Scam artists have been using hacked accounts from retailer Kohls.com to order high-priced, bulky merchandise that is then shipped to the victim’s home. While the crooks don’t get the stolen merchandise, the unauthorized purchases rack up valuable credits called “Kohl’s cash” that the thieves quickly redeem at Kohl’s locations for items that can be resold for cash or returned for gift cards.
KrebsOnSecurity reader Suzanne Perry, a self-professed “shopaholic” from Gilbert, Penn., said she recently received an email from Kohls.com stating that the email address on her account had been changed. Recognizing this as a common indicator of a compromised account, Perry said she immediately went to Kohls.com — which confirmed her fears that her password had been changed.
On a whim, Perry said she attempted to log in with the “updated” email address (the one the thief used) along with her existing password. Happily, the thieves had been too lazy to change the password.
“Once I was logged in, I checked my order history to determine if any fraudulent orders were placed in the 20 minutes since I received the notification,” she said. “I wasn’t that surprised to see two online orders, totaling almost $700 each, but I was very surprised to see they were being shipped to my house and not some address I never heard of.”
Perry said she then contacted Kohl’s and gave them the two order numbers and the fraudulent email address.
“I explained what happened, and they were very helpful in canceling the orders, updating my email address, and resetting my password,” she said. “I told them I couldn’t understand why someone would hack into my account just to have a bunch of stuff shipped to my own address. I was trying to figure out what the criminal would possibly have to gain from the effort, but the service representative informed me that is actually a very common occurrence for them.”
Turns out, the criminal wasn’t after the merchandise at all. Rather, the purpose of changing her email address was to drain the account’s stored Kohl’s cash, a form of rebate that Kohl’s offers customers — currently $10 for every $50 spent at the store. The two fraudulent orders yielded $220 in Kohl’s cash total, which is emailed once the order is confirmed (hence the need to change the victim’s email address).
“Since the orders were being shipped to me, even though they were above the threshold for what my typical online spending behavior is, no red flags were raised on their end,” Perry said.
More interestingly, virtually all of the merchandise the thieves ordered to build up the account’s Kohl’s cash balance was bulky: three baby cribs, a stroller system and car seat, and a baby bath tub, among other items. Perry said Kohl’s told her that the thieves do this because they know bulky items usually take longer to return, and since Kohl’s revokes Kohl’s cash credits earned on items that are later returned, the thieves can spend the stolen Kohl’s credits as long as the owner of the hijacked account doesn’t return the fraudulently ordered items.
“The representative told me when these types of fraudulent transactions occur, the victim usually is unaware of it until the items arrive at their house,” Perry said of her conversation with the Kohl’s representative. “Since the items ordered tend to be large, it generally takes longer for a customer to be able to bring them back for a refund. Had I not questioned the email address change, the items would have shipped to me and the $220 in Kohl’s cash would have been long spent by the criminal before I had the opportunity to take the items back and rectify the situation.”
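The scheme above relies on two things: the rewards email going to the freshly changed address, and delivery to the victim's own home looking harmless. As an added, hypothetical example (not Kohl's code), here is a rewards-issuance review rule that holds credits earned shortly after a contact-detail change, notifies the address on file before the change, and deliberately does not treat "ships to the account holder's address" as a safe signal; the event stream and the 24-hour window are constructed assumptions, and the $10-per-$50 rate is the one quoted in the article.

```python
from datetime import datetime, timedelta
from statistics import median

KOHLS_CASH_PER_50 = 10.0            # rebate rate quoted in the article: $10 per $50 spent
REVIEW_WINDOW = timedelta(hours=24)  # assumed: hold rewards on orders this soon after a contact change

# Constructed sample event stream for one account (not real data).
EVENTS = [
    {"ts": "2014-02-10T09:00:00", "type": "order_placed", "order_id": "B7", "amount": 80.00},
    {"ts": "2014-02-20T18:30:00", "type": "order_placed", "order_id": "B8", "amount": 120.00},
    {"ts": "2014-03-01T10:00:00", "type": "email_changed",
     "old_email": "victim@example.com", "new_email": "attacker@example.net"},
    {"ts": "2014-03-01T10:05:00", "type": "order_placed", "order_id": "A1", "amount": 560.00},
    {"ts": "2014-03-01T10:12:00", "type": "order_placed", "order_id": "A2", "amount": 560.00},
]

def rewards_earned(amount):
    """Rewards credit for one order: $10 per full $50 spent."""
    return int(amount // 50) * KOHLS_CASH_PER_50

def review_rewards(events):
    """Per order, decide whether its rewards credit may be issued right away.

    Orders placed within REVIEW_WINDOW of an email/password change are held,
    and the hold notice goes to the address on file *before* the change, so
    the real owner (not whoever changed the address) learns the credit exists.
    Shipping to the account holder's own address is not used as a safe signal.
    """
    last_change = None      # (timestamp, previous email) of the latest contact change
    prior_amounts = []      # spend history, to spot orders far above the usual size
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] in ("email_changed", "password_changed"):
            last_change = (ts, ev.get("old_email"))
            continue
        if ev["type"] != "order_placed":
            continue
        reasons = []
        if last_change and ts - last_change[0] <= REVIEW_WINDOW:
            reasons.append("order placed within %s of a contact-detail change" % REVIEW_WINDOW)
        if prior_amounts and ev["amount"] > 3 * median(prior_amounts):
            reasons.append("amount exceeds 3x this account's typical order")
        decisions.append({
            "order_id": ev["order_id"],
            "rewards": rewards_earned(ev["amount"]),
            "hold": bool(reasons),
            "reasons": reasons,
            "notify_previous_email": last_change[1] if (reasons and last_change) else None,
        })
        prior_amounts.append(ev["amount"])
    return decisions
```

On the constructed stream, the two post-change orders are held with $110 of credit each ($220 total, matching the amount in the article), while the earlier, ordinary-sized orders are issued normally.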
Perry said she was shocked by the scam’s complexity and sheer gumption.
“The people behind this are clearly making every effort to not only defraud an account, but also to inconvenience the affected customer as much as possible,” she said. “I think Kohl’s handled the situation well over all; the email notification of an account change is more than I get from some other online shopping sites, and they were able to cancel the Kohl’s cash. Still, I’m a bit surprised they aren’t doing anything to promote awareness among their customer base.”
Reached for comment about the apparent fraud trend, Kohl’s spokesperson Jen Johnson said the company “is aware of a limited number of cases where fraudsters have obtained login information from outside sources to make purchases to earn Kohl’s Cash.”
“We are always working to protect our customer shopping experience and will continue to look at ways to make it more difficult for fraudsters in the future,” Johnson wrote in an emailed statement. “Customer service is a top priority for Kohl’s and, as always, we will work with any customer who has had a less than optimal experience. As a best practice, we would encourage customers to regularly change their passwords and to not use the same password for multiple accounts.”
This type of fraud usually stems from customers picking weak passwords, or re-using the same password at multiple sites. However, Perry said she’s still mystified how the thieves were able to get hold of her password, which she said was an 11-character, three-word phrase that she didn’t use on any other site.
It’s unclear how much is lost annually to points and rewards fraud, but the industry is ripe for the picking: Loyalty program experts at Colloquy.com estimated in 2011 that some 2.6 billion loyalty memberships generated $48 billion in rewarded points and miles.
Have you experienced similar fraud at merchants that offer rewards points or cash? Sound off in the comments below.
Wouldn’t the person get an email about placing an order? Even if the crook changed the email the original email should get a message saying the email had been changed?
It says right in the second paragraph that the reader who reported this scam “received an email from Kohls.com stating that the email address on her account had been changed”. In the future, try reading the post before you comment.
Get rid of your Kohls account — their security is terrible.
My identity was stolen several years ago. Several new accounts were opened at various retailers, all of which caught the fraud and called me before I even knew about it. The sole legitimate account that the thieves were able to access was Kohls. They purchased so much jewelry that I got a fancy gold-foil envelope and thank you note for my purchase from the president of Kohls. I would have preferred a note of apology for having such a crappy security system.
If you forget your Kohl’s card, the checkout clerk simply turns the terminal around and asks you to enter your SSN and show your driver’s license. The terminal looks up your account and allows the transaction to proceed. That customer “convenience” is a gaping wide point of vulnerability if (when) an identity thief shows up. I closed the account during my phone call with Kohl’s security and never looked back.
I no longer use store cards, and I use a credit card from a bank with an aggressive fraud alert program. I’m delighted to get a text from them when I make an unusual purchase.
Just got hacked.. my email was loaded with over 10k, yes 10,000, emails, and in the middle of it was an order placed with Kohls for over $100 worth of items shipped to some unknown person across the US and charged to my account. I am working with UPS to put a hold on the order and have told Kohls of the fraud on the account. I don’t recall the Kohls rep being very friendly at all, but almost condescending that I was feeling so scared and afraid of what else the hackers had a hold of. I had to take it upon myself to try and stop the order from Kohls, as they told me they would do it, but UPS said it is Kohls that would have to contact UPS to try and put a stop on the order.. I would cancel the account too after this ordeal.
Same thing just happened to us. Suggest you get rid of ALL your revolving retail card accounts. We have now had this happen with Macy’s, Target, and Kohl’s, and it is just ludicrous their security sucks so much! We now have a primary credit card, and one back-up, and EVERY other card is shredded!