Many of you are probably familiar with Kohl’s, a national department store chain. Like many companies, it has a loyalty program. Kohl’s loyalty program, called “Kohl’s Cash,” credits registered Kohl’s customers with ten dollars for every fifty dollars they spend at the store, which can then be used for subsequent Kohl’s purchases. Recently a number of Kohl’s customers’ Kohl’s Cash accounts were hacked, and the hackers used the customers’ credit cards, which were also registered with Kohl’s Cash, to order large and expensive items that were then delivered to the Kohl’s customers whose accounts were hacked. Although it might initially seem puzzling how a hacker could profit from this scheme, its effectiveness becomes apparent when you realize that what the hackers are really after is the Kohl’s Cash generated by the purchases. The Kohl’s Cash is emailed to the hacker, who changed the account’s email address when he or she hacked into the account, and upon receiving the Kohl’s Cash credits the hacker uses them to buy other products which he or she can then sell on the black market. The reason the hackers initially order large items is to make it more inconvenient for the hacked customers to return the unordered merchandise to the store, which would cancel the corresponding issuance of Kohl’s Cash for the transaction.
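As an added illustration (not from the original post and not Kohl’s own code), here is a simple review rule a retailer could run over its own account activity: any sizable order placed shortly after the account’s email address was changed has its loyalty credit held and a notice sent to the previous address, the one the real owner still controls. The event fields, thresholds and sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event records for illustration; field names are assumed, not Kohl's.
@dataclass
class Event:
    account: str
    kind: str                 # "email_change" or "order"
    at: datetime
    amount: float = 0.0       # order total in dollars (orders only)
    old_email: str = ""       # previous address (email changes only)

def kohls_cash_for(amount: float) -> int:
    """$10 of loyalty credit for every full $50 spent, as the article describes."""
    return 10 * int(amount // 50)

def review_orders(events, window=timedelta(days=3), min_amount=100.0):
    """Flag orders placed within `window` after an email change on the same
    account, so the loyalty credit can be held and the previous address notified."""
    last_change = {}   # account -> (time of change, previous email)
    held = []
    for ev in sorted(events, key=lambda e: e.at):
        if ev.kind == "email_change":
            last_change[ev.account] = (ev.at, ev.old_email)
        elif ev.kind == "order" and ev.account in last_change:
            changed_at, old_email = last_change[ev.account]
            if timedelta(0) <= ev.at - changed_at <= window and ev.amount >= min_amount:
                held.append({
                    "account": ev.account,
                    "order_total": ev.amount,
                    "hold_credit": kohls_cash_for(ev.amount),  # credit not emailed yet
                    "notify": old_email,   # alert the address the owner still controls
                })
    return held

SAMPLE = [  # constructed sample activity, not real data
    Event("acct-1", "email_change", datetime(2020, 3, 1, 9, 0), old_email="owner@example.com"),
    Event("acct-1", "order", datetime(2020, 3, 1, 9, 20), amount=499.0),   # minutes after change
    Event("acct-2", "order", datetime(2020, 3, 2, 12, 0), amount=60.0),    # no email change: normal
    Event("acct-3", "email_change", datetime(2020, 2, 1, 8, 0), old_email="a@example.com"),
    Event("acct-3", "order", datetime(2020, 3, 5, 8, 0), amount=300.0),    # change long ago: normal
]

if __name__ == "__main__":
    for h in review_orders(SAMPLE):
        print(h)
```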
It does not appear that Kohl’s as a company has suffered a data breach; rather, it appears that the accounts of individual Kohl’s customers were hacked because the hacker had access to, or was able to guess, the customers’ passwords.
This scam again highlights the importance of having strong, unique passwords for each of your online accounts. Often companies with weak security are hacked, and the hackers use the passwords stolen in the data breach to access other accounts of the breach victims wherever the same passwords are reused. Other times it is the victims themselves who have had their data stolen directly from their computer, laptop, smartphone or other electronic device after unwittingly downloading keystroke logging malware, most often as a result of phishing that lured the unsuspecting victim into clicking on a link containing the malware. Thus it is important to use strong, unique passwords for each of your accounts, to maintain up-to-date security software on all of your devices, and to refrain from clicking on links in emails or text messages unless you have absolutely confirmed that the email or text message is legitimate.