Walmart ships fraudulent order to hacker's address then leaves customer to recoup cost
After hearing from Go Public, Walmart Canada refunded the cost of the Apple TV
The alarm bells went off for Bill Tomlinson after he got an odd text message — in French — on Feb. 2 from Walmart Canada. The Pelham, Ont., man doesn't speak French and hadn't ordered anything.
"I thought, what the heck is that? ... oh, something's gone wrong," Tomlinson told Go Public.
He logged into his Walmart.ca account and discovered fraudsters were using it and his credit card on file to place orders and ship them to Montreal.
There were four orders, all on that same day. Two were for dumbbells at $500 apiece, the other two for Apple TVs worth about $250 each.
Walmart had cancelled the first three orders on its own, but Tomlinson noticed the last one for an Apple TV had just been shipped. He called Walmart right away to let the company know, expecting the retail giant would refund the order.
Instead, two days later, Tomlinson says Walmart told him the product had been delivered to Montreal and that he was on his own to try to get the money back.
"They basically washed their hands of it," Tomlinson said.
"They said, there's nothing more we can do for you. This product was ordered on the account, it was paid for by your credit card, it was delivered by us. We did everything that we were supposed to do."
He says Walmart told him he would have to "deal with his bank" to see if it would reverse the charge.
Independent financial fraud expert Vanessa Iafolla says she gets several calls a week from people looking for advice on how to recoup their losses after being defrauded online.
"Any company that is going to offer online retail services and make it available for clients or customers to set up accounts is responsible for protecting the security of that account," Iafolla said.
"I think Walmart really is dropping the ball on this."
'More than one chance to stop the order'
When Tomlinson first called Walmart, he was told the company's fraud detection system had caught the first three orders but not the fourth, and that it needed to look into things before taking action.
Tomlinson does not understand the delay, since all the fraudulent orders were placed on the same day for the same products, and the company already knew the first three were a problem.
He also wants to know why Walmart did not stop the delivery after he flagged the fraud. Failing both those things, Tomlinson says the company should have refunded him the charge without hassle.
"They had more than one chance to stop the order," Tomlinson said.
"They should have owned up to the fact that they had enough time to solve the problem and they didn't."
Walmart did not say whether it followed up at the Montreal address where the Apple TV was delivered to find out who lives there, nor did it say why its systems failed to flag the fourth fraudulent order.
Go Public wanted to visit the location, but after Tomlinson asked Walmart to lock down his account, he was not able to access the address and Walmart wouldn't provide details.
The company told Go Public "there was no breach" of its systems and that Tomlinson's account was taken over by "a bad actor [who] gained access through the customer's login credentials that were compromised at some point prior to the transactions."
It said it doesn't know when or how those credentials were compromised.
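The linkage Tomlinson describes, tying an open order to others on the same account or shipping address that were already cancelled as fraud, can be written as a short rule. The Python below is an added illustration, not Walmart's system: the field names, the 24-hour window, the action labels and the sample orders (including their timestamps) are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed linkage window, not from the article

@dataclass(frozen=True)
class Order:
    order_id: str
    account: str
    ship_to: str
    item: str
    placed: datetime
    status: str  # pending | shipped | delivered | cancelled_fraud

def linked_actions(orders, window=WINDOW):
    """Map order_id -> action for open orders tied to a fraud-cancelled one.

    Linked means: same account or same ship-to address as a fraud-cancelled
    order placed within `window` of it.
    """
    flagged = [o for o in orders if o.status == "cancelled_fraud"]
    actions = {}
    for o in orders:
        if o.status not in ("pending", "shipped"):
            continue  # already cancelled, or already delivered
        linked = any(
            (o.account == f.account or o.ship_to == f.ship_to)
            and abs(o.placed - f.placed) <= window
            for f in flagged
        )
        if linked:
            # Not yet shipped: hold for review. In transit: ask the carrier
            # to intercept the parcel before delivery.
            actions[o.order_id] = "hold" if o.status == "pending" else "intercept"
    return actions

T0 = datetime(2022, 2, 2, 9, 0)  # constructed timestamp
MIN = timedelta(minutes=1)

# Constructed sample mirroring the article: four same-day orders, three
# cancelled as fraud, the fourth shipped, plus one unrelated order.
SAMPLE = [
    Order("A1", "acct-1", "addr-montreal", "dumbbells", T0, "cancelled_fraud"),
    Order("A2", "acct-1", "addr-montreal", "dumbbells", T0 + 5 * MIN, "cancelled_fraud"),
    Order("A3", "acct-1", "addr-montreal", "apple tv", T0 + 10 * MIN, "cancelled_fraud"),
    Order("A4", "acct-1", "addr-montreal", "apple tv", T0 + 15 * MIN, "shipped"),
    Order("B1", "acct-2", "addr-other", "kettle", T0 + 20 * MIN, "pending"),
]
```

On the sample, only the fourth order is selected, for carrier intercept; the unrelated order on another account is left alone.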
How fraudsters access online accounts
The number of "account takeovers" — a term for what happened to Tomlinson — has been increasing over the past six months, according to Kimberly Sutherland, vice president of fraud and identity strategy for LexisNexis Risk Solutions, a company that works with government and businesses to combat online fraud.
A survey report by the company, called The True Cost of Fraud, found Canadian retailers, in general, are doing a poor job of preventing fraud attacks.
In 2021, e-commerce retailers surveyed said they prevented about 4,860 attacks, but failed to stop about 4,800 others.
The survey also suggests online and mobile fraud attacks on retailers appear to be rising since the pandemic started, up 45 per cent in Canada from 2020 to 2021.
The report is based on a survey of 1,118 risk and fraud executives (145 Canadian, 973 U.S.) in small-, mid-, and large-scale retail and e-commerce companies.
Sutherland says fraudsters get passwords and credentials from websites that are compromised, then reuse them on other sites to see if they work, or they use malicious software that rapidly generates common user and password combinations to get into accounts.
"One of the big challenges with online accounts is that people tend to use the same username and password combinations in multiple accounts. So if one gets compromised, many may end up being compromised," she said.
Her advice for online shoppers:
- Delete online accounts you don't use anymore, including consumer and government program accounts.
- Use strong passwords and change them frequently.
- Don't use the same username and passwords for multiple accounts.
- Use the strongest authentication methods available, such as two-factor authentication, which often requires a code sent by text message or another means in addition to a password to access the account.
Inside Walmart's cyber attack problems
While Walmart says Tomlinson's problem was caused by compromised credentials — not a cyber attack — Sutherland says companies across the board are dealing with such attacks on a regular basis.
Walmart's 2021 annual report says the company's websites and apps are "regularly subject to cyber attacks" which include "attempts to gain unauthorized access … to obtain and misuse customers' or members' information including payment information."
Similar to the LexisNexis survey, the Walmart report says the pandemic has made things even worse.
With more work being done remotely, some of Walmart's "services and third-party service providers' systems" have had "limited security breaches." While those had little impact on operations, the report said, "there can be no assurance of a similar result in the future."
As for Tomlinson, he did get his money back. After Go Public contacted Walmart, the company refunded the cost of the Apple TV as a goodwill gesture, he says.
He is happy to have his money back but is still deciding if he will shop using Walmart's website or app again.
Submit your story ideas
Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories, shed light on wrongdoing and hold the powers that be accountable.
If you have a story in the public interest, or if you're an insider with information, contact GoPublic@cbc.ca with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public.
with files by Jenn Blair