Wednesday, May 15, 2019

A scammer stole my credit card number online. Learn from my mistakes.

D'oh.
I am a software professional. I consider myself pretty savvy about the risks of operating online. Sometimes I even indulge in a little playful scam-baiting, though nowhere near the level of hilarity achieved by 419 Eater. So it is with no small degree of embarrassment, and only because it is in the public interest to do so, that I confess that I was taken in by an online scam.

As I tell you this story, I predict that you will groan and say to yourself some version of, "Oh no, I can't believe he actually fell for that! How dumb can you get?" But that's only because you are already primed for what is going to happen. In reality, there is no warning that something is about to happen. No voice-over tells you that you are looking at a scam. There is not even any ominous background music. It's all just perfectly normal, like eating your lunch while reading the news, until a powerfully bitter taste in your mouth alerts you to the fact that your sandwich bread is moldy.

In my case, I was casually scrolling through my Facebook feed, when I came to a sponsored ad for a really cool looking GPS watch. As it happens, my GPS watch is one of the first models Garmin ever put on the market. It's done many years of faithful service, but the GPS is starting to get less reliable, and the "mode" button has stopped working, so basically all I can do is start and stop the timer. So I was already thinking of replacing it when I saw this ad...and wow, what a good offer it was! From a regular list price of $54, it was marked down to about $10. Too good to be true, right? Funnily enough, that thought did occur to me at the time. So I googled the watch model, and found a lot of very positive online reviews. Ok, so what about the merchant? I did a search for the website name, along with the word "scam"...and nothing relevant came up. So I figured, maybe this merchant is doing a special to attract attention and get more customers. The site looked pretty reasonable, if a little tacky in design, and they had a genuine SSL certificate, so when it came time to hand over my credit card details, I was confident that nobody could steal them.

My first warning that something was amiss came shortly after the purchase. I received two emails confirming my purchase. One said I had been charged $10, but the other said $54. That got me upset, but before I jumped to any conclusions, I thought, let's see what actually appears on my card. Maybe their internal accounting is some stupid system where they charge me $10, but credit me as if I paid $54. So I set a reminder for the next day to check what had appeared on my card...but nothing came up yet. Nor the next day. And then life happened, and the whole thing fell off my radar. This all happened over a month ago.

So yesterday, I was looking back on my old emails, and I noticed the one they had sent me with the tracking number of my package. And I thought, hey, I haven't collected this thing yet, surely it must have arrived by now! And, hey, I should check how much they actually charged me. So first I entered the tracking number, and found that the parcel arrived at the local post office over a week before, and I never received a notification (though that complaint is for a separate discussion).

Then I went into my banking website, and looked back for the expected payment of $10...and found, to my disappointment, but not total surprise, that they had charged me the full $54. But wait...what is that transaction below the payment for the watch? 3,000 shekels for Facebook Ads? What the heck? And then...below that...another...the next day...and another...and another...and another. On five consecutive days, my credit card had been charged with 3,000 ILS, for a grand total of fifteen thousand.

At this point, my heart pumping, I realized what had happened. It's not that someone intercepted my credit card number on the merchant site. It's that the merchant himself simply saved my credit card number, swiped it to purchase me a watch (at full price, of course) from a genuine vendor, then used my card to purchase a fortune more of Facebook ads, in order to hook his next round of victims. I must suppose that not all his victims are paying for Facebook ads; presumably some are funding his big screen TVs, Big Macs, and teddy bears, or whatever else takes his fancy.

Fortunately for me, the credit card companies appear to be pretty used to this kind of event. I called them up and told them what had happened, and they said no problem, they'll reverse the charges. I'm guessing they're insured, because I can't see Facebook returning that money to anyone.

Naturally, the website where I purchased the watch is now 404. (That's how technical people, who are embarrassed at having been shown to be complete suckers and feel the need to attempt to reassert their street cred, say "Not Found".)

This just left open the question of what I should do with the watch. I mean, I was happy to spring $10 for a new GPS watch, but I wasn't so sure about $54. So I figured I'd pick up the watch from the post office, and see if it was worth $54 to me, otherwise I'd contact the merchant and ask for a return and refund. And that's what I did. Here it is:
Now, I know what you're thinking. That's one mighty compact little GPS watch, there. Fits on one finger. Just like a ring. A ring made out of whatever metal alloy happened to be cheapest on the Chinese commodities exchange on the day, with a gently understated geometrical design engraved on the outside. Frankly, I think the bag it came in might have been worth more than the contents. So I guess tomorrow I'll be calling the credit card company again, to request a chargeback for the $54, too.

And now, the important part, without which it would not be worth humiliating myself by telling this story: Lessons learned.
  1. If it seems too good to be true, it probably is. 20% off is a special. 80% off is a scam. Run a mile.
  2. SSL is essential, but not sufficient. That green padlock in the address bar of your browser next to the "https" address just means that your communication with the website is encrypted, and no third party can steal your information. It doesn't help you if the website itself is owned by criminals. Anyone can purchase a domain name and an SSL certificate. You need to know that you can trust the website owner. Otherwise it's like hiring a security guard to supervise as you hand the keys of your house over to a stranger wearing a ski mask.
  3. How do you know whom to trust? Well, for a start, there are organizations like the Better Business Bureau. If you want to buy from a website you don't recognize, and can't find any sources to establish the bona fides of the business, don't give them your card number. If they have PayPal, use that. If the only option they're offering you is credit card, walk away.
  4. Unrelated, but while we're on the subject, don't give your card number to anyone who calls you, even if they represent a real business or charity. Unless you initiated the call, were expecting their call, or you recognize the person calling you, they could be a scammer, pretending to be soliciting donations on behalf of a legitimate charity. This has happened in Beit Shemesh before, with scammers claiming to represent Lemaan Achai calling hundreds of people here and tricking them out of untold amounts of money.

Bottom line, your credit card number is extremely valuable. Don't give it to anyone, unless you know they are trustworthy.