
My SPG Account Got Hacked

 
 
Old Mar 1, 2015, 4:49 pm
  #271  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,134
Originally Posted by flyer4512
It's probably an isolated incident
Alas, as you see, it's not.
mahasamatman is offline  
Old Mar 1, 2015, 8:01 pm
  #272  
 
Join Date: Feb 2009
Posts: 6,604
Originally Posted by mahasamatman
Alas, as you see, it's not.
I started a new thread (post was moved here) and never knew this thread existed, so I had no idea.
flyer4512 is offline  
Old Jun 6, 2015, 6:54 pm
  #273  
 
Join Date: Nov 2002
Location: SEA/YVR/BLI
Programs: UA "Lifetime" Gold, AS MVPG100K, OW Emerald, HH Lifetime Diamond, IC Plat, Marriott Gold, Hertz Gold
Posts: 9,489
I received a “welcome letter” via e-mail early today for an upcoming 10-day stay at a high-end Italian property starting in a few days. Thank goodness because... we made no such reservation.

I called reservations and the agent said someone must have mixed up the email addresses and not to worry - he'd cancel the reservation. But worry I did. The reservation does not show on my account, so I checked it using the confirmation number while signed out of my account and it showed someone with the same last name and a first name that's a variation of my own name (like Billy instead of Bill).

I called SPG again and asked to be transferred to the fraud department. A CS person did some more investigation and determined that it was indeed MY credit card that held the reservation, MY address, email, and phone number attached to it, but a different SPG number. I asked her how my credit card could be used, since I'd removed it from my profile more than a year ago after a similar incident. She responded that even if it is removed, it is retained in the internal system…..she could see it! Needless to say, we immediately cancelled the credit card, while confirming there were no charges or holds on it.

Strange and concerning…
Fredd is offline  
Old Jun 6, 2015, 10:28 pm
  #274  
 
Join Date: Dec 2004
Location: BLI
Programs: Alaska Million Mile Flyer, Marriott Lifetime Titanium Elite
Posts: 3,194
Originally Posted by Fredd
Strange and concerning…
Concerning, but it doesn't make a lot of sense. Why would a fraudster use an email address easily identified by the actual account holder, but a different SPG number? There is no obvious way they'd be able to access any points in the SPG account.

I frequently receive email confirmations for others' hotel reservations (at Starwood and elsewhere) because my email address is just my last name and a common email service provider. But it's never been tied to an actual credit card or loyalty account of mine, and is easily ignored.

Glad to hear you followed up, but something doesn't add up if someone was actually trying to avoid detection, as opposed to just being sloppy in what they entered.
Seattlenerd is offline  
Old Jun 7, 2015, 1:03 pm
  #275  
 
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
Originally Posted by Fredd
I received a “welcome letter” via e-mail early today for an upcoming 10-day stay at a high-end Italian property starting in a few days. Thank goodness because... we made no such reservation.

I called reservations and the agent said someone must have mixed up the email addresses and not to worry - he'd cancel the reservation. But worry I did. The reservation does not show on my account, so I checked it using the confirmation number while signed out of my account and it showed someone with the same last name and a first name that's a variation of my own name (like Billy instead of Bill).

I called SPG again and asked to be transferred to the fraud department. A CS person did some more investigation and determined that it was indeed MY credit card that held the reservation, MY address, email, and phone number attached to it, but a different SPG number. I asked her how my credit card could be used, since I'd removed it from my profile more than a year ago after a similar incident. She responded that even if it is removed, it is retained in the internal system…..she could see it! Needless to say, we immediately cancelled the credit card, while confirming there were no charges or holds on it.

Strange and concerning…
Please post the final resolution for this. I'm curious if this was a booking done by a live reservation agent that somehow crossed personal data, a computer system glitch, or something more sinister.
iflyjetz is offline  
Old Jun 7, 2015, 1:40 pm
  #276  
 
Join Date: Nov 2002
Location: SEA/YVR/BLI
Programs: UA "Lifetime" Gold, AS MVPG100K, OW Emerald, HH Lifetime Diamond, IC Plat, Marriott Gold, Hertz Gold
Posts: 9,489
Originally Posted by Seattlenerd
Concerning, but it doesn't make a lot of sense. Why would a fraudster use an email address easily identified by the actual account holder, but a different SPG number?
Originally Posted by iflyjetz
Please post the final resolution for this. I'm curious if this was a booking done by a live reservation agent that somehow crossed personal data, a computer system glitch, or something more sinister.
After further pondering, I do believe it was sinister, lacking any other more convincing and credible explanation. It was my credit card and billing address used to guarantee the reservation (the card that I removed online from my SPG account over a year ago when I found a reservation on my account that I had not made - coincidentally one at a SPG hotel in the same Italian city, if my memory is correct).

Yes, the email address was mine. If the hotel hadn't sent a "Welcome" e-mail I never would have known. The SPG number was different, perhaps because of some gigantic glitch but perhaps so that I wouldn’t see the reservation in my upcoming stays. The name on the reservation was using my last name and a first name that could possibly be a nickname for my name – though one I have never used or even considered.

The SPG CS rep suggested that it might be an error and said she would call the "other" person (she let it slip that this person is on the other side of the country) to give them a chance to change to a different credit card. Lo and behold, that phone call with the same rep reached my voicemail when I was on hold with her! The only other resolution was that the CS rep phoned the Italian hotel to tell them to remove the credit card from the record, although we had already cancelled it while on this long phone call. I would love to have the police show up to nab anybody checking in on this reservation, but I don’t think that will happen. Could it be an inside job? Could it still be some crazy mixup? Anybody's guess is as good as ours (and maybe better).
Fredd is offline  
Old Jun 7, 2015, 2:24 pm
  #277  
 
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
Fredd, I'll lay out the less sinister case. I'll call the other person Fred2. See if it makes sense to you.

Let's say there was some crossing of information between two accounts. Fred2 calls SPG reservations and makes a reservation for the upcoming stay in Italy. Fred2 gives the correct SPG number, but somehow it's been populated with your data (I don't know how this happened and that's the perplexing part of this).
The reservation agent asks him if he wants to use the CC on file. 'Yes'.
Fred2 sees the reservation on his SPG account so he doesn't see any problems. He probably doesn't notice hotel emails; I usually just delete them.

At check in, the hotel would have required a credit card, passport, etc. At that point, the error would probably have been found.

Were any points used for the reservation? If not, the only thing that could have been negative would have been a credit card charge to your account and that could be easily disputed because there wouldn't be a swipe, not to mention you wouldn't have been in Italy.
iflyjetz is offline  
Old Jun 7, 2015, 2:46 pm
  #278  
 
Join Date: Nov 2002
Location: SEA/YVR/BLI
Programs: UA "Lifetime" Gold, AS MVPG100K, OW Emerald, HH Lifetime Diamond, IC Plat, Marriott Gold, Hertz Gold
Posts: 9,489
Originally Posted by iflyjetz
Fredd, I'll lay out the less sinister case...
Thanks. ^ Yes, I suppose that's possible. The tricky part, as you say, is this:

Fred2 gives the correct SPG number, but somehow it's been populated with your data (I don't know how this happened and that's the perplexing part of this).
We're also a little gun-shy because we experienced a similar problem a year or more ago with an Italian SPG property in the same city. We forget which property as we didn't get an e-mail; rather, I was checking our account and suddenly noticed a similarly lengthy reservation for a lot of Euros. That was somebody accessing details of our account but with somebody else's stolen credit card - in neither instance have our points been pilfered.

If it's an innocent mistake / glitch it isn't quite as troubling as deliberate fraud but it's still troubling.

Or as one of P.G. Wodehouse's characters said, I'm not disgruntled, but I'm not exactly gruntled.
Fredd is offline  
Old Jun 7, 2015, 7:42 pm
  #279  
 
Join Date: Nov 2007
Location: Colorado
Programs: UA Gold (.85 MM), HH Diamond, SPG Platinum (LT Gold), Hertz PC, National EE
Posts: 5,652
Originally Posted by Fredd
Thanks. ^ Yes, I suppose that's possible. The tricky part, as you say, is this:



We're also a little gun-shy because we experienced a similar problem a year or more ago with an Italian SPG property in the same city. We forget which property as we didn't get an e-mail; rather, I was checking our account and suddenly noticed a similarly lengthy reservation for a lot of Euros. That was somebody accessing details of our account but with somebody else's stolen credit card - in neither instance have our points been pilfered.

If it's an innocent mistake / glitch it isn't quite as troubling as deliberate fraud but it's still troubling.

Or as one of P.G. Wodehouse's characters said, I'm not disgruntled, but I'm not exactly gruntled.
Given the amount of fraud that has occurred (Target, Home Depot, etc.) in the last couple of years, I can appreciate your concern.

Not directly related to SPG, but I have set up all of my cards to alert me for every transaction on my phone. It's literally instant that I get an alert, and even helped me identify a transaction attempt two weeks ago at a Best Buy in Ohio, while I was home in Colorado. Regardless, I was taken care of by my bank, but I shut down the card within minutes and prevented further fraudulent transactions from taking place.

With regard to travel accounts such as SPG, Hilton Honors, UA, etc, I try to take a peek at my accounts every day or so, as the level of security is far less in comparison to credit cards, but valuable nonetheless, at least to me.

I hope in the near future hotel, airline, car rental programs, etc take things more seriously when it comes to account security. Until then, best to take steps (as you did) and be proactive in your approach.
COSPILOT is offline  
Old Jun 8, 2015, 8:48 am
  #280  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,399
If Fred2 were located in the same city, I could see this happening when Fred2 called to make a reservation but didn't know his SPG account number. The phone agent would probably look it up using his name and city/state, find Fred and Fred 2, and somehow have both accounts open, mixing them up when making the booking.
MSPeconomist is offline  
Old Jun 29, 2015, 7:08 pm
  #281  
 
Join Date: May 2004
Location: TPE
Programs: AA EXP 2MM
Posts: 507
My account was hacked about 10 days ago, with someone first moving 2,900 points out to buy an iTunes gift card.

I called SPG when I became aware of the transaction and they froze my account and instructed me to change my various passwords. A day or two later, someone tried to transfer another 29,000 points, which was then blocked.

I've since worked with SPG on protecting the integrity of the account and they have unfrozen it, but I'm still a bit perplexed how my account was hacked, considering that I haven't had much activity in the account for several years and nothing else on my computer was compromised. (And I couldn't remember myself my verbal password.)

In any event, SPG was very responsive and efficient in handling the whole situation, and they returned the points that were deducted without my authorization. Kudos.
jiaotze is offline  
Old Jun 30, 2015, 2:48 am
  #282  
Moderator: British Airways Executive Club, Marriott Bonvoy
 
Join Date: May 2006
Location: Englandshire
Programs: SPG LT Plat, BA G, BD*LG, MG Blue+ ...
Posts: 16,027
Originally Posted by jiaotze
I called SPG when I became aware of the transaction and they froze my account and instructed me to change my various passwords. A day or two later, someone tried to transfer another 29,000 points, which was then blocked
Did the second intrusion happen after you changed your passwords? IMHO that would be very concerning indeed.
Oxon Flyer is offline  
Old Jun 30, 2015, 3:57 am
  #283  
 
Join Date: May 2004
Location: TPE
Programs: AA EXP 2MM
Posts: 507
I was in a country with extremely unstable and unreliable Internet service. I thought it would be risky to log on and try to change my password, and perhaps lose the connection and be unable to log out properly, so I decided to call SPG, inform them of the unauthorized activity and ask them to freeze my account until a time when I was where I could reliably communicate with them and change my various passwords/questions.

It was during that interim that someone tried to move the points out of my account, but the request was denied as the account had been frozen.
jiaotze is offline  
Old Jun 30, 2015, 5:29 am
  #284  
 
Join Date: Sep 2012
Posts: 1,748
Originally Posted by jiaotze
I was in a country with extremely unstable and unreliable Internet service. I thought it would be risky to log on and try to change my password, and perhaps lose the connection and be unable to log out properly, so I decided to call SPG, inform them of the unauthorized activity and ask them to freeze my account until a time when I was where I could reliably communicate with them and change my various passwords/questions.

It was during that interim that someone tried to move the points out of my account, but the request was denied as the account had been frozen.

Hmmm. So the "hack" occurred while you were in that country with the unstable internet service. Do you remember logging in while in that country? Could the password have been "sniffed" out that way? (OK I don't really know what I'm talking about but I'm sure the IT types here will put me right :P)
travelswithmyself is offline  
Old Jun 30, 2015, 6:08 pm
  #285  
 
Join Date: May 2004
Location: TPE
Programs: AA EXP 2MM
Posts: 507
I had not logged in to my SPG account for probably 2-3 months prior to this incident. I did log on to the Internet while I was in this country, and my Hotmail account was hacked, but I figured that out immediately and changed passwords. No other account of any type was compromised.
jiaotze is offline  

