Walmart ships fraudulent order to hacker’s address then leaves customer to recoup cost

After hearing from Go Public, Walmart Canada refunded the cost of the Apple TV.

PHOTO: Craig Chivers/CBC

After Bill Tomlinson warned Walmart that his online account and credit card were being used by fraudsters, he says the retail giant told him it was up to him to try to get his money back.

The alarm bells went off for Bill Tomlinson after he got an odd text message — in French — on Feb. 2 from Walmart Canada. The Pelham, Ont., man doesn’t speak French and hadn’t ordered anything. 

“I thought, what the heck is that? … oh, something’s gone wrong,” Tomlinson told Go Public.

He logged into his account and discovered fraudsters were using it and his credit card on file to place orders and ship them to Montreal.

There were four orders, all on that same day. Two were for dumbbells at $500 apiece, the other two for Apple TVs worth about $250 each.

Walmart had cancelled the first three orders on its own, but Tomlinson noticed the last one for an Apple TV had just been shipped. He called Walmart right away to let the company know, expecting the retail giant would refund the order.

Instead, two days later, Tomlinson says Walmart told him the product had been delivered to Montreal and that he was on his own to try to get the money back.

“They basically washed their hands of it,” Tomlinson said. 

“They said, there’s nothing more we can do for you. This product was ordered on the account, it was paid for by your credit card, it was delivered by us. We did everything that we were supposed to do.”

He says Walmart told him he would have to “deal with his bank” to see if it would reverse the charge.

The fraudster placed four orders on Bill Tomlinson’s account for pricey dumbbells and Apple TVs. Walmart’s fraud detection system caught three of the transactions, but the company still shipped an Apple TV.

Independent financial fraud expert Vanessa Iafolla says she gets several calls a week from people looking for advice on how to recoup their losses after being defrauded online.

“Any company that is going to offer online retail services and make it available for clients or customers to set up accounts is responsible for protecting the security of that account,” Iafolla said.

“I think Walmart really is dropping the ball on this.”

‘More than one chance to stop the order’

When Tomlinson first called Walmart, he was told the company’s fraud detection system had caught the first three orders but not the fourth, and that it needed to look into things before taking action.

Tomlinson does not understand the delay, since all the fraudulent orders were placed on the same day for the same products, and the company already knew the first three were a problem.

He also wants to know why Walmart did not stop the delivery after he flagged the fraud. Failing both those things, Tomlinson says the company should have refunded him the charge without hassle.

“They had more than one chance to stop the order,” Tomlinson said.

“They should have owned up to the fact that they had enough time to solve the problem and they didn’t.”

The website shows the Apple TV was left at the front door of some address in Montreal, more than 650 kilometres from Tomlinson’s address that was on the account. (Bill Tomlinson)

Walmart did not say if it followed up at the Montreal address where the Apple TV was delivered to see who lives there or why its systems failed to flag the fourth fraudulent order.

Go Public wanted to visit the location, but after Tomlinson asked Walmart to lock down his account, he was not able to access the address and Walmart wouldn’t provide details.

The company told Go Public “there was no breach” of its systems and that Tomlinson’s account was taken over by “a bad actor [who] gained access through the customer’s login credentials that were compromised at some point prior to the transactions.”

It said it doesn’t know when or how those credentials were compromised.
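
The gap Tomlinson describes, three orders cancelled as fraudulent while a fourth on the same account still ships, is what an account-level hold rule is meant to close. The sketch below is an added example, not Walmart's system and not from the original article; the `Order` fields, the 24-hour window, the status names and the sample orders are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Order:
    order_id: str
    account: str
    placed: datetime
    item: str
    ship_city: str
    status: str  # hypothetical states: "cancelled_fraud", "open", "shipped"

HOLD_WINDOW = timedelta(hours=24)  # assumed policy value, not from the article

def orders_to_hold(orders, customer_reported=frozenset()):
    """Return ids of unshipped orders that should be held for manual review.

    An open order is held when the customer has reported the account as
    compromised, or when another order on the same account was cancelled
    for fraud within HOLD_WINDOW and shares its ship-to city or its item.
    """
    flagged = [o for o in orders if o.status == "cancelled_fraud"]
    held = []
    for o in orders:
        if o.status != "open":
            continue  # already cancelled or already out the door
        linked = any(
            f.account == o.account
            and abs(o.placed - f.placed) <= HOLD_WINDOW
            and (f.ship_city == o.ship_city or f.item == o.item)
            for f in flagged
        )
        if linked or o.account in customer_reported:
            held.append(o.order_id)
    return held

# Constructed sample data modelled on the four same-day orders in the article
# (ids, times, year and the unrelated acct-2 order are made up).
DAY = datetime(2022, 2, 2, 9, 0)
SAMPLE = [
    Order("A1", "acct-1", DAY, "dumbbells", "Montreal", "cancelled_fraud"),
    Order("A2", "acct-1", DAY + timedelta(minutes=5), "dumbbells", "Montreal", "cancelled_fraud"),
    Order("A3", "acct-1", DAY + timedelta(minutes=9), "apple tv", "Montreal", "cancelled_fraud"),
    Order("A4", "acct-1", DAY + timedelta(minutes=12), "apple tv", "Montreal", "open"),
    Order("B1", "acct-2", DAY, "kettle", "Pelham", "open"),
]

if __name__ == "__main__":
    print(orders_to_hold(SAMPLE))
```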

How fraudsters access online accounts

The number of “account takeovers” — a term for what happened to Tomlinson — has been increasing over the past six months, according to Kimberly Sutherland, vice president of fraud and identity strategy for LexisNexis Risk Solutions, a company that works with government and businesses to combat online fraud.  

A survey report by the company, called The True Cost of Fraud, found Canadian retailers, in general, are doing a poor job of preventing fraud attacks.

In 2021, e-commerce retailers surveyed said they prevented about 4,860 attacks, but failed to stop about 4,800 others.

The survey also suggests online and mobile fraud attacks on retailers appear to be rising since the pandemic started, up 45 per cent in Canada from 2020 to 2021.

The report is based on a survey of 1,118 risk and fraud executives (145 Canadian, 973 U.S.) in small-, mid-, and large-scale retail and e-commerce companies. 

Kimberly Sutherland, vice president of fraud and identity strategy for LexisNexis Risk Solutions, says fake accounts and account takeovers are among the most common online retail frauds. (LexisNexis Risk Solutions)

Sutherland says fraudsters get passwords and credentials from websites that are compromised, then reuse them on other sites to see if they work, or they use malicious software that rapidly generates common user and password combinations to get into accounts.

“One of the big challenges with online accounts is that people tend to use the same username and password combinations in multiple accounts. So if one gets compromised, many may end up being compromised,” she said.

Her advice for online shoppers:

  • Delete online accounts you don’t use anymore, including consumer and government program accounts.
  • Use strong passwords and change them frequently.
  • Don’t use the same username and passwords for multiple accounts.
  • Use the strongest authentication methods available, such as two-factor authentication, which often requires a code sent by text message or another means in addition to a password to access the account.

Inside Walmart’s cyber attack problems

While Walmart says Tomlinson’s problem was caused by compromised credentials — not a cyber attack — Sutherland says companies across the board are dealing with such attacks on a regular basis.

Walmart’s 2021 annual report says the company’s websites and apps are “regularly subject to cyber attacks” which include “attempts to gain unauthorized access … to obtain and misuse customers’ or members’ information including payment information.” 

Similar to the LexisNexis survey, the Walmart report says the pandemic has made things even worse.

With more work being done remotely, some of Walmart’s “services and third-party service providers’ systems” have had “limited security breaches.” While those had little impact on operations, the report said, “there can be no assurance of a similar result in the future.”

As for Tomlinson, he did get his money back. After Go Public contacted Walmart, the company refunded the cost of the Apple TV as a goodwill gesture, he says.

He is happy to have his money back but is still deciding if he will shop using Walmart’s website or app again.

with files by Jenn Blair

Rosa Marchitelli (@cbcRosa) is a national award winner for her investigative work. As co-host of the CBC News segment Go Public, she has a reputation for asking tough questions and holding companies and individuals to account. Rosa’s work is seen across CBC News platforms.

