I got robbed last weekend.
Not in the way you’re probably thinking. I answered a text message, which led to a short series of events that wiped out a stash of customer loyalty points I’d been saving for months. It wasn’t fun! But it was, in some ways, a very valuable lesson. Here’s what happened.
Saturday morning, while making breakfast, I scrolled through email and messages on my phone. Energy bill, lunch invite, current affairs newsletter, a bank email about tax season, and a text from a name that generally piques my interest: PC Optimum.
I’ve been an Optimum member since before it merged with PC Plus to make its current iteration of the loyalty program, and have collected points for years. A 2017 maternity leave tipped that relationship into high gear: popping into the Shoppers down the street frequently for diapers, Medela bags, or a quick stroller run just to get out of the house has had me checking flyers weekly for deals and working out how to stack promotions to my best advantage ever since. I haven’t paid actual money for mascara in over a year.
The text message I got that Saturday morning indicated I needed to update my account to continue receiving points for my purchases. “Just log in here,” it said, with a link. Was it the fact I was distracted? Or that Shoppers texts me details on points offers all the time? It didn’t matter: I clicked on the link, which brought me to a login page designed exactly like the PC Optimum site, entered my user information without a second thought and went about my day.
Later that evening, on a streetcar ride home from watching a movie with friends, I scrolled through my messages again. This time I had three more messages from Optimum, all of them emails: one to tell me a new user named “Marciela” had been added to my household, a feature that allows multiple card users to pool and share points; another to confirm I had changed my account name to “Brandon Olaru,” and yet a third to congratulate me for redeeming all 200,000 of my points (worth up to $300 that weekend) in one transaction at a Shoppers location 40 minutes across town. What?
I generally think of myself as someone who, for better and sometimes worse, is a pretty skeptical person. But it turns out I’d fallen for a phishing scam that had been circulating through PC Optimum members for some time, and that this isn’t the first Optimum points scam of its kind: there are multiple reports from people who have lost anywhere from $30 to $400 worth of points since the program’s merger in 2018. That year, one Saskatoon-based woman lost more than a million points, about $1,000 worth, after, she reportedly said, her account was hacked.
Optimum members, we've been made aware that some members are receiving phishing texts, which aren't legitimate & we're investigating. Please don't click any links or reply with any personal information. If you have, please reset your PC id password on https://t.co/oosDWh5IJn ASAP
— PC Optimum (@pc_optimum) February 15, 2020
According to Loblaw, this phishing scam sends out messages in the hopes of luring people with PC Optimum accounts. “It uses phone numbers from various systems to blast Canadians with messages like this in the hopes consumers will click on the website link and access their account information this way,” Loblaw director of communications Nadine Jahangir Gerrard wrote in an email, adding that members can only securely access their account via the PC Optimum app or online at pcoptimum.ca. “For added security, we implemented multifactor authentication and regularly communicate with members to encourage them to activate two-step verification and keep them informed.”
Whoever hacked into my account waited until 7:30 p.m. that day to redeem those points—about 90 minutes after the Shoppers Drug Mart customer help line closes for the day—but a customer service rep followed up with me fairly quickly on Twitter. I was told they’d look into it and get back to me, but no word yet on how or when that will happen.
Till then, what have I learned? First, to use two-factor authentication—an extra step to verify your identity, usually a code sent to your phone or email that has to be entered when you log in—for any kind of online program I use, and question any form of personal login that doesn’t offer this as an option. Second, to count myself lucky that I made this mistake with a loyalty points program and not, say, banking or credit card information: this might’ve been a sadder story if I’d had a PC Optimum credit card attached to my account.
And third, to maybe dial back on the loyalty points fervour. If I do get my points back, I’m going to look into some local non-profit organizations to donate them to.