I have an entry on the Mystery Shopping section, but this needs to be said relating to CORI. I just deactivated, although it is too late.

I received a Priority Mail envelope yesterday, and in the envelope is a letter on Corporate Research International Letterhead, with my Shopper Number and with instructions to deposit the enclosed money orders and send money and blah blah blah...plus two U.S. Postal Service Money Orders in the amount of $970. Definite fakes. Ok, it's a scam. I get it.

I FINALLY get someone at CORI on the line. I tell them what I received and the response was basically "yeah, some people have already called." MY SHOPPER NUMBER IS ON THE LETTER. If they have my home address, phone number, full name and shopper number....guess what else they have? My SOCIAL SECURITY NUMBER.

Beware, people, beware. CORI rep I talked to was very lackadaisical about this. Because it's not his info that was compromised. It's ours. The shoppers.

I am taking appropriate actions with the authorities and have now deactivated my account with CORI/Stericycle/whatever they are calling themselves this week. I don't know what else to do other than wait for credit card bills to come in from God knows where taken out by someone else in my name. Fabulous.

Who did you speak with at CORI?

I believe he said his name was Leon. He was not helpful.

Yikes! I am so sorry this happened to you! I was afraid something like this would happen to someone. I just checked and I am very glad my profile lists my tax ID number and not my SS number. This is the main reason why I got an EIN and use it for my MS work. Whoever got your info could've hacked into Sassie (not just CORI) and gotten everyone's information.

Believe it or not, one of my friends who had never done a mystery shop before got a similar letter with the CRI name on the letterhead asking for money, sent Priority Mail, asking him to go to Wal-Mart ! There was no shopper number on it. It was just addressed to "Dear Independent Contractor." My friend had just signed up with the isecretshopper service to do a shop, but hadn't done one yet. As far as I know, they have nothing to do with CRI. These scammers must be sharing the CRI letterhead a lot, and targeting people right out of the phone book. My friend has a listed number and address.

It has become common practice for them to use the name of legitimate companies. You have to wonder how many people received the same thing and have never registered with any mystery shopping company. Whenever a real mystery shopper receives a scam email the first thought seems to be, my information had to come from the real company. In reality, most of the time it just random and we are hyper aware because of our business.

I also placed a call to their office, spoke with someone who said he is not aware of any issues at this point. He also told me he didn't know of anyone named Leon in their office. I will post when he gets back to me.

I left a message last night and again this morning.I emailed last night and again this morning. I called back on my lunch hour and spoke to a male. I believe he said his name was Leon but I could be mistaken. The number I called was 800-977-8943 and extension 1365 to be connected to the mystery shopper group. The male I spoke to answered the phone.

The male I spoke to was just like "yeaaaaaaaaaaaah, you're like the third or fourth person....". I asked him if he would like me send him a copy of the letter or the police report. He said no. I asked him if this was being investigated by them and he said "he thought someone was looking into it."

Lisa- If you have a contact, I would love them to give me a call. PM me if anyone is responsive to you. I am very concerned about this and the less than optimal response I have gotten from their company, as you can imagine.

Edited 1 time(s). Last edit at 07/10/2014 08:26PM by dmh426.

I think if I owned a company and my database was breached, I would send out a notice to the shoppers.

So sorry this happened to you. Usually when there is a breach like this a company will offer free credit monitoring for a year. That's sad that CORI isn't doing that.

I'm curious if you checked the shopper number and verified that it was the same as yours? I'd have no clue if mine was right, I would have to check the website to see.

The content of this post has been deleted to help keep my identity on this forum more secure. If I could delete it, I would!

Edited 2 time(s). Last edit at 07/11/2014 09:48PM by nycrocks.

BGriffin- I did check it. I have all my companies, user names and passwords saved on an Excel speadsheet. It was indeed my shopper number. That was on the letter. On the outside of the envelope was my address, my full name including middle initial and my phone number.

NYCRocks- LOL. I have an amazing credit score, just purchased my first home and would like it to stay that way. I went an signed up for fraud alert. I have my direct deposit through CORI and now am going to have to go through the process of changing my account numbers beacuse I am that freaked out.

I'm a part time shopper and I never expected this kind of thing to happen since I educated myself on MSPA and only signed up with reputable companies after I researched all of them.

Kimmiemae- Thank you. It shouldn't have happened but it did. Sigh. I am just disappointed in CORI's response.

LisaSTL- The letter has my correct shopper number on it. This isn't a random scam. There is a breach at CORI.

nycrocks, you are thinking of a different company. cri and cori
are two different companies. the company that does those cell
phone shops is not the same as cori

It is eating away at me again. I called again today and after being left dangling on hold for four minutes, the manager would not get on the phone with me. At least now they want to see the police report, letter, money orders, etc. They want me to email them. The guy that answered the phone is the same who talked to me yesterday and he said they would review my email and someone may be in contact with me.

GUESS WHAT. SOMEONE WILL BE IN CONTACT WITH ME BECAUSE I WILL BE IN CONTACT WITH THEM. REPEATEDLY.

You can file a police report as well for identity theft. You should also bring it to the attention of your state Attorney General's office. Since they mailed it to you, it is also postal fraud.

Since you spoke to him again today, what was his name and title?

LisaSTL- I am embarrased to say that I didn't catch it. There is an accent and he sounds muffled. I was more focused on getting a manager on the phone than talking to that guy again. Not what you want to say to another mystery shopper since getting names is a big part of what we do!

The email address I was given was for a GNowak. I sent the stuff about an hour ago. Nothing yet.

Not to discount the potential ramifications of a breach or to say I even understand the workings of the criminal mind, but I did have a thought this morning. With the breaches that occurred at Target and other retailers, the thieves simply started using the victims credit/debit cards. Assuming there has been some type of breach at CORI, how much sense does it make for the hacker to start sending bogus checks/money orders in the hopes people will fall for it, cash them and return $500 or $1,000. Wouldn't it be much easier and quicker to use the SSNs, bank and/or PayPal information to clean out accounts? That doesn't mean some personal information hasn't been accessed, or that we should not take any precautions, it just makes me wonder if the more vital information was not.

And you not getting the name is funny on a certain level

LisaSTL- That actually does make sense and the second time I read it gave me a little peace of mind. I hope you are right.

It makes no sense at all. With a SS# and either PayPal info or bank account direct deposit info, no thief would waste efforts sending bogus checks that *might* be cashed - they'd go straight for the bank account. With that info, there's lots they could do, far beyond sending a letter and checks.

Given the huge number of forum members who are registered CORI shoppers, it's odd that not a single other report has been posted about a possible breach.

This sounds like just another scammer who is using the letterhead of a legitimate company. As far as a correct shopper number shown on the letter, could the individual OP's e-mail have been hacked? It seems extremely premature at this point to post warnings that CORI's shopper database has been compromised. That does not necessarily appear to be valid at this point.

I disagree AustinMom. Respectfully. I called CORI and was told there were others who had reported the same thing. I'm sorry that none are on this forum and reported it before me. The letter had my address, correct shopper number, etc. I anticipate that you would also take it at face value that their system were hacked should you recieve similar mail to your home.

I do not know what information they got over and above my contact info and shopper info. I, a cynical person, assume the very worst.

There has been no evidence of my email having been hacked. My spouse is a systems administrator (A legal hacker basically) and my shopper email is through that server in my home with an email adress "@businessname.com". If any IP address tagged in to that server, he would know immediately.

CORI has nothing to do with this SCAM. You should report it to CORI. This has happened to many of the MSC's. The SCAM is obvious. You don't cash checks for anyone.

If you are worried about people opening accounts in your name add a fraud victim statement to your credit report. You can call the fraud assistance department at Experian, Equifax or TransUnion and they will send it to the other bureaus as well. This is different than monitoring because it will tell whatever lender that is pulling your report (as a result of a fraudulent application) that you have been a victim of fraud and to contact you before opening any lines of credit.

techman01 Wrote:
-------------------------------------------------------
> nycrocks, you are thinking of a different company.
> cri and cori
> are two different companies. the company that does
> those cell
> phone shops is not the same as cori

Holy crap! You are right. It's another MSC with Corporate and an R for the second name. I'm deleting that post as I gave away too much info about myself in it! I am signed up with CORI/Stericycle (what an odd name for a MS company - sounds more like a recycling sterilization company) but I haven't done any shops for them.

Thanks for setting me straight!

In addition to Lisa's thought, I find it odd that they would target actual mystery shoppers with this scam since as a whole we are probably the single demographic that is the least likely to fall for it.

My friend got targeted purely because of his address. Everyone's address and age are available online these days without anyone having to pay for that information, unfortunately. It's hard to believe thieves are actually paying for Priority Mail for these scam attempts. It's at least $5 for a Priority Mail envelope these days, I think. If there is any type of tracking number on the Priority Mail envelope, the Post Office should be able to get the scammer(s) on video, if they actually cared enough to try to catch them. The problem with the USPS is, they don't seem to care much about anyone's problems, in my experience, and they do things half-assed. The mail carriers often scan packages as being delivered before they deliver them to make it easier for themselves, in my area. If your package gets lost or stolen, you're SOL and it's your word against theirs, so nothing will be done to help you except they will give you some Federal link to report mail fraud and still nothing will happen. No wonder identity thieves are so abundant. I've heard of people knowing the exact address of an identity thief who had things sent to his home using someone else's credit card, and the police didn't do anything. If someone ripped off some corporate entity though, I bet police would jump through hoops to try to prosecute guilty parties.

nycrocks Wrote:
-------------------------------------------------------
> techman01 Wrote:
> --------------------------------------------------
> -----
> > nycrocks, you are thinking of a different
> company.
> > cri and cori
> > are two different companies. the company that
> does
> > those cell
> > phone shops is not the same as cori
>
> ......I gave away too much info
> about myself in it! I am signed up with
> CORI/Stericycle (what an odd name for a MS company
> - sounds more like a recycling sterilization
> company) but I haven't done any shops for them.
>
> Thanks for setting me straight!

You are partially right about Stericycle. They are a medical waste company that has diversified into other areas. They only recently took over CORI, about a year ago. I had worked for Stericycle (not CORI) doing recalls and pick-ups.

I'm not sure a hacker could get at your actual Paypal or bank account even if they had your Paypal email address and your bank account number. Everyone you give a check to has your direct deposit information. You can't get money out of a Paypal account without a password, and CoRI wouldn't have your password.

The bigger risk is that they might use the name, address, and SSN to open a credit card account. But they shouldn't be able to get at your existing funds just by knowing your information. If they try to change a password on Paypal, it will send a confirming email to your email address. If the hacker doesn't have the password to your email account, he can't intercept the confirmation email and respond to it.

I hope you don't use your Paypal or banking password as your password to log into the MSC sites. If you do, you might want to change your financial passwords to something else. MSCs do not protect the passwords used to log into them. I can't count how many emailed me my chosen password when sending me confirmation emails when I sign up with them. Market Force tells you right on the sign in page that your birthdate is your password. Others default to the first two letters of your last name and the last four digits of your phone number -- not all that hard to figure out. I don't use my shopping password anywhere else.

I am in the process of trying to change my SSN on CoRI to my EIN. I don't know if it will work or not. Right now I'm locked out of taking any more jobs until they "confirm" it.

It's really annoying that all the MSCs don't give the option for using an EIN. Some do, some don't. I don't even have a sense of what percentage will accept an EIN. Whenever I can, I use that, but I've given a lot of them my actual SSN because they refused to take an EIN.

dspeakes, I've had the same experience when first signing up with a few MSCs where their system won't accept my EIN. But sometimes I have been able to go back later and put in the EIN number with no problems. All the Sassie companies accept my EIN right away.

I think the next time I'm doing a search of all my MSC job boards, I will systematically look at my profile and check which is there and try to change any that are still SSN's. But some companies have to go through a "verification" (like CoRI does) so I'll need to be sure I don't change any that have jobs I want to do.

I went through all 110+ companies yesterday for a remote route I'm trying to put together. Out of the 110, maybe 10 had jobs. Wish I'd thought to do this yesterday; I could have EIN'd the other 100 and been done with it.