Never mind stealing credit card information: Some thieves have moved on to stealing Kohl’s Cash — yes, the discount department store chain’s coupon-like rewards.
A Kohl’s spokesperson also confirmed to KrebsOnSecurity that the publicly traded company “is aware of a limited number of cases.”
These incidents start with scammers obtaining the kohls.com log-in information of Kohl’s customers.
In the case of Suzanne Perry, KrebsOnSecurity reports that scammers changed the email address she had on file with kohls.com and purchased nearly $700 in bulky goods through her account. As a result, the $220 in Kohl’s Cash earned on the purchases was emailed to the scammers while the goods were mailed to Perry’s home.
According to Brian Krebs, the reporter behind KrebsOnSecurity, the scammers quickly redeem the Kohl’s Cash at stores for items they can resell. By ordering bulky items, which take longer to return, the scammers gain extra time to use the Kohl’s Cash. The time delay is important because Kohl’s revokes Kohl’s Cash rewards when the items purchased to gain them are returned.
Perry became suspicious when she received an email from Kohl’s informing her that her account password had been changed, a key indicator of a compromised account.
Another Kohl’s customer, Diane Poremsky, blogged in October that she did not realize she had been targeted until the goods — 11 identical men’s dress shirts totaling nearly $500 — were delivered to her door. Scammers had used the credit card information she stored on the online account to make the purchase.
The moral of the story? Passwords.
This type of fraud usually stems from customers picking weak passwords, or re-using the same password at multiple sites.
The Kohl’s spokesperson had similar advice:
“As a best practice, we would encourage customers to regularly change their passwords and to not use the same password for multiple accounts.”
Have you heard of this type of fraud? Let us know below or on Facebook.