Skip to content
 

Crooks Commandeer Sam's Club Name to Send Scam Emails

Warehouse club among hundreds of big brands hijacked by phishing fraudsters this year

storefront of a sams club store

Getty Images

En español

Scam emails supposedly from Sam’s Club recently have wormed their way into inboxes across the country. One of the fake messages invites consumers to answer a bogus 30-second survey for a chance to win a $1,300 Apple laptop or other prize.

After three emails that highjacked the warehouse retailer’s name were shown to Sam’s Club, spokesperson Erin Hulliberger told AARP that the company had not sent them. The big-box store sends emails only from addresses ending with “@SamsClub.com,” she said.

The emails shown to Sam’s Club, which were sent in September and October, came from different email accounts from impostors. The messages were phishing emails, Hulliberger said, so recipients should report them to the company and, out of caution, change their Sam’s Club password.

In a phishing attack, cybercriminals try to grab people’s sensitive data by using fraudulent solicitations in emails and on websites. Typically, the crooks masquerade as a representative of a legitimate business or pose as a reputable person, launching thousands of phishing attacks every day — “and they’re often successful,” the Federal Trade Commission (FTC) warns. The agency is among entities tracking what one outside expert characterized as a growing global threat. Here’s the FTC's guidance on staying safe.

500 brands phished in May

A record-breaking 500 consumer brands were hit by phishing attacks in May, according to an international trade group, the Anti-Phishing Working Group (APWG), which tabulates reports and tracks the attacked brands. It does not publicize the brands, so bad actors can’t detect which of their illicit emails bypassed security protocols.

Experts say that if you receive a suspicious email, just hit delete. Equally important: Never click a hyperlink or open an attachment in a sketchy email or interact with the sender in any way.

Airbnb, Amazon and Costco are a few of the well-known companies that have fought bogus emails or websites. Well-known brands also contend with scam phone calls and fake texts, mobile apps, social media posts, special offers and coupons.

phishing email posing as a sams club promotion with the stamp labeled scam on top of it

AARP

This phishing email — not actually from Sam’s Club — was sent to an AARP member in October. Experts say hundreds of brands are featured in scam emails like these, and they should be deleted.

Large-scale scourge

Sam’s Club has 599 stores in 44 states and Puerto Rico, its corporate parent, Walmart, stated in its last annual report. Sam’s Club has seen no indication that its computer systems have been infiltrated or that it suffered a data breach, according to Hulliberger. When the company contacts consumers, it never asks for a credit card number, so consumers should not reveal theirs, she added. 

The top methods of contact in frauds reported to the FTC in recent years have been, in descending order, phone calls, texts and emails. Though in third place, illicit emails trigger big losses: $149 million during the first half of 2021, which put losses on pace to exceed the $252 million lost in all of 2020 and $226 million in 2019.

After the record-setting number of brand attacks in May, the number dipped to 495 in June, the Cambridge, Massachusetts–based APWG stated in a recent report. Meantime, in June, 222,127 unique phishing websites were reported, along with 9,669 unique phishing email subject lines, the consortium said.

The APWG has members from governments, law enforcement and other entities in about 140 countries, but most of its phishing reports come from the U.S., said Peter Cassidy, its cofounder and secretary-general.

To report a phished email, contact:

• The Anti-Phishing Working Group at reportphishing@apwg.org

• The Federal Trade Commission at Report.Fraud.FTC.gov

To report a phished text message, the Federal Communications Commission advises alerting your wireless service provider by forwarding the text to SPAM (7726).

Be vigilant as holidays near

The upcoming holidays require vigilance, since the pandemic has triggered a huge uptick in e-commerce, Cassidy said. COVID-19 has conditioned consumers to be comfortable with online retail and digital payments, so “phishing gangs will be using that comfort and familiarity to their advantage.”

Addressing the phishing emails purportedly from Sam’s Club, Cassidy said that on their face, they were unremarkable — the “same old, same old” pitches that have long bedeviled consumers. Phished “Sam’s Club” emails don’t seem to be among cybercrooks’ “perennial favorites,” he added.

Still, it’s what happens when you respond to a phishing email that causes problems, Cassidy warned. Does a fraudster in a follow-up call try to wheedle information out of you? Does a link take you to a malicious website?

The anti-phishing group warns that technical subterfuge can play a role in phishing attacks, as bad actors try to plant malicious software onto computer devices to steal consumers' credentials. Often they misdirect consumers to counterfeit websites to intercept sensitive information.


AARP Membership — $12 for your first year when you sign up for Automatic Renewal

Join today and get instant access to discounts, programs, services, and the information you need to benefit every area of your life. 


Financial institutions are top target

National brands are vulnerable because they are known and trusted, Cassidy said. Financial institutions were the hardest-hit sector, the target of 29 percent of phishing attacks from April through June of this year, according to the APWG. Rounding out the top five sectors were social media sites (15 percent of attacks), digital-payment sites (12 percent), email and cloud-based software service providers (9 percent), and retail and e-commerce sites (8 percent).

Also worrisome is that the cryptocurrency industry, including exchanges and wallet providers, was the sixth-most-often-hit sector, the target of 7.5 percent of attacks in the second quarter of the year (up from 2 percent in the first quarter).

Observing that cybercrime ignores country borders, Cassidy said gangs across the world can easily obtain huge lists of emails, steal company logos and masquerade as legit businesses.

So, remember, if you are asked in a questionable email to take a survey or click a link, do not, Cassidy stressed. No purported reward or prize is worth the trouble that could result. Likewise, delete emails from entities that you do business with but that do not normally reach out in electronic messages. Instead, contact the company through a secure method, like a phone number from a statement, to investigate what’s been presented.

“Be thoughtful about every inbound communication,” Cassidy said. “The most effective email attacks are against people who are really customers of an organization or a company.”

As for the phishing emails supposedly from Sam’s Club, the recipients aren’t members. And, no, they didn’t engage. Instead, they unleashed a not-so-secret weapon: the delete key.

How to Identify Fake Emails

Katherine Skiba covers scams and fraud for AARP. Previously she was a reporter with the Chicago Tribune, U.S. News & World Report, and the Milwaukee Journal Sentinel. She was a recipient of Harvard University's Nieman Fellowship and is the author of the book, Sister in the Band of Brothers: Embedded with the 101st Airborne in Iraq.

AARP’s Fraud Watch Network can help you spot and avoid scams. Sign up for free Watchdog Alerts, review our scam-tracking map, or call our toll-free fraud helpline at 877-908-3360 if you or a loved one suspect you’ve been a victim.

Note: We are currently in the process of replacing our commenting service, so it may take a few days for previous comments to appear. Login or register on AARP.org to join the conversation.