Scam emails supposedly from Sam’s Club recently have wormed their way into inboxes across the country. One of the fake messages invites consumers to answer a bogus 30-second survey for a chance to win a $1,300 Apple laptop or other prize.
After three emails that hijacked the warehouse retailer’s name were shown to Sam’s Club, spokesperson Erin Hulliberger told AARP that the company had not sent them. The big-box store sends emails only from addresses ending with “@SamsClub.com,” she said.
The emails shown to Sam’s Club, which were sent in September and October, came from different impostor email accounts. The messages were phishing emails, Hulliberger said, so recipients should report them to the company and, out of caution, change their Sam’s Club password.
In a phishing attack, cybercriminals try to grab people’s sensitive data by using fraudulent solicitations in emails and on websites. Typically, the crooks masquerade as a representative of a legitimate business or pose as a reputable person, launching thousands of phishing attacks every day — “and they’re often successful,” the Federal Trade Commission (FTC) warns. The agency is among entities tracking what one outside expert characterized as a growing global threat. Here’s the FTC's guidance on staying safe.
500 brands phished in May
A record-breaking 500 consumer brands were hit by phishing attacks in May, according to an international trade group, the Anti-Phishing Working Group (APWG), which tabulates reports and tracks the attacked brands. It does not publicize the brands, so bad actors can’t detect which of their illicit emails bypassed security protocols.
Experts say that if you receive a suspicious email, just hit delete. Equally important: Never click a hyperlink or open an attachment in a sketchy email or interact with the sender in any way.
Airbnb, Amazon and Costco are a few of the well-known companies that have fought bogus emails or websites. Well-known brands also contend with scam phone calls and fake texts, mobile apps, social media posts, special offers and coupons.
Sam’s Club has 599 stores in 44 states and Puerto Rico, its corporate parent, Walmart, stated in its last annual report. Sam’s Club has seen no indication that its computer systems have been infiltrated or that it suffered a data breach, according to Hulliberger. When the company contacts consumers, it never asks for a credit card number, so consumers should not reveal theirs, she added.
The top methods of contact in frauds reported to the FTC in recent years have been, in descending order, phone calls, texts and emails. Though in third place, illicit emails trigger big losses: $149 million during the first half of 2021, which put losses on pace to exceed the $252 million lost in all of 2020 and $226 million in 2019.
After the record-setting number of brand attacks in May, the number dipped to 495 in June, the Cambridge, Massachusetts–based APWG stated in a recent report. Meantime, in June, 222,127 unique phishing websites were reported, along with 9,669 unique phishing email subject lines, the consortium said.
The APWG has members from governments, law enforcement and other entities in about 140 countries, but most of its phishing reports come from the U.S., said Peter Cassidy, its cofounder and secretary-general.
Be vigilant as holidays near
The upcoming holidays require vigilance, since the pandemic has triggered a huge uptick in e-commerce, Cassidy said. COVID-19 has conditioned consumers to be comfortable with online retail and digital payments, so “phishing gangs will be using that comfort and familiarity to their advantage.”
Addressing the phishing emails purportedly from Sam’s Club, Cassidy said that on their face, they were unremarkable — the “same old, same old” pitches that have long bedeviled consumers. Phished “Sam’s Club” emails don’t seem to be among cybercrooks’ “perennial favorites,” he added.
Still, it’s what happens when you respond to a phishing email that causes problems, Cassidy warned. Does a fraudster in a follow-up call try to wheedle information out of you? Does a link take you to a malicious website?
The anti-phishing group warns that technical subterfuge can play a role in phishing attacks, as bad actors try to plant malicious software onto computer devices to steal consumers' credentials. Often they misdirect consumers to counterfeit websites to intercept sensitive information.
Financial institutions are top target
National brands are vulnerable because they are known and trusted, Cassidy said. Financial institutions were the hardest-hit sector, the target of 29 percent of phishing attacks from April through June of this year, according to the APWG. Rounding out the top five sectors were social media sites (15 percent of attacks), digital-payment sites (12 percent), email and cloud-based software service providers (9 percent), and retail and e-commerce sites (8 percent).
Also worrisome is that the cryptocurrency industry, including exchanges and wallet providers, was the sixth-most-often-hit sector, the target of 7.5 percent of attacks in the second quarter of the year (up from 2 percent in the first quarter).
Observing that cybercrime ignores country borders, Cassidy said gangs across the world can easily obtain huge lists of emails, steal company logos and masquerade as legit businesses.
So, remember, if you are asked in a questionable email to take a survey or click a link, do not, Cassidy stressed. No purported reward or prize is worth the trouble that could result. Likewise, delete emails from entities that you do business with but that do not normally reach out in electronic messages. Instead, contact the company through a secure method, like a phone number from a statement, to investigate what’s been presented.
“Be thoughtful about every inbound communication,” Cassidy said. “The most effective email attacks are against people who are really customers of an organization or a company.”
As for the phishing emails supposedly from Sam’s Club, the recipients aren’t members. And, no, they didn’t engage. Instead, they unleashed a not-so-secret weapon: the delete key.
Katherine Skiba covers scams and fraud for AARP. Previously she was a reporter with the Chicago Tribune, U.S. News & World Report, and the Milwaukee Journal Sentinel. She was a recipient of Harvard University's Nieman Fellowship and is the author of the book, Sister in the Band of Brothers: Embedded with the 101st Airborne in Iraq.