If you suspect someone is making unauthorized purchases using your email and login information, you must act quickly to secure your digital identity and financial accounts.
Secure Your Primary Accounts
Change your email password immediately to a strong, unique one (at least 12 characters including letters, numbers, and symbols).
Enable Multi-Factor Authentication (MFA/2FA) on your email and any affected shopping accounts.
Sign out of all devices through your account settings to force anyone currently logged in to be booted out.
Check account recovery info to ensure your recovery phone number and backup email haven’t been changed by the attacker.
Address the Unauthorized Purchases
Contact the merchant directly (e.g., Amazon, Walmart) to report the fraud and attempt to cancel any pending orders.
Notify your bank or credit card issuer immediately to report fraudulent charges and request a replacement card or account freeze.
Review your sent and trash folders for “password reset” or “order confirmation” emails you didn’t initiate; attackers often delete these to hide their activity.
Broaden Your Security
Update other accounts that use the same or similar login credentials.
Run a deep antivirus scan on all your devices to check for keyloggers or malware that may have captured your login details.
Place a fraud alert on your credit report by contacting one of the major bureaus (Equifax, Experian, or TransUnion) to prevent new accounts from being opened in your name.
Receiving an email confirmation for an order you didn’t place is a classic sign of a phishing scam. Scammers send these to trigger a “panic response,” hoping you will click their “cancel order” link or call their “support” number to provide your real login or payment details.
Before taking further action, verify if the email is legitimate or a fake using these steps:
Inspect the “From” Address
Check the Domain: Hover over or click the sender’s name to see the actual email address.
Look for Mismatches: A real Amazon email will come from @amazon.com. Scammers use “lookalike” domains like @amazon-support.net or public addresses like @gmail.com.
Spot Substitutions: Watch for subtle swaps, like the number 1 for the letter l (e.g., paypa1.com) or rn for m (e.g., arnazon.com).
Check for Red Flags in the Content
Generic Greeting: Legitimate companies usually use your name. Be suspicious of “Dear Customer,” “Dear Valued Member,” or no greeting at all.
Urgent/Threatening Language: Scammers use phrases like “Act now to avoid charges” or “Your account will be suspended” to rush you.
Poor Grammar/Formatting: Look for awkward phrasing, spelling errors, or inconsistent fonts and logos.
Suspicious Links: Hover your mouse over any “Cancel Order” or “Login” button without clicking. The URL that appears in the corner of your browser should match the official website exactly.
Verify Safely
Log in Manually: Never use links from the email. Open a new tab, go directly to the store’s official website (e.g., Amazon.com, Walmart.com), and check your Order History.
Check Your Bank: Log in to your banking app independently to see if there is a matching “Pending” or “Posted” charge.
Official Support: If you need to call the company, find their number on their official website, not the one listed in the suspicious email.
If the email is a scam: Do not reply, click links, or download attachments. Report it as spam in your email client and delete it.
***************************
If the charges are already on your bank statement, the security breach is active and requires immediate financial intervention to prevent further loss.
Contact Your Bank Immediately
Call the Fraud Department: Use the official number on the back of your card or the Bank of America, Wells Fargo, or U.S. Bank customer service lines.
Request a Freeze/Block: Ask the representative to immediately freeze the account or block the card to stop any additional pending transactions.
Report Every Unauthorized Charge: Go through your statement and identify every transaction you did not make, no matter how small.
Order a Replacement: Have the bank close the compromised card and issue a new one with a different number.
Formally Dispute the Charges
Initiate a Dispute: Most banks allow you to start this via their mobile app or website, but you may need to follow up with a phone call.
Know Your Liability:
Credit Cards: Federal law (FCBA) limits your liability to $50, and many issuers offer zero-liability protection if reported quickly.
Debit Cards: You must report unauthorized transfers within 2 business days to limit your liability to $50. Waiting longer can increase your liability to $500 or the full amount.
Send a Written Follow-up: To protect your legal rights, send a formal dispute letter via certified mail within 60 days of the statement date.
Broad Identity Protection
Place a Fraud Alert: Contact one of the three major bureaus—Equifax, Experian, or TransUnion—to make it harder for scammers to open new accounts in your name.
Update All Financial Logins: Change passwords and enable 2FA for all banking and investment apps immediately.