How to detect credit card theft in the early moments

It’s 5:30 am on a Monday and the world is dead silent. I’m not a fan of early mornings or Mondays for that matter, but I’m used to the silence of a sleeping world.

I have a lot of trouble sleeping. Insomnia is a major problem in my life, but I’ve learned to adjust to it over the years. It’s not that I don’t sleep. I do sleep; it just comes at odd hours and for various lengths of time.

Oddly, this jacked-up sleep cycle has been useful to my work and personal life; today is a good example of that.

So, here I am at the desk, bright and early, bleary-eyed and in desperate need of coffee. Part of my morning routine is to scan headlines and check my email.

Today’s a typical day really, aside from a series of messages from Capital One, the company responsible for one of my credit cards.

The company, known for their “What’s in your wallet?” commercials, has a number of security measures that customers can take advantage of, including transaction notifications.

One message was sent at 4:35 am, just an hour before I sat down at the desk, so the transactions that are being reported happened within the last 12 hours. I’ve got three messages total. One is reporting a transaction at Carapace Clothing, followed by a refunded charge at the same store for the amount charged previously. The third email details an Uber transaction.

I’m in Indianapolis, so three charges in Los Angeles, CA are an immediate red flag.

However, I rarely use this card, so if it wasn’t for these emails, it’s possible that whoever obtained my number could have sold it and drained the account in short order before my statement arrived.

The email is below:

–

–

The transactions are small, suggesting that the criminals were testing the card.

These little transactions, one for $5.99 and the other for $2.05, are proof that the card is active. Later, the criminal with access to the card account will use it to purchase tangible items that can be cashed-out for goods, such as gift cards or easily moved items like MP3 players, games, etc.

Still, I’m a security reporter, so I didn’t click any of the links in the email. Instead, I went to my account directly and checked the card online. As it turns out, the notifications were legitimate and the transactions appeared as reported. At that stage, I contacted customer support and they deactivated the card.

Now I get to wait for its replacement. It’s a bit of a hassle, given that I can’t use the card, but worth it considering the alternative.

Again, the only way I would have known about these charges before my monthly statement arrived is the notification emails from Capital One. This is the second time they’ve saved me from losses, the first being when my credit card was compromised during a data breach in 2014.

Capital One isn’t the only financial institution that offers transaction alerts, most credit card companies and banks do, but they’re only useful if you’re taking advantage of them. So the lesson today is, if you haven’t already enabled transaction alerts for your credit cards and banking, do so.

Such alerts are one of the easiest methods for detecting a compromised credit card in the early stages.