
This scam involves my HomeDepot.com account. For those not in the US, Home Depot is a chain of very large home improvement / DIY stores.

Background / how I knew my account was compromised:

Yesterday I received 3 emails from Home Depot, followed by roughly 100 spam emails that all made it through the Hotmail spam filter. The 3 emails from Home Depot were:

  • Shipping address change
  • Credit card added
  • Order confirmation (about $1000 worth of power tools)

I did not have a credit card of mine on file. The credit card added was not mine. The shipping address for the order was a residential address about 10 miles from my address (same zip code).

I contacted Home Depot using the customer service number on their site and explained I had not placed the order. The rep said she thought it came about through someone placing the order over the phone, giving an email address close to mine and a Home Depot rep entering that person's information into my account. She said she would cancel the order and insisted my account had not been compromised.

At this point I did not make the connection between the deluge of spam mails and the Home Depot order so I considered her explanation plausible. I deleted the address and credit card from my account.

Today the same thing happened again. Another 3 emails from Home Depot (address change, credit card added, order placed, $1000 power tools) followed by another 100 spam emails. This made me (finally) realize that my account had indeed been compromised.

This time I changed my password and enabled 2FA. I contacted Home Depot again and the order was canceled (they have a very inane system where the customer cannot cancel an order from the website; Home Depot has to cancel it).

Some things to note:

  • Shipping address for second order was a different address, some 20 miles from my location, different zip code but fairly close
  • Credit card used was the same as for the first order, or at least the last 4 digits are the same. I cannot see the full credit card number, just that it was a Mastercard and the last 4 digits

Now to my question:

  • What is the endgame for this scam? The credit card used was not mine. Why use my account to place an order instead of creating a new account? I understand the deluge of spam emails is to try to hide the order confirmation / address change emails, but why? Why not just create a new account at Home Depot, which is free, and place the order from there?

I do not believe the residential addresses used are those of parties involved in the scam / theft. I'm guessing part of the scam is to contact the shipper once the order ships and divert the shipment to either a Home Depot store for pickup, or to a shipping center for pickup.

But I do not understand why bother to do all this through my account.

Conor Mancone
user469104
  • 1
    Although creating an account is free, do you still need some form of identification to do so? Do you need to go into the store to register, or can you do it online? – meowcat May 01 '19 at 03:31
  • 3
    You can do it online. You only need to provide a valid email address. After creating an account, an email with a validation link is sent to the provided email address. No other information is validated when creating an account. – user469104 May 01 '19 at 03:37
  • 1
    Home Depot supports 2FA?!? – gowenfawr May 01 '19 at 09:44
  • @gowenfawr yes, I was as surprised as you to see they have 2FA but for sure a good thing – user469104 May 01 '19 at 12:12
  • @user469104 I updated the title to include details about your actual question. If you don't agree with the change, you're welcome to revert it or edit it again yourself. – Conor Mancone May 03 '19 at 01:50
  • @ConorMancone, good edit – user469104 May 03 '19 at 12:03

1 Answer


This is my first time hearing about this kind of "scam", so I am guessing, but I'm pretty sure I can tell you the answer. The key detail is here:

Order confirmation (about $1000 worth of power tools)

When I hear that I immediately conclude that this order was placed with a stolen credit card.

Anecdotally, I used to manage an eCommerce site for a very small (3-store) chain of hardware stores. They had frequent problems with people using their eCommerce site to purchase things with stolen credit cards, and the chargeback fees from their processor when the fraud was reported were painfully high. This caused them to spend time manually verifying any potential fraud orders. Fortunately, fraud orders were fairly obvious: they always involved large numbers of power tools. Fraudsters would buy power tools for the same reason they buy phones/laptops with stolen credit cards: they are easy to resell for near retail.

Initially the company I worked with would look at the shipping address as one factor to determine the odds of fraud, but that eventually became worthless: as you mentioned, fraudsters learned to change the shipping destination en-route (UPS supports this with a myUPS account, for instance).

Therefore I suspect that the combination of a local shipping address and using your already established account had the same purpose: attempts to minimize red flags and skirt past any potential fraud screening on Home Depot's side. I would guess that the fraudsters are working under the assumption that Home Depot will look less carefully at orders from established accounts than from new accounts or anonymous orders. I'm sure that Home Depot does plenty of their own fraud screening (probably automatic rather than manual), so the fraudsters may even be correct.

Also, I agree with your assessment that the spam was meant to hide the order confirmation from you.

In short, your account is being used as a patsy to use stolen credit cards to place fraudulent orders. Whether or not Home Depot might try to hold you responsible for the order when the credit card is discovered to be stolen is unclear to me (probably not), nor does the fraudster care (IMO). I suspect the use of your account was all about trying to minimize red flags on the order, rather than trying to hide their own identity or shift blame (they could have just as easily placed an anonymous order for that).

Regardless, proactively notifying Home Depot about the fraud order was obviously the right call: then there is certainly no risk of them blaming you. Moreover, it saves them a bunch of money. It's a shame that they made it so hard for you to do that for them.

Conor Mancone
    This makes sense, i.e. using an established account to reduce the risk of getting caught in an automated fraud screen. Home Depot definitely does not make it easy to help them. The first customer service rep I talked to about the second order refused to cancel it as it was not my credit card that was used. She insisted that made it a valid order even though I did not place the order and it was being shipped to an address that is not mine... I had to call back to get another representative in order to get the order canceled. – user469104 May 01 '19 at 12:28
  • 1
    @user469104 lol! That sounds about right. Makes me wonder if the order would have gone through if you hadn't canceled them. If so, you legitimately saved Home Depot a ton of money. Latest studies suggest that between cost of goods, charge back fees, and other costs, every dollar of fraud costs the business $2.77 on average. https://www.thepaypers.com/digital-identity-security-online-fraud/the-cost-for-each-dollar-of-fraud-losses-up-to-15-percent-for-merchants/771123-26 That means this $1000 order could have cost them almost $3000 if not caught. – Conor Mancone May 01 '19 at 12:34
  • 1
    @user469104 you should ask them for your cut :) – Conor Mancone May 01 '19 at 12:34
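The screening logic the answer describes, worked through as a Python example added here (it is not Home Depot's system and not code from the answer's author): an order scorer that gives established accounts a "trusted customer" discount, beside one that instead scores on what changed right before the order. The signal weights, the review threshold, the resale-category list and the three sample orders are all assumptions constructed for the example; the `TAKEOVER` sample reproduces the pattern in the question (old account, card and shipping address added minutes earlier, $1000 of power tools to an address the account never used).

```python
"""Order fraud screening: naive 'trusted account' scoring vs. change-based scoring.

Added example; the signals, weights, thresholds and sample orders are
assumptions constructed for illustration, not any merchant's real rules.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Goods that resell near retail and so attract stolen-card orders (assumed list).
RESALE_CATEGORIES = frozenset({"power tools", "phones", "laptops", "gift cards"})
REVIEW_THRESHOLD = 70          # score at or above this goes to manual review
RECENT = timedelta(days=7)     # card/address attached inside this window counts as "new"
SAME_SESSION = timedelta(hours=1)


@dataclass(frozen=True)
class Order:
    order_id: str
    placed_at: datetime
    account_created_at: datetime
    total_usd: float
    categories: frozenset[str]
    ship_to_on_file: bool                  # shipping to an address this account used before?
    card_added_at: Optional[datetime]      # when the paying card was attached to the account
    address_added_at: Optional[datetime]   # when the ship-to address was attached


def _base_signals(order: Order) -> tuple[int, list[str]]:
    """Signals both scorers share: order value, resale goods, unfamiliar ship-to."""
    score, reasons = 0, []
    if order.total_usd >= 500:
        score += 30
        reasons.append(f"high value (${order.total_usd:.0f})")
    hot = order.categories & RESALE_CATEGORIES
    if hot:
        score += 30
        reasons.append("resale-friendly goods: " + ", ".join(sorted(hot)))
    if not order.ship_to_on_file:
        score += 20
        reasons.append("ship-to address never used by this account")
    return score, reasons


def naive_score(order: Order) -> int:
    """Screen that rewards account age: the assumption the fraudster exploits."""
    score, _ = _base_signals(order)
    if order.placed_at - order.account_created_at > timedelta(days=365):
        score -= 50   # "long-standing customer" discount
    return score


def hardened_score(order: Order) -> tuple[int, list[str]]:
    """Screen on what changed right before the order. Account age earns no
    discount: a compromised old account looks exactly like a loyal customer."""
    score, reasons = _base_signals(order)
    card_age = (order.placed_at - order.card_added_at) if order.card_added_at else None
    addr_age = (order.placed_at - order.address_added_at) if order.address_added_at else None
    if card_age is not None and card_age < RECENT:
        score += 40
        reasons.append("paying card added within the last 7 days")
    if addr_age is not None and addr_age < RECENT:
        score += 30
        reasons.append("ship-to address added within the last 7 days")
    if (card_age is not None and addr_age is not None
            and card_age < SAME_SESSION and addr_age < SAME_SESSION):
        # Card added, address added and order placed in one sitting is the
        # takeover sequence the question describes (three emails in a row).
        score += 30
        reasons.append("new card and new address within an hour of the order")
    return score, reasons


def needs_manual_review(order: Order) -> bool:
    return hardened_score(order)[0] >= REVIEW_THRESHOLD


# Constructed sample orders (not real data). T is the order time.
T = datetime(2019, 4, 30, 9, 0)
THREE_YEARS = timedelta(days=3 * 365)

LEGIT = Order("A1", T, T - THREE_YEARS, 85.0, frozenset({"paint"}),
              ship_to_on_file=True, card_added_at=T - timedelta(days=400),
              address_added_at=T - THREE_YEARS)
TAKEOVER = Order("A2", T, T - THREE_YEARS, 1000.0, frozenset({"power tools"}),
                 ship_to_on_file=False, card_added_at=T - timedelta(minutes=12),
                 address_added_at=T - timedelta(minutes=15))
NEW_ACCOUNT = Order("A3", T, T - timedelta(minutes=10), 1000.0, frozenset({"power tools"}),
                    ship_to_on_file=False, card_added_at=T - timedelta(minutes=5),
                    address_added_at=T - timedelta(minutes=5))


def screen_samples() -> dict[str, tuple[int, int]]:
    """Return {order_id: (naive score, hardened score)} for the three samples."""
    return {o.order_id: (naive_score(o), hardened_score(o)[0])
            for o in (LEGIT, TAKEOVER, NEW_ACCOUNT)}


if __name__ == "__main__":
    for oid, (naive, hard) in screen_samples().items():
        print(f"{oid}: naive={naive:4d}  hardened={hard:4d}")
```

With these weights the naive screen flags the throwaway-account order (80) but lets the identical order from the hijacked three-year-old account through (30, below the review threshold), which is exactly the gap the answer suggests the fraudster is betting on; the change-based screen scores both at 180. The spam flood in the question is only visible to the customer, so the merchant-side signal to alert on is the card-added, address-added, order-placed sequence landing within minutes of each other.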