Beware! Costco Annual Cashback Scam Targets Loyal Shoppers

Costco, one of the largest membership-only warehouse store chains in the United States, has become the latest target of an insidious phishing scam. Scammers are using text messages and emails pretending to be from Costco to trick customers into visiting fake websites and handing over sensitive personal and financial information.

This scam aims to steal credit card details, account usernames and passwords, and open doors for further fraud against victims. With Costco having over 60 million member households in the U.S. alone, this scam has the potential to affect millions of Americans.

In this comprehensive guide, we’ll explain everything you need to know about the Costco annual cashback scam, including how it works, what to watch out for, and most importantly, how to protect yourself.

An Overview of the Costco Annual Cashback Scam

The Costco annual cashback scam works by sending members text messages or emails claiming their yearly Costco cash back reward is ready to be claimed. The messages contain links to convincing but fake Costco reward center websites.

If the recipient clicks through to the fraudulent website, they are prompted to enter personal details like name, date of birth, credit card information, Costco membership number, and more to allegedly claim their cashback bonus.

In reality, any data entered is harvested by scammers who will either use it directly for financial fraud or sell it on to other criminal groups. As well as credit card theft, the scammers can hijack Costco accounts once they have the login credentials.

This allows them to fraudulently use a victim’s membership benefits, collect more personal data, and even have goods delivered on the victim’s dime for resale by the criminals.

Hallmarks of the Scam

There are certain hallmarks to look out for that can help identify this scam:

  • Unsolicited contact – Costco does not send unprompted messages about cashback rewards. Any surprise texts or emails are highly suspect.
  • Sense of urgency – Scammers will emphasize acting quickly before you “miss out” to get you responding without proper consideration.
  • Links to non-Costco domains – Check the sender’s domain name before clicking. Links will direct to convincing but fraudulent sites.
  • Requests for sensitive information – Costco would never ask for credit card details, account passwords, social security numbers, etc via unsolicited messages.
  • Poor spelling and grammar – Texts and emails may contain typos, grammatical errors and awkward phrasing.
  • Threats of account closure – Some variants threaten closure of the victim’s Costco membership if they don’t claim their cashback promptly.

What Information Do Scammers Collect?

The exact data phishing websites aim to collect can vary, but commonly includes:

  • Full name
  • Home address
  • Date of birth
  • Phone number
  • Costco membership number
  • Costco website login credentials
  • Credit/debit card details
  • Social security number
  • Driver’s license details

With this wealth of personal and financial information, fraudsters can directly steal money from accounts, make purchases in the victim’s name, open new lines of credit, and commit identity theft.

The threat to victims is very real, making it crucial not to submit data on suspicious cashback websites.

How the Costco Annual Cashback Scam Works

Now let’s examine exactly how scammers operate the Costco cashback scam from start to finish:

1. Scammers Obtain Costco Member Contact Details

Scammers and hacker groups build up databases of Costco member details from:

  • Data breaches – past hacks of companies can expose customer info including Costco members.
  • Public records – names and addresses can be gathered from sources like phone directories.
  • Website vulnerabilities – flaws in Costco’s own systems could be exploited to get customer data.
  • Phishing campaigns – past phishing scams may have already tricked some people into surrendering their details.
  • Social engineering – directly contacting Costco and impersonating members to extract account information.
  • Dark web marketplaces – hacked databases containing Costco member information can be bought.

2. Phishing Emails or Texts Are Sent En Masse

Using the member contact details on file, scammers will send out mass phishing emails and SMS messages to thousands of potential victims.

These messages are disguised to appear as if they are official communications from Costco. The sender details, branding, logos, and messaging will all mimic legitimate Costco rewards emails/texts.

Here is an example phishing email:

Dear John,

This is an important notice regarding your Costco membership reward funds.

According to our records, you have $352.12 in cashback rewards currently available in your Costco Membership Rewards Account as a result of your shopping activities and loyalty to our warehouses.

Please click here to confirm your identity and redeem your 2023 Costco Membership Reward.

The link will direct you to the rewards center where you can easily claim your $352.12 cashback into your account.

If you don’t claim by 09/30/2023, these funds will expire, so act quickly!

Claim My Rewards

Thank you for your Costco membership,

Costco Customer Service

This email contains the typical scam hallmarks like urgency and a link to a fraudulent website disguised as a legitimate Costco domain.

3. Recipients Click Through to the Phishing Website

Worried about missing out on their supposed cashback, and seeing what looks like a genuine Costco communication, some recipients will click the link and be taken to the phishing site.

These sites closely impersonate the real Costco rewards center, using copied branding, web design, and messaging. This convinces visitors they are on a real Costco domain.

4. Users Are Prompted to Enter Personal Information

The fake rewards center website will request visitors enter personal and financial information to process their cashback claim. Scammers will phish for data like:

  • Full name and home address
  • Date of birth
  • Phone number
  • Email address
  • Costco membership number
  • Costco account username and password
  • Credit/debit card number, expiration date, and CVV
  • Social security number

Users are less likely to question requests for sensitive data, since the website looks identical to Costco’s real site.

5. Entered Data Is Harvested by the Scammers

When victims enter their details into the different forms on the phishing site, all information is sent directly to the scammers.

Fraudsters will store this data to use in identity theft, make direct withdrawals from bank accounts, charge credit cards, apply for loans/cards, and steal the Costco credentials.

6. Costco Accounts and Reward Programs Get Hijacked

With obtained membership numbers and passwords, scammers can now access and take over victims’ Costco accounts.

This allows them to:

  • Collect more personal data from the account like stored payment methods, purchase history, and shipping addresses.
  • Improperly earn and redeem rewards points using the account.
  • Make purchases on the account and have items shipped to addresses they control for resale.
  • Change account details and settings like the password, registered email, and phone number.
  • Open executive Costco memberships using stolen payment cards, for additional checkout privileges.
  • Add other accounts as household members to share benefits.

So compromised accounts provide a treasure trove of opportunities for ongoing fraud against the victims.

7. Stolen Information Is Sold and Used For Further Crime

Beyond directly misusing collected information themselves, scammers frequently sell on the data to other criminal groups and shady marketplaces on the dark web.

Buyers of this illegally obtained personal and financial data then use it to commit more forms of identity fraud against the victims.

Once account passwords, bank details, and social security numbers are sold into cybercriminal networks, victims can suffer the consequences for years in forms like:

  • Credit cards opened in their names and maxed out
  • Loans taken out in their identity
  • Medical insurance fraud using their information
  • Tax fraud
  • Unauthorized money transfers and withdrawals

So victims of this scam are often left dealing with the fallout of identity theft long after the initial phishing attack against their Costco membership.

How to Identify Costco Cashback Scam Emails

Email is one of the main vectors scammers use to perpetrate Costco rewards phishing schemes. Here are tips for analyzing emails and recognizing signs they are attempting to impersonate Costco:

Inspect the Sender’s Email Address

Closely check the address the email is being sent from. Scammers will often use slight misspellings or non-Costco domains:

  • costumerservice@costco.com
  • service@costcorewards.com
  • info@costco-promotions.com

Hover over any displayed sender name to view the actual email address.

Look for Poor Spelling and Grammar

Phishing emails may contain:

  • Typographical errors like “Cashhback” instead of “Cashback”
  • Poor grammar like “Costco We value loyalty of our members” instead of “Costco values the loyalty of its members”
  • Overuse of exclamation points and capital letters

Verify Linked URLs

Hover over any links rather than clicking them. The pop-up should show a real Costco domain like costco.com—not a deceptive lookalike link.

Manually navigate to Costco in your browser instead of trusting links if you want to check your account.
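The sender and link checks described above can be automated when triaging a reported message. The following is an added example, not code from Costco or from the original article; it assumes costco.com is the only genuine domain, and the function names and the `.example` link hosts are constructed for illustration. It goes beyond the text by also catching brand names placed in subdomains, in the user-info part of a URL, and in look-alike Unicode hostnames.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for this example: costco.com is the only domain treated as genuine.
TRUSTED_DOMAINS = {"costco.com"}
BRAND = "costco"


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    host = host.strip().rstrip(".").lower()
    if not host:
        return "unrelated"
    # Exact match or a real subdomain only. A plain suffix test would let
    # 'notcostco.com' pass, so the match must start at a label boundary.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # Non-ASCII or punycode labels can be drawn to look like the brand.
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "lookalike"
    # Brand text anywhere else in the name, e.g. costcorewards.com or
    # costco.com.rewards-claim.example (the real domain is the right-hand end).
    if BRAND in host:
        return "lookalike"
    return "unrelated"


def check_link(url):
    """Classify the host a link actually leads to, not the text it shows."""
    try:
        # urlsplit only recognises a host after '//'; add it for 'costco.com/x'.
        parts = urlsplit(url if "://" in url else "//" + url)
        host = parts.hostname or ""
    except ValueError:
        return "unrelated"  # malformed URL: never treat as trusted
    verdict = classify_host(host)
    # 'https://costco.com@rewards-claim.example/' goes to rewards-claim.example;
    # the brand sits in the user-info part (or the path) purely as bait.
    if verdict == "unrelated" and BRAND in url.lower():
        return "lookalike"
    return verdict


def check_sender(from_header):
    """Classify the domain of the address in a From header."""
    _, addr = parseaddr(from_header)
    verdict = classify_host(addr.rpartition("@")[2])
    # The From header is chosen by whoever sent the message, so a costco.com
    # address is reported as an unverified match, never as trusted.
    return "domain-match-unverified" if verdict == "trusted" else verdict


def triage(from_header, links):
    """Return (item, verdict) pairs for the sender and every link."""
    return [(from_header, check_sender(from_header))] + [
        (url, check_link(url)) for url in links
    ]


if __name__ == "__main__":
    # Constructed sample: sender addresses are the page's examples, the link
    # hosts use the reserved .example suffix and are made up for the demo.
    sample_from = "Costco Customer Service <service@costcorewards.com>"
    sample_links = [
        "https://www.costco.com/rewards",
        "https://costco.com.rewards-claim.example/redeem",
        "https://costco.com@rewards-claim.example/redeem",
    ]
    for item, verdict in triage(sample_from, sample_links):
        print(f"{verdict:24} {item}")
```

A sender reported as `domain-match-unverified` still needs the mail provider's SPF, DKIM and DMARC results before it is believed, because the From header alone can be forged.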

Check for Odd Wording

Phishing emails often have strange phrasing and tone that the real Costco would not use, like:

  • “Immediately provide your Costco payment information.”
  • “You must comply now to claim this offer!”
  • “We require your quick response to process this claims bonus.”

Identify Out of Character Requests

Costco would never ask for credit card numbers, account passwords, or SSNs over email. Any message making these kinds of requests is surely from scammers phishing for data.

Watch For Threats or Ultimatums

Scammers frequently threaten consequences like closure of accounts or forfeiture of funds if immediate action isn’t taken:

  • “Respond in the next 2 hours or your cashback offer will expire.”
  • “Unless you confirm by 09/30, your Costco membership will be cancelled.”

Real messages from Costco would not threaten consequences for failing to act quickly.

How to Spot Costco Cashback Scam Text Messages

Scammers also leverage SMS text messages to distribute Costco phishing links. Here are signs a Costco-themed text may be fraudulent:

Sender is Not Costco

Check the sending number against Costco’s real customer service line – (800) 955-2292. Any other number is suspicious.

Contains a Phishing Link

Messages will urge you to click embedded links to claim rewards. Hover over them to check if they really direct to a legit costco.com URL.

Full of Urgency and Threats

Scam texts often stress urgency (“Act now before rewards expire!”) and threaten consequences for inaction like account closure or forfeiting points.

Requests Personal Details

Any texts asking for credit card info, SSNs, account logins or other sensitive data to process a reward claim will be phishing scams.

Poor Grammar and Spelling

Much like phishing emails, texts containing typos, grammatical errors and awkward phrasing indicate scammers and not real Costco messages.

Offers Unprompted Rewards Out of the Blue

Costco would not text you unexpectedly about existing cashback rewards. The scam tries to make rewards seem already owed to you when they’re not.

Stay vigilant and don’t click or reply to any texts containing these scam indicators – report them to Costco immediately.

What to do if You Have Fallen Victim to the Costco Cashback Scam

If you suspect you have been caught out by a Costco cashback phishing scam, here are the steps to take right away:

1. Contact Your Bank(s)

If any debit/credit card information has been submitted to the scammers’ website, your top priority is contacting your bank(s) to protect your accounts.

Inform them you believe your card details have been compromised and request that they:

  • Closely monitor your accounts for any unauthorized transactions.
  • Implement increased security measures like reduced withdrawal limits.
  • Issue new card numbers to replace any compromised cards.
  • Reverse any fraudulent transactions the scammers may have already made.

Closely watching your statements for irregularities in the coming days/weeks is also advised. Report any suspicious charges or withdrawals to your bank immediately.

2. Reset Costco Account Password and Security Questions

Once you have financial account security measures in place, take steps to lock down your Costco membership:

  • Login and change your Costco website password immediately – avoid reusing previous passwords.
  • Update your security questions and answers – scammers may have accessed previous ones.
  • Remove any household members you did not personally approve – scammers may add other accounts.
  • Check stored payment methods – remove any cards that you did not add yourself.
  • Review recent orders and cancellations – look for any unauthorized activity.
  • Consider signing up for Costco’s identity protection service included with memberships.

Proactively changing your credentials prevents criminals from accessing your account now that they have your old login details.

3. Place Fraud Alerts on Your Credit Reports

Contact Equifax, Experian and TransUnion to place fraud alerts on your credit reports. This makes it harder for criminals to open new credit lines in your name:

  • Equifax – (888)-298-0045
  • Experian – (888)-397-3742
  • TransUnion – (800)-680-7289

When possible, enact a credit freeze instead to fully block access to your reports without your consent.

4. Change Credentials On Any Compromised Accounts

If you reused the same username and password combo on your Costco account anywhere else, promptly change credentials on those other accounts:

  • Email accounts
  • Bank websites
  • Retail sites and apps
  • Social media
  • Anywhere else with the same login details

Doing so prevents further account hijacking and limits wider damage from your credentials being sold on by criminals.

5. File Identity Theft Reports

Formally document identity theft instances with police and government agencies:

  • File an identity (ID) theft report with the Federal Trade Commission at IdentityTheft.gov.
  • File an additional police report about the identity fraud in your local precinct.
  • Provide these reports to banks and creditors to prove unauthorized activity.
  • Get an IRS Identity Protection PIN each year to help prevent tax fraud.

These reports create an official paper trail you can reference when fixing issues caused by the fraud.

6. Monitor Accounts Closely

Be extremely vigilant about reviewing all your financial statements, credit reports, and online accounts for anything suspicious in the coming months.

It can take time for the ripple effects of stolen credentials and compromised data to fully manifest. So be proactive about detecting any fraudulent activity early to minimize damages.

Looking out for unfamiliar transactions, accounts opened in your name, or unrecognized logins is crucial to defend against follow-on fraud.

Protecting Yourself from Costco Cashback and Other Phishing Scams

While no one can be completely immune from phishing scam attempts and data breaches, there are important precautions you can take to minimize your risks:

Use Unique Passwords

  • Don’t reuse the same login credentials across multiple sites – compromise on one site puts all your accounts in jeopardy.
  • Use randomly generated long passwords for important accounts – these are far tougher to crack than short dictionary ones.
  • Consider a password manager app to securely generate and store unique passwords.

Enable Two-Factor Authentication

  • Have secondary login prompts like codes sent to your phone to enhance account security.
  • Two-factor authentication prevents criminals from accessing accounts with just a stolen password.

Check Sender Details

  • Double check the email address or phone number of any unexpected messages before clicking links.
  • Hover over links to compare the destination URL to what it claims to be.
  • Call companies directly using numbers from their website rather than unsolicited messages.

Avoid Clicking Directly on Links

  • Even if a message looks legitimate, manually navigate to the company’s site and login there rather than clicking embedded links.

Limit Data Shared Online

  • Be wary of what personal information you share publicly on social media sites and online profiles.
  • Scammers can piece together a lot about you from seemingly innocuous data spread across sites.

Monitor Credit Reports and Accounts

  • Review credit reports from Equifax, Experian, and TransUnion every few months for any fraudulent activity.
  • Enable transaction notifications from banks and lenders to spot irregular charges and payments.
  • Report anything suspicious to banks and card providers immediately.

Staying vigilant makes it quicker to detect and respond to fraud.

Frequently Asked Questions About the Costco Cashback Scam

The Costco cashback scam tricks members into sharing personal and financial details via phishing emails and text messages. This FAQ addresses common questions about how the scam operates and how members can protect themselves.

What is the Costco annual cashback scam?

This scam sends Costco members phishing emails or SMS messages falsely claiming their yearly cashback reward is available for redemption. The messages provide links to fake Costco websites that harvest entered personal data for identity theft and account hijacking.

How does the Costco cashback scam work?

  1. Scammers obtain Costco member details from data breaches, previous phishing scams, or by directly contacting Costco while posing as members.
  2. Phishing emails and texts are sent en masse to Costco members telling them an annual cashback reward awaits them.
  3. Recipients are directed via links to convincing fake Costco domains asking for personal/financial details to process the supposed reward redemption.
  4. Unwitting victims enter data like credit card numbers, SSNs, account credentials, etc. which is harvested by scammers.
  5. Scammers commit direct fraud like withdrawals from bank accounts. They also sell the data on the dark web for wider identity theft.
  6. Costco account logins allow scammers to hijack member accounts for more data gathering, fraudulent purchases under the victim’s membership, and maximizing account benefits.

What red flags indicate a Costco cashback message is a scam?

  • It’s completely unsolicited – Costco does not proactively contact members about existing rewards.
  • There is a sense of urgency, threatening expiration of funds if immediate action isn’t taken.
  • Links go to non-Costco domains – hover over links to check them, and type Costco URLs manually to be sure.
  • Requests for sensitive data like credit card numbers that Costco would never make via unprompted messages.
  • Spelling, grammatical errors, and awkward phrasing.
  • Threats of account closure if the cashback isn’t promptly claimed.

What information do Costco cashback scammers try to collect?

Scammers phish for any personal or financial data they can obtain, including:

  • Full name and home address
  • Date of birth
  • Phone number
  • Email address
  • Costco membership number
  • Costco website username and password
  • Credit/debit card details (number, expiration date, CVV)
  • Social security number
  • Driver’s license details

What should I do if I shared information with a Costco cashback scam website?

If you suspect your data was compromised, immediately take these steps:

  • Contact banks to monitor accounts closely for fraud and implement increased security measures.
  • Reset your Costco password, security questions, and review recent account activity for anything suspicious.
  • Place fraud alerts on credit reports and sign up for credit monitoring services.
  • Change credentials on any other accounts that may have reused the same username and password combination.
  • Formally report the identity theft to the FTC, IRS, and local police.
  • Closely monitor accounts and credit reports for signs of any further fraudulent activity going forward.

How can I avoid falling victim to the Costco cashback scam?

  • Use unique passwords for every account and enable two-factor authentication wherever possible.
  • Carefully inspect sender addresses and manually type URLs rather than clicking links.
  • Never provide sensitive data like credit card details or SSNs via unsolicited messages.
  • Limit sharing of personal information publicly online that could aid identity thieves.
  • Proactively review credit reports and financial statements for irregular fraudulent activity.

What should I do if I receive a suspicious Costco cashback message?

If you get any text messages or emails about an unclaimed Costco reward requiring you to provide personal/financial details, do not click any links or call phone numbers provided. Instead:

  • Report phishing emails as spam or forward them to phishing@costco.com.
  • Report suspicious texts to Costco customer service at 1-800-955-2292.
  • Avoid responding to any phone calls about surprise rewards – hang up and call Costco customer service directly to verify if legitimate.
  • Log into your Costco account directly through the real Costco website rather than via links to check any rewards status.

Can Costco prevent my details being used for this scam?

Unfortunately, Costco cannot fully control whether your information ends up in the hands of scammers through data breaches or sales of data on the dark web. But they take data security very seriously, requiring strong passwords, using encryption, leveraging firewalls, and training employees.

How can I recover losses from providing data to a Costco cashback scam?

If money was stolen from accounts or fraudulent purchases made, contact your bank and lenders immediately about reversing the transactions and restoring lost funds. File reports about the identity theft and provide them to help argue your case. Utilize fraud insurance and protections provided by credit card companies and Costco to limit personal losses.

Is the Costco scam the only reward phishing scam I should watch for?

No, scammers frequently impersonate major retailers, hotels and airlines to phish under the guise of uncashed rewards, vouchers, or loyalty points. Apply the same precautions checking sender addresses, manually entering URLs, and avoiding unsolicited requests for your data.

Who can I contact if I have any other questions?

If you have any other queries or concerns about potential scams misusing the Costco name, reach out to their dedicated customer service team for assistance at 1-800-955-2292.

The Bottom Line

The Costco annual cashback scam is part of a growing wave of phishing campaigns targeting members and customers of major retailers. Scammers aim to trick people into surrendering valuable personal and financial data for identity theft and account hijacking purposes.

If you receive any unsolicited contact via email or SMS about an unclaimed Costco reward, don’t click the links and report the message to Costco. Remember, Costco does not proactively reach out about cashback rewards requiring urgent action.

Should you fall victim and share information with a phishing site, take steps like changing passwords, placing fraud alerts, and monitoring your credit. But first and foremost, immediately contact your bank about any compromised financial data.

Moving forward, be vigilant about phishing scams spoofing major brands you hold accounts with. Always double check the sender’s details before clicking on links or calling numbers in messages that request your personal information.

Implement strong unique passwords, two-factor authentication, and credit monitoring best practices to limit your vulnerability to data theft and subsequent fraud.

Staying informed about the latest phishing techniques and using caution when contacted about account activity gives you the best chance of avoiding becoming another victim of scams like this Costco cashback scheme.

How to Stay Safe Online

Here are 10 basic security tips to help you avoid malware and protect your device:

  1. Use a good antivirus and keep it up-to-date.

    It's essential to use a good quality antivirus and keep it up-to-date to stay ahead of the latest cyber threats. We are huge fans of Malwarebytes Premium and use it on all of our devices, including Windows and Mac computers as well as our mobile devices. Malwarebytes sits beside your traditional antivirus, filling in any gaps in its defenses, and providing extra protection against sneakier security threats.

  2. Keep software and operating systems up-to-date.

    Keep your operating system and apps up to date. Whenever an update is released for your device, download and install it right away. These updates often include security fixes, vulnerability patches, and other necessary maintenance.

  3. Be careful when installing programs and apps.

    Pay close attention to installation screens and license agreements when installing software. Custom or advanced installation options will often disclose any third-party software that is also being installed. Take great care in every stage of the process and make sure you know what it is you're agreeing to before you click "Next."

  4. Install an ad blocker.

    Use a browser-based content blocker, like AdGuard. Content blockers help stop malicious ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not stop.

  5. Be careful what you download.

    A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather.

  6. Be alert for people trying to trick you.

    Whether it's your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it's easy to spoof phone numbers, so a familiar name or number doesn't make messages more trustworthy.

  7. Back up your data.

    Back up your data frequently and check that your backup data can be restored. You can do this manually on an external HDD/USB stick, or automatically using backup software. This is also the best way to counter ransomware. Never connect the backup drive to a computer if you suspect that the computer is infected with malware.

  8. Choose strong passwords.

    Use strong and unique passwords for each of your accounts. Avoid using personal information or easily guessable words in your passwords. Enable two-factor authentication (2FA) on your accounts whenever possible.

  9. Be careful where you click.

    Be cautious when clicking on links or downloading attachments from unknown sources. These could potentially contain malware or phishing scams.

  10. Don't use pirated software.

    Avoid using Peer-to-Peer (P2P) file-sharing programs, keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.

To avoid potential dangers on the internet, it's important to follow these 10 basic safety rules. By doing so, you can protect yourself from many of the unpleasant surprises that can arise when using the web.