A few months back, I helped to set up the e-commerce site for Nutrimart. It's a great family owned business in San Diego, I've been a customer for years, and I was able to knock it out pretty easily.
This weekend I just randomly saw an email flash by about an order, and it piqued my interest a little bit. On first glance, it looked pretty normal.
She had purchased a gift certificate for $100, which is great. People have health fanatic friends, and a gift certificate really isn't a half bad idea (wink wink, in case you're ever wondering what to get me for Christmas).
I checked the IP address and it came back as being from NYC; so that checks out to some degree.
But then I checked the phone number and it belongs to the Pulaski Public Library: a quick phone call revealed that no Maria Darling worked there. Still, no smoking gun. Maybe she just typed the phone number in wrong.
Then shortly thereafter, like within 12 hours, the gift certificate is redeemed by someone in Aurburn, Washington. I google the address, and a dead drop shows up: a location where deliveries can be made and contents picked up. The classic un-inhabited rusted out old business where drug deals happen in a movie.
The people who stole Maria's info are racking up orders all over the Internet, having them shipped to locations like this. If the police are there, no one bothers to stop. If the coast is clear, the inventory is loaded.
Other details start falling in line as well. The shipping phone number rings directly to an un-setup voicemail. The email seemed a little weird too, and googling it brought up the glaring red flag of references to Russia.
Also if you note the shipping method, they paid $32 to have a jug of protein mailed to them. This could have been $10 if they had gone with UPS ground, but when you're spending other people's money who really cares?
So armed with this information, the first thing I'm thinking is Maria Darling, out there in New York, needs to know that her identity has been stolen. Someone has her credit card and her address, and a rather sophisticated con is going on. It's borderline guaranteed that these folks are racking up huge tabs on her account, and she's going to have a nasty mess of a problem to solve.
Remember, all the contact info (minus her adddress) is fraudulent, so I can't contact her directly in a quick manner.
My first call is to the San Diego police department.
Unfortunately I was told that since the crime happened out of state, it's really not their jurisdiction and I should talk to to the FBI.
So then I call the FBI in San Diego. A very nice lady said I should fill out the report online, to which I replied that we have evidence of a crime currently being committed and this lady is actively being defrauded right this very minute: perhaps someone should let her know. I ended up on hold, shuttled around between half interested parties for 20 minutes, and eventually hung up on.
Then I ate a cookie and thought about what else I could do.
Visa! In an ironic attempt to prevent fraud detection, I don't have access to the card number, but certainly if I call up Visa with a lady's name and address, and inform them they're being defrauded, they will contact the card holder. No.
I'm sorry sir, without the card holder's card number I can't help you.
Try as I may, I could not get the local police, the FBI, or even Visa to care enough to do anything in this case. So to Maria Darling, short of booking a flight and waiting at your doorstep with the news, there is absolutely no way I can let you know in a timely manner that right now, as I type this, your finances are being ransacked.
The next time you hear about identify theft and wonder why it's happening at the scale it is, let me provide the answer to you: because it's easy. The distributed nature of these cons, the insulating techniques like dead drops, and the high volume economy we live in makes most of these things incredibly resource intensive to solve.
My guess is the product that would have gotten shipped probably would have ended up on eBay or something similar. Purchased for free, sold at 100% profit, so many steps and layers between all the movements that it would take days of investigative work to put the pieces together.
I wish there was a positive spin to this story: the best I can offer you is to make sure you practice good identity and finance discipline and hope you never fall into the cross hairs of folks like this.