The postman surprised me with a package from Kohl’s today. I thought he had the wrong address, but nope, it was for me. Funny, I didn’t remember ordering it. Did my kids send me something? Nah… probably not.
I opened it and found 11 men’s dress shirts, all one size and color. Definitely not from my kids!
Was it a mistake? Did Kohl’s somehow mistakenly send me a package meant for someone else?
I log into my Kohl’s account and see that $497.89 was charged to my credit card account. I’m scratching my head, trying to understand the scam on this one. What benefit is there to the hacker if he uses my store charge card and sends me the merchandise?
I dial the number on the invoice.
The Kohl’s fraud department filled me in on the scam. The scammer didn’t want my card or the merchandise; he wanted the $90 in Kohl’s cash generated by the sale. The scammers used to order high-ticket items, but Kohl’s added more controls to catch those orders, so the scammers moved to ordering clothing and handbags and keeping the sale under $500 so it would be less obvious. As if 10 identical handbags or 11 identical shirts shouldn’t make someone go “hmmm…”.
I don’t recall hearing about a breach of Kohl’s shopping accounts, but someone was able to log into my Kohl’s shopping account, change my email address, and place the order on my stored Kohl’s card. I hadn’t ordered anything in over a year, I check my Gmail account less often these days, and I figured it was safe to store the Kohl’s card since it can only be used at Kohl’s. Boy, was I wrong on that last one!
Kohl’s was able to stop the Kohl’s cash so the scammer got nothing this time.
Kohl’s closed my online shopping account and cancelled my store card.
We returned the merchandise to the local Kohl’s store for a refund tonight. The employees at the service desk had never heard of this scam before. Like me, they couldn’t understand shipping an order for 11 identical items without confirming with the customer that it was correct.
Tonight I’m changing my username on all accounts that use that username or the email address I used with Kohl’s. I’m removing stored credit cards. I’m changing the email address on my accounts to one I check daily and adding text message notifications when offered. If multifactor authentication is offered, I’m enabling it (even though it’s a PITA at times).
Assuming the scammer actually got the $90 in Kohl’s cash, I don’t see how it was worth his effort. Yeah, it’s $90, but it’s only good at Kohl’s.
If he really wanted the shirts, they were on sale this week for half off.