I have a morning routine, as most do, and mine consists of checking our primary bank accounts to ensure everything is as it should be. You can imagine my anxiety when my password rejected and I was only able to log into my accounts after resetting my password. I then discovered that nearly 200,000 Ultimate Reward points had just vanished overnight. I called Chase right away while still clicking through to try to determine where the points had gone. I quickly discovered that late the night before someone had somehow obtained access to my login ID and within 21 minutes had requested a temporary password, then changed the password, changed the email address on my accounts, transferred all of my points out in “cash” to a bank account not at Chase, and then changed the email back to try to cover their tracks.
The rep I spoke with was at first somewhat dismissive, presuming that my husband had cashed out the points and simply failed to mention it to me. We went through all of the security interrogations (no, the irony of that was not lost on me), and she was able to discover that the points had been cashed out to be deposited into an account at another bank, not Chase, which supposedly had René’s name on it and carried the nickname “G-Baby”. She assured me that the only way the points could be cashed out like this and deposited to an account is if the account has the same name as the Ultimate Rewards account. I had no idea you could cash out the points and send the cash anywhere but to a Chase account, so this was news to me. Fortunately since we caught it immediately, we were able to cancel the fraudulent transaction and the points were returned to my account. We then changed the login ID and password as well and I then proceeded to do the same thing on every single account we have.
I requested to be transferred to the fraud department in order to request this transaction be investigated. After 3 attempts to transfer me to various fraud departments within Chase – online banking, credit card, business services – and each department claiming it had to be handled by another department, she finally reached the customer service fraud department and was told that if the transaction has been reversed and the account login ID changed and therefore secured there was simply nothing to investigate now. Chase fraud department just refused to do anything. When I later called to request new account numbers on all of my credit card accounts with Chase, since this criminal had full access to all of my online banking information for possibly 10 hours before I discovered it, all but one single rep told me I should have been advised to file a police report. I told them their own fraud department refused to even look at it and they were, literally, speechless.
I spent my entire day yesterday changing passwords and login ID’s and making other necessary adjustments to ensure my accounts are secure. You should know I am a very diligent person when it comes to keeping track of finances, and had I not been and not caught this transaction before it actually was processed, I would have lost $2000+ worth of Ultimate Rewards points.
So just who was a fault for this? My husband ran a computer company for 20 years. My PC is always up to date with the latest security software etc. I can tell you that the very first email I got from Chase to alert me about this let me know my password had been reset, that is, a reset request but NOT the link to reset it. This means someone had already been inside my account. While I cannot tell you this was an internal breach inside Chase, I got none of the normal warnings I get when I personally have to reset my password. Normally, whenever I use my laptop from an IP address not from my home, I get alerts to my phone and have to enter a code. I got none of this either also making me feel this had to be an internal Chase hack but I cannot prove that nor was Chase fraud department willing to help me. Most disappointing.
So what have I learned from this I wanted to share? Please continue to be diligent about checking accounts regularly and changing passwords routinely. I have personally updated, one by one, all of my account alert settings so I will be notified if something out of the ordinary happens with any of my accounts. It does take some work but truly a small price to make sure I’m not hacked again! – Lisa