Living with credit, Protecting yourself

How a misspelled email address helped me spot card fraud

Rebecca Lake

It’s hard not to worry about the security of our financial information these days. It seems like there’s a new data breach making headlines at least once a week.

When it came to protecting my bank and credit card accounts, I’d always assumed I was doing everything right:

  • I used unique passwords and updated them regularly.
  • I didn’t handle any major financial transactions using unsecured Wi-Fi.
  • I didn’t give out my debit card PIN number or lend my credit cards to friends and family.
  • I checked my credit report regularly to make sure no one was opening accounts in my name and signed up for free credit monitoring services.

If I was doing all these things, I should have been confident that my accounts were safe, right? But here’s the thing: Identity thieves are sneaky. And sometimes, they’re really good at flying under the radar, as I found out.

Misspelled email address leads to a card fraud attempt

Last summer, I logged into my Capital One account to see if the annual fee had been applied to one of my credit cards, so I could pay off that charge. (At the time, I had three cards with Capital One.)

While I was there, I decided to do a biannual password update. I also checked my personal information and the alert settings for each of my cards.

I noticed that one of my cards had my email address spelled incorrectly. It looked like my email, only a couple of the letters had been switched. I updated the address, thinking it was just a glitch and didn’t think anything more about it.

That is, until a few days later when I got an email alert notifying me that a $200 cash advance withdrawal was pending on one of my accounts.

Wait, what?

I rarely used any of those cards and I certainly wouldn’t have any reason to take a cash advance.

I logged in to my Capital One account again to investigate. I pulled up the pending transactions and found that someone had taken a cash advance from an ATM in Texas just a few minutes before I received the email alert.

Since I live in North Carolina, it was clear to me that someone had hacked my account. A little more digging told me that the fraudster had managed to add themselves to my card as an authorized user.

No fraud alerts? No chance of spotting fraud on your card

The fraudster had changed the email address listed on the account to make it look like my real email address, in what I assume was the hope that I wouldn’t be alerted to any fraud until he or she had a chance to withdraw more cash or do a little shopping on my dime.

Not exactly high-tech hacking, but they got a $200 payday out of it.

I wasted no time calling Capital One to alert my card issuer and explaining what I believed had happened. As this was my first run-in with any kind of credit card fraud, I expected it to be resolved fairly quickly.

It didn’t exactly happen that way, though.

The Capital One representative I spoke with initially seemed reluctant to accept that I hadn’t made a cash withdrawal in Texas, despite assuring her that I lived over 1,000 miles away.

The representative also couldn’t explain to me how the authorized user had been added to my account either, and to this day, I have no idea how the identity thief was able to get access to my card details.

Eventually after some back and forth, Capital One initiated a fraud investigation. From there, it took about two weeks for my card issuer to determine that I’d never added an authorized user and issue a credit refunding the fraudulent advance.

Then I had to go through the added step of canceling the old card and getting a new one delivered, which took another week or so. It was a huge hassle.

Lessons to learn from a card fraud attempt

So, what’s the lesson here? Two things.

1. Don’t skip out on setting up email or text alerts for your accounts. It only takes a minute or two and it can save you serious headaches.

2. Check your accounts regularly. Make sure your personal information is correct so that you’re actually receiving the email or text alerts on your accounts.

If I hadn’t set up email alerts to notify me when there was a new transaction on my account and if I hadn’t checked my account to make sure Capital One had the right email address on file, the damage could have been a lot worse. I might not have known anything was wrong until I received a statement in the mail showing a balance.

Taking extra steps to keep your card account safe

Ever since this happened, I’ve taken steps to up my security game.

I’ve checked every one of my credit card accounts to make sure I have alerts in place, and that the email and phone number on file are mine.

I’ve done the same with my bank accounts since banks don’t offer the same consumer protections against fraud for debit cards as they do for credit cards.

This means I get an email now every time I swipe my debit or credit card, but a quick glance confirms that I’m the one who’s doing the spending, not an identity thief. And a few extra messages in my inbox are well worth it if it means keeping a fraudulent authorized user from having a field day with my debit card or credit cards.

See related: My new BFF who fraudulently opened an authorized user card on my account, 10 things you should know about identity theft

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.