact your bank and ask them to replace your debit cards with a new debit card number. Tell them you're doing it "out of an abundance of caution". Don't accept their assurances that you are guaranteed:

What they mean by "guaranteed" is after the crook cleans out your bank account, they will take your fraud report. The bank's fraud team will spend a month or three grinding through their stack of fraud reports. When they get to yours, they will probably find fraud, and if it's guaranteed, they'll refund the money even if they can't claw it back from the fraudster. Meanwhile, in the real world, months have gone by, and normal debits keep hitting the account. What pays them? Nothing does - they bounce. And ding you an overdraft fee to boot. Did they happen to mention you need to replace that money while they investigate? No, they didn't mention that? From their view, they're not in the loan business. They are not going to loan you the disputed money during the investigation. You have to front it to pay your routine bills. I don't understand how they expect working folks to be able to do that... This is the problem with debit cards online.

With a credit card, they don't try to collect amounts in dispute; it only reduces your credit limit by the disputed amount. And they are in the loan business, so they float you the disputed amount. And their disputes get resolved a mite quicker since it's their money in play, not yours.

score 3 · Answer 5 · answered Aug 02 '17 at 00:31

3

Please note that using a credit card vs a debit card online are 2 different things. Both of them have fraud protection (atleast in US), but if there are disputes - with debit card, the money stays out of your account until its resolved in your favor, while credit card means the money stays in the account unless issuer rules against you.

Ignoring the specific site mentioned, in general with a suspicious transaction:

You should always be aware of your card's policy on filing disputes and how long you have to initiate them. Make sure you file for chargebacks in time if you don't receive what you ordered, and don't be assured by a tracking no. as that is not a guarantee the item inside is correct
If you know its suspicious ahead of time (but want to order there for w/e reason) make sure to use a one-time credit card number
Issuers often have free alerts for purchases significantly unlike your past history (e.g. if someone charges $2000 when usual purchases are ~ $100 each). Sign up for these to get alerted if CC skimming leads to attempted large fraudulent purchases
Scan your statements a bit more carefully when you know there is a suspicious incident just happened

You can't always go replacing your card every time there is suspicion. But just scanning statements every 45 days when you have 60 day period to dispute is good for some peace of mind.

As for using debit cards for purchases, if you're really paranoid I guess you can make sure there is enough money in a different checking account for emergency if the linked account is under dispute. Tbh I wouldn't expect things to get that bad, but then I also don't use the debit card at all except for bank ATMs and stick to credit cards online.

answered Aug 02 '17 at 00:31

Alok

131
3

I would NOT recommend a credit card. Since that means if a fraud happens, then they are free to collect as much they want. If the financial institution then rules against you, then you have to repay the debt. In some cases, the financial institution may rule that you have to pay the invoice in the meantime until the case is resolved. I would rather recommend a debit card, but on a separate account, that you only fill with a limited amount of Money. Any leaked details will be unusable as the bank will refuse to authorize transactions when theres insufficent Money on account. – sebastian nielsen Aug 02 '17 at 08:25
Another good thing with debit cards is that you can usually look up the transactions online, while with most credit card (if theres no customer login on the website) you have to wait for the invoice that arrives after like 30-60 Days, Before you will notice the transactions. – sebastian nielsen Aug 02 '17 at 08:27
2

You DO NOT have to pay any disputed amount while the dispute is being investigated. Yes, if the FI rules against you, you have to repay the debt, but if you use a debit card, you are already out the money immediately. As far as the bank refusing to authorize debit transactions with insufficient funds, that's not always true either. A credit card account will have online access in the U.S. The web site will probably also show you pending charge authorizations that haven't settled yet, whereas there's no such thing as a "hold" for a debit card- the money is gone instantly. – nstenz Aug 02 '17 at 10:23
@sebastiannielsen If you're worried about thief running up high charges on CC, just ask bank to set low limits (to w/e you were comfortable with in seperate account for debit card). – Alok Aug 02 '17 at 21:55
2

@sebastiannielsen you are just wrong. By "wrong" I mean all the major consumer advice services disagree with you. Debit/ATM is much more risky than credit cards. Someone with your DC info can literally drain your bank account, and that means you will not be paying rent this month. Good chance your fraud claim will *eventually* claw the money back, if the bank decides in your favor. That won't reverse the twelve overdraft fees, however. They expect you to just stick more money in to cover your regular debits. None of these problems exist in a credit card. – Harper - Reinstate Monica Aug 03 '17 at 00:17
1

@sebastiannielsen It's better to use a credit card. If you get scammed and the FI decides for whatever reason you're liable for it, you retain the option to trump their decision by bailing on the debt, settling it for a lesser amount or having it discharged through bankruptcy. If you use a debit card, you're committing to all potential losses upfront as well as the cascading consequences (overdrafts, etc). It's always better to gamble with someone else's money. – Ivan Aug 03 '17 at 03:09

score 1 · Answer 6 · answered Aug 01 '17 at 15:11

1

Most definitely cancel and get a new credit card. There is too many fishy factors about this website.

If in doubt its much safer to do this, as the worst case scenario will be losing some of your time rather than lots of your hard earned cash.

answered Aug 01 '17 at 15:11

user68786

159
1
6

score 0 · Answer 7 · answered Aug 01 '17 at 17:07

0

I doubt you'll get your money back from your Financial Institution, since the transaction was initiated by a valid cardholder. If you don't get the product, you might be able to file a dispute, but they'd probably want to wait a sufficient amount of time for the order to arrive first. Since it's coming from China, you're unlikely to hit that timeframe before you run out of time to file your dispute with the FI.

I definitely agree with the other replies as far as requesting a new card number, though. Your FI should be happy to handle that for you.

answered Aug 01 '17 at 17:07

TesseractE

101
1

You normally have 60 days to dispute a transaction, which is a period generous enough to allow for international trade. If the item hasn't shown up in 30-45 days it's acceptable to start a chargeback. – Ivan Aug 01 '17 at 17:10
Fair enough. That dispute timeframe can vary as can an eta on a package from China, so best thing would be to know your FI's policy. ^^d – TesseractE Aug 01 '17 at 17:27
1

The problem is, fraudsters also hide behind "those very long shipping times", blowing you off saying "just wait a little longer", "wait more", "it's coming". Their goal is to make you miss the 60-day window. – Harper - Reinstate Monica Aug 03 '17 at 01:04

Recourse if debit card was used on a suspicious website

7 Answers7

You want to cancel your husband's purchase of sunglasses.

You want to protect your banking info.