Halloween is conventionally associated with all sorts of scary stuff – spiders, vampires, and horror movies. This year I was hit with something far worse… over $10k worth of financial theft via cyber crime.
Warning #1
On Tuesday, October 24, I got a vague text informing me of suspicious activities on my Citi Prestige and prompting me to call. The card account would’ve been heavily restricted in the meantime.
Having been a decade into the credit card game, I was familiar with all sorts of fraud alerts from all major banks. I had grown unfazed by both real fraud leading to card closures and false alarms triggered by my more creative purchases. However, this text felt different. It did not refer to a particular transaction, and was many hours after my last use of the card. I’d have written it off as a potential phishing attempt, though it did correctly reference the last 4 digits of my card number. Then when I logged into my online account, a warning was flagged there too. I called the number that the online account instructed me to, which eerily differed from what was listed in the text (Citi not doing its part to inspire confidence).
The agent asked me to verify the one pending charge on the card. It was lunch at a place that I regularly visit, and thus couldn’t possibly be the trigger. She also let me know that there were some suspicious activities trying to access my card account, but had zero details to offer. The only unusual thing I could think of was an online bill pay I made the day before, with the remaining balance in a checking account that I closed. $4.52 was perhaps an oddly small payment, but it was still a stretch how that could lead to a red flag. With no other information to work with, we just focused on resetting the account status so I could continue using that card.
Warning #2
On Wednesday, October 25, the same text struck within 18 hours of the first one. I took a break from work and called again. It was a similar interaction where I had to confirm both the lunch I just paid for and the lunch that I had already confirmed the day before. The agent had no clue what else was wrong so we moved on. Now I was annoyed, thinking there was something wrong in Citi’s system that made it overly trigger-happy. I just hoped I wouldn’t get one of these every time I swipe the card.
The Hit
On Sunday, October 29, we woke up in anticipation of a series of Halloween festivities. After breakfast, I glanced at my email and saw a long list of messages from Citi. My heart sank.
This was not a warning. It was way worse. From a quick glance it seemed like somebody had:
- Changed the security password on my Citi Prestige card
- Changed the phone number on my account
- Redeemed a ton of my points for gift cards (Macy’s of all places) and travel
- Attempted to put charges on my other cards and triggered a denial on one of them
- Registered for a new online login to my account
- Changed the email address on my account
The last item meant that should there be further attacks on my accounts (and there were), I wouldn’t even be notified. Unsurprisingly, my online login stopped working, too, so I couldn’t even assess the damage.
This episode was terrifying because while fraudulent credit card charges were easy to dispute, I had no idea how unauthorized use of reward points would be handled.
The Calls
As I had feared, to report the crime, I had to speak with THREE separate groups of people at Citi.
The first call was the conventional credit card fraud department, which was fairly professional with an efficient protocol in place. In minutes, I was able to reverse the contact info changes and delete the newly created user ID. The ease of doing so was a pleasant surprise to me, but it likely also enabled the fraudster to accomplish his criminal activities so quickly. I asked the agent to temporarily lock all my credit cards while I tackled the problem.
A little piece died inside me to learn that my user ID of 20 years was gone. To add salt to the injury, the fake one copied mine and merely added an extra letter at the end. It remains unclear whether the criminal somehow hacked in using my online login, or obtained it after using my credit card information to sneak into the system. I had to re-register for a user name and re-link all my accounts. It sucked.
Then I had to call Citi ThankYou Rewards about the unauthorized redemption of gift cards. The lady was nice but not exactly helpful and hardly sympathetic. She was disconnected from the rest of the conversation and thus not handling the issue with nearly the urgency needed for a crime in action. She submitted the case “for investigation” which would take “7-10 business days”. There was no indication of who would be responsible for the next steps or reassurance that Citi would be committed to protecting my reward points.
A third call was also needed because, somehow, entirely different groups handled gift card vs. travel redemption of the same ThankYou points. This call was easy because the reservation was a hotel booking with free cancellation, so I got my points back the same way I could have changed my mind on a legit reservation that I made for myself.
The Damage
With the most urgent calls done and my online access restored, I looked into the damage. I cringed looking at these 11 redemption orders of $500 Macy’s gift cards, which drained 550,000 points from my primary ThankYou Rewards account. The thief had somehow made this massive order before changing the email address on the account, so the GCs landed in my inbox. Not sure if that was a mistake on his part or if he had another way of obtaining the funds.
The more interesting theft was a reservation made at Kempinski Hotel Gold Coast City, a $500-per-night hotel in Accra, Ghana. The thief had originally tried to make a 4-night booking in an executive room by draining the points balance in my secondary ThankYou account and charging the rest to my Citi DoubleCash. When the payment failed, he booked a 3-night reservation in a standard room instead, fully pre-paid using 156,601 points or 92% of the account balance.
The reservation was scheduled for 10/31 (West Africa time zone), and had free cancellation up to one day in advance. If I had noticed the incident a day later, the hotel could presumably pocket the entire $1,566 USD worth of prepaid amount. The reservation was for Benjamin Akwetey (FUCK YOU BEN), though there’s little reason to think it’s a real name. The original reservation that failed to go through had my name on it, and I can’t imagine it being a mere rookie mistake. Would a sophisticated criminal go this far to have a 5-star vacation? Or is this a scheme to launder money through the hotel?
The Loose Ends
Well, I’m still out 550,000 Citi ThankYou points. What could have been $15,000 worth of Singapore Airlines flights had been converted to $5,500 in Macy’s gift cards. My follow-up calls with Citi regarding the investigation have been nothing short of frustrating. Fingers crossed that the investigation would lead to a just outcome.
I reached out to the hotel to report the incident. Presumably a business with integrity would be interested in helping combat crime or at least disassociating its name from bad actors, though it’s anyone’s guess whether Kempinski Hotel Gold Coast City is partaking in this criminal activity. Will be fascinating to see how they respond.
I also reported the crime to the local sheriff’s office. A deputy sheriff was dispatched rather quickly (how I wish the bank, a private company, would do its job as efficiently as this government entity). Not that I expected any regional law enforcement to actually tackle a cyber crime like this, but I was grateful that he took down the report seriously and expressed much empathy.
However any of the above resolves, though, there remains an uneasy feeling around how the sequence of events went down. It’s not at all surprising that a 20-year-old login from someone constantly opening and closing accounts gets compromised. What’s frustrating is that while early signs of trouble had clearly triggered Citi’s warning system, nobody was able to articulate what went wrong or how to nip it in the bud. Furthermore, Citi’s handling of the incident has lacked a sense of seriousness to show that they cared about the massive reward balance built up over a decade. I’ll withhold further judgment and hope for the best.