Online fraudsters are apparently taking advantage of Kohl’s rebate program to turn unwanted orders into illegitimate purchases.
Krebs on Security shares the story of a Kohls.com customer, one Suzanne Perry, who says that her online account with the retailer was recently overtaken by an unauthorized third party. Of particular surprise to her, she tells the outlet, was the discovery that the fraudulent orders that were made by the cyberthief (or thieves) using her account were being shipped to Perry’s home.
“I told [Kohl’s] I couldn’t understand why someone would hack into my account just to have a bunch of stuff shipped to my own address,” Perry told Krebs on Security. “I was trying to figure out what the criminal would possibly have to gain from the effort, but the service representative informed me that is actually a very common occurrence for them.”
The Kohl’s representative explained to Perry that sending her unwanted items was only one part of the fraudsters’ goal — that being to gain access to Perry’s Kohl’s Cash, the retailer’s form of store credit that accrues with each purchase made. The hackers’ likely strategy was to use the time that it would take for Perry to receive the items and realize they were sent in error to spend that stolen Kohl’s Cash (which they were able to gain access to via Perry’s compromised email account that was linked to her Kohl’s account) before Perry had a chance to return the goods.
“The representative told me, when these types of fraudulent transactions occur, the victim usually is unaware of it until the items arrive at their house,” Perry continued. “Since the items ordered tend to be large, it generally takes longer for a customer to be able to bring them back for a refund. Had I not questioned the email address change, the items would have shipped to me, and the $220 in Kohl’s Cash [at the program’s current rate of $10 for every $50 spent] would have been long spent by the criminal before I had the opportunity to take the items back and rectify the situation.”
Kohl’s spokesperson Jen Johnson told Krebs on Security in an email that the company “is aware of a limited number of cases where fraudsters have obtained login information from outside sources to make purchases to earn Kohl’s Cash.”
“We are always working to protect our customer shopping experience and will continue to look at ways to make it more difficult for fraudsters in the future,” Johnson wrote. “Customer service is a top priority for Kohl’s, and, as always, we will work with any customer who has had a less-than-optimal experience. As a best practice, we would encourage customers to regularly change their passwords and to not use the same password for multiple accounts.”