Today I want to talk about an email I keep getting from Kohl’s.
I’ve seen this email before, when I could not remember my own kohls.com account password in the store while trying to access my account on my phone.
In the last six months, I’ve probably received this email four times, and I have not actually shopped at Kohl’s online or in the store since last fall. I have not tried to access my kohls.com account. I have not forgotten my password.
What is Going On: The Short Answer
- The email itself is not a scam. It is an auto-generated email from Kohl’s.
- It means that someone has tried, unsuccessfully, to access your Kohl’s account and guessed the password wrong one too many times. Kohl’s security system automatically locks the account and forces the account owner to change the password.
- Multiple scammers are regularly targeting multiple Kohl’s accounts, most likely in order to steal Kohl’s Cash.
- Even if you change your password immediately, you might receive this email again within a matter of days or weeks.
- Solution 1: open a new Kohl’s account under a new username that is more than just your email address and difficult to replicate.
- Solution 2: leave the account locked (as in, do not change your password) until the minute you need to access it. Expect to be locked out again soon, and continue to remain locked out until you place another Kohl’s order.
- Extra precaution 1: stop using and delete your Kohl’s App.
- Extra precaution 2: remove saved credit card information from your Kohl’s account entirely.
What’s Going On: The Much Longer Answer
I do not work for Kohl’s and I am not in the internet security business. I’m just an average shopper and blogger who had a complaint, Googled it, then wrote about it. It turns out it is a very common complaint. This post has received multiple organic hits a day from Google searches – which means we are not alone. That said, I’m sorry I cannot offer better advice or solutions. Maybe you’ve already seen enough, and that’s totally cool. But read on if you care to discover how I came to the conclusions above.
What A Little Online Search Revealed
As I always do when crowdsourcing a problem, I went straight to Facebook. I was surprised that I didn’t receive as many responses as expected. I was also surprised that the most common answer was something along the lines of, “This email isn’t from Kohl’s. Delete it immediately and don’t click anything.”
I didn’t like that response. The email is real and really is from Kohl’s. Just trust me when I tell you that the problem is not an email phishing or spam issue. After receiving this email, every single time, if I go independently to my kohls.com account, it is indeed locked, my correct password does not work, and I am forced to reset my password through the “Forgot Your Password” link on the Kohl’s website – not a link in the email.
I’m annoyed for a variety of reasons, but I’m just going to be up front about my primary qualm. I’m running out of damn passwords, people. Listen, I know I’m on the cusp, but I consider myself part of Generation X, and we just aren’t known for being idiots when it comes to online identity protection.
This means no, I do not actually use the same password for every single online account I use. Yes, I change my passwords regularly. Yes, my passwords are ridiculously long and difficult to decipher. Also ridiculously difficult to remember and to type via iPhone. And, about three years ago, I actually went in and deleted all my saved credit cards for all the online shopping I do. A potentially unnecessary but added precaution.
So try to imagine how I’m feeling when Kohl’s continues to email me and tell me to change my password.
It turns out, if you are looking to crowdsource literally anything, reddit.com should probably be your go-to. From there I was actually led back to a public Facebook post, but was also cross-referenced with enough similar stories to make me think the answer I’m about to give you is probably legitimate. And it all has to do with Kohl’s Cash.
Some Truths about Kohl’s Cash
About every six to eight weeks, Kohl’s runs a promotion in which everything in the store is on sale and for every $50 you spend, you receive $10 in Kohl’s Cash. This Kohl’s Cash is printed at the register and is basically a coupon code. If you have a Kohl’s account, the code will be saved in your wallet. The start date for using your Kohl’s cash is always one day after the mega sales event is over, and the redemption period is usually pretty short. Like maybe ten days.
Truth Number One: if you return an item on which you earned Kohl’s Cash, you void the Kohl’s Cash if it has not been spent.
Truth Number Two: Kohl’s Cash does not work like a gift card. It is applied before any other discounts, expires, and is foregone at the moment it is handed over.
Truth Number Three: When you spend Kohl’s Cash, you better know you want to keep what you spend it on, because, to clarify the above, if you return an item you spent Kohl’s Cash on, you will receive the price of the item minus the Kohl’s Cash. If the redemption period is over, you lose the value of the Kohl’s Cash entirely.
Truly, this is a marketing ploy to get people to come back and spend more money in Kohl’s after they dropped at least $50 in the store the week before. I know this is all very annoying and confusing to those of you non-Kohl’s shoppers. I apologize. But we hustlers take our coupons and our promos very seriously.
And obviously it works. With four children, I admit I’ve done a fair amount of shopping at Kohl’s. I’ve earned a fair amount of Kohl’s Cash, and I rarely, if ever, have let it expire. (This is basically how I keep my kids in new socks and underwear year after year and feel like I got it all for free.) And, in Kohl’s’ defense, all of this is to prevent people from buying large items simply to get the freebie, then returning the original item but keeping the freebie.
The Time My Kohl’s Cash Was Stolen
I actually do the bulk of my Kohl’s shopping on Black Friday, which is the day I find the best deals on Christmas PJ’s and dresses. I nearly always spend between $50 and $100 which means my Black Friday shopping always results in $10-$20 of Kohl’s Cash. Last January, when I went to spend my $20 (on underwear, in the store), I got to the register to find that it had already been spent.
Not by me.
Someone had actually stolen my Kohl’s Cash. In a phone call placed from the Kohl’s parking lot I learned that my account had not been compromised. In this particular instance, I’m guessing a series of randomly generated numbers landed on the exact code of my $20 coupon. A couple more phone calls and several complicated instructions later did result in Kohl’s giving me back the $20, but I had to use it online.
You know I demanded free shipping despite my under $50 order, since I was otherwise already at the store (and not paying shipping for my free underwear) which was another hassle all by itself and almost made me think the free underwear not worth it. But not quite.
But that is not the point. The point is, there is an entire ring of people out there succeeding at stealing Kohl’s Cash. They are likely banking on the fact that many people would forget to spend it and never notice it went missing.
This current email problem I’m having is actually this scheme but taken one step further. Hacker-thieves are breaking into kohls.com accounts completely, ordering $50+ worth of anything on the final day of a promotion and stealing the resulting Kohl’s Cash.
Dramatization Based on Actual Events via Reddit
Let me break this down. Holly Hacker is sitting at her computer one rainy Tuesday with a list of random email addresses and, oh I don’t know, a computer program that guesses passwords. She spends a few minutes or a few hours unsuccessfully breaking into Kohl’s online accounts. Included in her list is my account, and I receive an email that I must change my password (because Ms. Hacker tried unsuccessfully to guess my super hard password the maximum number of times and didn’t unlock the gate).
But wait. Peter Password at hotmail dot com doesn’t take such high security measures as Cee Pee Wait at gmail dot com does, and Holly Hacker gets right into Peter Password’s account. Bingo! Not only is she in, but Peter has saved his address, phone number, and Kohl’s credit card information, all right there, to be accessed at the touch of a button. Holly Hacker goes ahead and orders Peter a $500 Weber Genesis, and has it shipped right to his house. What are the odds that Peter Password is going to notice an email receipt from Kohl’s today? (Answer: low.)
Congratulations Peter Password, you’ve earned $100 in Kohl’s Cash that you can begin spending tomorrow!
And Holly Hacker does spend that Kohl’s Cash. All of it. Doesn’t matter who it is or where it has gone, Kohl’s Cash is merely a code that anyone can apply to any order or account. When spent in the store, the only thing Kohl’s can track is the city and state of the store it was spent in. (In my true scenario above, the stolen Kohl’s Cash was spent in Trenton, New Jersey.)
This means I can give away my Kohl’s Cash to anyone and they can spend it, and then I can call Kohl’s and give them the code of my Kohl’s Cash and they cannot tell me how it was spent or even specifically where. I’m not sure that, from the desk at which my representative sat, he could even access a day or time that it was spent, but it seems to me this is information that should be available in the year 2018 when computers rule our lives. To Kohl’s, this “cash” is just a coupon. A mostly worthless coupon, in fact.
A mere thirteen days later, a $500 grill shows up on Peter Password’s front porch. After running through a mental list of holidays and birthdays that do not line up, Peter at last concludes that this must be a mistake. So he calls Kohl’s, only to discover that he himself has ordered this very expensive grill. He tells Kohl’s his account has been compromised, and Kohl’s is very understanding. They run through the usual protocol of changing Peter Password’s password, and then tell him to simply return the grill.
But wait. That $500 grill is now only worth $400, because Holly Hacker has already spent the $100 of Kohl’s Cash that came with it.
And herein lies the problem.
Does Peter Password get his entire $500 back? Maybe. After some work. I like to think that he does. But what about the other Peter Passwords who were not out $100 but only $10? Maybe to those people, the fight is ultimately not worth $10. And because of this, Kohl’s is losing exactly zero skin in this game, and so nothing has been done to remedy the situation.
Certainly I don’t know what the remedy is. But it seems to me there should be a remedy. Forgive me but here is where my investigative journalism ends. At least for now.
In the meantime, here is my solution. (And I’m sorry, but it doesn’t include completely boycotting Kohl’s, because, well, Christmas PJ’s!) I’ve deleted all of my personal information from my kohls.com account, even my address. Though I didn’t have a credit card saved there to begin with, I never will. And I’ve deleted and stopped using my Kohl’s app. And I will not change my password until the next time I am shopping at Kohl’s online with the intention of making a purchase, which will be next November on Black Friday.
**UPDATE AUGUST 17: took advantage of a great online deal with triple overlapping coupon codes to stock up on new socks and underwear for all my kids. Within a day of placing that order, I got that same email above to change my password. I am still on with the original plan to just leave my Kohl’s account locked until I need to use it again.**
I feel like this post could generate some thoughts and hope it does. Please put your comments here on my blog rather than on Facebook or Instagram so if anyone stumbles upon this post and has a similar experience, insight can be gleaned all in the same place.