Walmart ships fraudulent order to hacker’s address then leaves customer to recoup cost


A Walmart customer says the company left him in the lurch after someone got into his online account and went on a shopping spree. He says he warned Walmart there was a problem, but after one of the orders was delivered to the fraudster, the retailer told the customer he was on his own to recoup the loss.

After Bill Tomlinson warned Walmart that his online account and credit card were being used by fraudsters, he says the retail giant told him it was up to him to try to get his money back. (Craig Chivers/CBC)

The alarm bells went off for Bill Tomlinson after he got an odd text message — in French — on Feb. 2 from Walmart Canada. The Pelham, Ont., man doesn’t speak French and hadn’t ordered anything. 

“I thought, what the heck is that? … oh, something’s gone wrong,” Tomlinson told Go Public.

He logged into his account and discovered fraudsters were using it and his credit card on file to place orders and ship them to Montreal.

There were four orders, all on that same day. Two were for dumbbells at $500 apiece, the other two for Apple TVs worth about $250 each.

Walmart had cancelled the first three orders on its own, but Tomlinson noticed the last one for an Apple TV had just been shipped. He called Walmart right away to let the company know, expecting the retail giant would refund the order.

Instead, two days later, Tomlinson says Walmart told him the product had been delivered to Montreal and that he was on his own to try to get the money back.

“They basically washed their hands of it,” Tomlinson said. 

“They said, there’s nothing more we can do for you. This product was ordered on the account, it was paid for by your credit card, it was delivered by us. We did everything that we were supposed to do.”

  • Got a story? Contact Rosa and the Go Public team

He says Walmart told him he would have to “deal with his bank” to see if it would reverse the charge.

The fraudster placed four orders on Bill Tomlinson’s account for pricey dumbbells and Apple TVs. Their fraud detection system caught three of the transactions — but still shipped an Apple TV. (

Independent financial fraud expert Vanessa Iafolla says she gets several calls a week from people looking for advice on how to recoup their losses after being defrauded online.

“Any company that is going to offer online retail services and make it available for clients or customers to set up accounts is responsible for protecting the security of that account,” Iafolla said.

“I think Walmart really is dropping the ball on this.”

‘More than one chance to stop the order’

When Tomlinson first called Walmart, he was told the company’s fraud detection system had caught the first three orders but not the fourth, and that it needed to look into things before taking action.

Tomlinson does not understand the delay, since all the fraudulent orders were placed on the same day for the same products, and the company already knew the first three were a problem.

He also wants to know why Walmart did not stop the delivery after he flagged the fraud. Failing both those things, Tomlinson says the company should have refunded him the charge without hassle.

“They had more than one chance to stop the order,” Tomlinson said.

“They should have owned up to the fact that they had enough time to solve the problem and they didn’t.”

The website shows the Apple TV was left at the front door of some address in Montreal, more than 650 kilometres from Tomlinson’s address that was on the account. (Bill Tomlinson)

Walmart did not say if it followed up at the Montreal address where the Apple TV was delivered to see who lives there or why its systems failed to flag the fourth fraudulent order.

Go Public wanted to visit the location, but after Tomlinson asked Walmart to lock down his account, he was not able to access the address and Walmart wouldn’t provide details.

The company told Go Public “there was no breach” of its systems and that Tomlinson’s account was taken over by “a bad actor [who] gained access through the customer’s login credentials that were compromised at some point prior to the transactions.”

It said it doesn’t know when or how those credentials were compromised.

WATCH | Customer charged for Apple TV that Walmart shipped to fraudster: 

Walmart shipped fraudulent purchases to hacker, left customer to pay for it | Go Public

An Ontario man says after his online Walmart account was hacked, the company shipped some fraudulent purchases to the hacker and said he’d after to cover the costs – until Go Public stepped in. 2:04

How fraudsters access online accounts

The number of “account takeovers” — a term for what happened to Tomlinson — has been increasing over the past six months, according to Kimberly Sutherland, vice president of fraud and identity strategy for LexisNexis Risk Solutions, a company that works with government and businesses to combat online fraud.  

A survey report by the company, called The True Cost of Fraud, found Canadian retailers, in general, are doing a poor job of preventing fraud attacks.

In 2021, e-commerce retailers surveyed said they prevented about 4,860 attacks, but failed to stop about 4,800 others.

The survey also suggests online and mobile fraud attacks on retailers appear to be rising since the pandemic started, up 45 per cent in Canada from 2020 to 2021.

The report is based on a survey of 1,118 risk and fraud executives (145 Canadian, 973 U.S.) in small-, mid-, and large-scale retail and e-commerce companies. 

Kimberly Sutherland, vice president of fraud and identity strategy for LexisNexis Risk Solutions, says fake accounts and account takeovers are among the most common online retail frauds. (LexisNexis Risk Solutions)

Sutherland says fraudsters get passwords and credentials from websites that are compromised, then reuse them on other sites to see if they work, or they use malicious software that rapidly generates common user and password combinations to get into accounts.

“One of the big challenges with online accounts is that people tend to use the same username and password combinations in multiple accounts. So if one gets compromised, many may end up being compromised,” she said.

Her advice for online shoppers:

  • Delete online accounts you don’t use anymore, including consumer and government program accounts.
  • Use strong passwords and change them frequently.
  • Don’t use the same username and passwords for multiple accounts.
  • Use the strongest authentication methods available, such as two-factor authentication, which often requires a code sent by text message or another means in addition to a password to access the account.

Inside Walmart’s cyber attack problems

While Walmart says Tomlinson’s problem was caused by compromised credentials — not a cyber attack — Sutherland says companies across the board are dealing with such attacks on a regular basis.

Walmart’s 2021 annual report says the company’s websites and apps are “regularly subject to cyber attacks” which include “attempts to gain unauthorized access … to obtain and misuse customers’ or members’ information including payment information.” 

Similar to the LexisNexis survey, the Walmart report says the pandemic has made things even worse.

With more work being done remotely, some of Walmart’s “services and third-party service providers’ systems” have had “limited security breaches.” While those had little impact on operations, the report said, “there can be no assurance of a similar result in the future.”

As for Tomlinson, he did get his money back. After Go Public contacted Walmart, the company refunded the cost of the Apple TV as a goodwill gesture, he says.

He is happy to have his money back but is still deciding if he will shop using Walmart’s website or app again.

Submit your story ideas

Go Public is an investigative news segment on CBC-TV, radio and the web.

We tell your stories, shed light on wrongdoing and hold the powers that be accountable.

If you have a story in the public interest, or if you’re an insider with information, contact [email protected] with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public.

Follow @CBCGoPublic on Twitter.

Read more stories by Go Public.

Read More

You might also like

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More