Scam alert: PC Optimum points stolen through 'household' feature

hooded cyber hacker stealing data or information from internet
This is what I imagine the scammer that took all my PC Optimum points looks like. (Getty)

Anyone who visits Yahoo Canada knows that we write about our fair share of scams, and how to avoid them.

So imagine my surprise when I ended up the target of a scam myself.

About three weeks ago, I got a flurry of email notifications from my PC Optimum account: “You’ve successfully joined a PC Optimum household.” “Mary has joined your PC Optimum household.” “Kim has joined your PC Optimum household.” “Mary has left your PC Optimum household.” “Kim has left your PC Optimum household.”

When I looked at my account balance, instead of the 28,000+ points I’d had in there the last time I checked, I was down to 9.

Screenshot from a phone of PC Optimum app. (Yahoo News Canada)
My points balance in my PC Optimum app the day after I reported points missing. (Yahoo News Canada)

This all happened around 7 p.m. on a Saturday, and coincidentally, the support centre for PC Optimum users closes at 6 p.m., and doesn’t reopen until Monday.

Nevertheless, I filed a “missing points” inquiry with PC Optimum on their website, outlining the situation and explaining that I hadn’t added anyone to my household. This feature on the PC Optimum program allows users to send invitations to friends and family so they can all earn points together, including transferring points balances between members.

According to Loblaw, which owns the PC Optimum program, “members send an email request from their PC Optimum account to the person they want to join.”

I’d never sent an email request to anyone, I was just notified that people I didn’t know were added and removed from my account. Presumably, my points were transferred to the “new household members” in the interim, and the members were removed before I could go in and do so myself.

Not the first incident

You can find stories similar to mine dating back to late 2018, like this Redditor who had about $400 in points stolen, or this couple who lost about $300 in points in February. My loss was worth about $28, so certainly comparatively low, but frustrating, nonetheless.

When I reached out to the public relations team for Loblaw about concerns around security breaches (but not mentioning my own), they said they were aware of a small number of incidents.

“Recently, we have heard from an extremely small subset of our more than 18 million members with concerns about stolen points. In those cases, we halt their accounts and ask them to reset their passwords,” Loblaw said in a statement.

For the record: I got an email August 2018 asking me to change my password, which I did within the week. I haven’t received any other emails telling me to change it since then.

“Over the past year, we have strengthened our security for customers, requiring a stronger, more complex password, and introducing (and in fact incenting customers to implement) two-factor authentication,” the statement continues. “We have also introduced notifications into the system, so that the primary account holder is emailed with any account information changes or redemptions.

In their defence, I had not enabled two-factor authentication when my points were transferred out of my account, which did put me at greater risk of being scammed. Based on the guidance from the PC Optimum site and sent directly from Loblaw’s, two-factor authentication is the best way to protect yourself against scammers stealing points.

“Security is also the role of the customer, and we encourage our members to take precautions with their online accounts,” Loblaw said. “Strong, unique passwords protect personal information and points. And members are encouraged to enable two-factor authentication for additional protection.”

But I’m still waiting on those points

It’s been 16 business days since I first filed my complaint via the website. I’ve had two “we’re looking into it, a specialist will reach out to you” emails (one in response to my “when is this specialist going to contact me” email), but no further contact since that time.

I called customer care directly today, asking for the status of my case. I was informed that it had been escalated to a supervisor “due to the number of points involved” and would be contacted “soon.”

Looking at the bigger picture, I didn’t lose as many points as some PC Optimum users, and it was certainly a good reminder to turn on two-factor authentication. But it’s also a reminder that scammers are out there, and eager to exploit points programs like PC Optimum, SCENE, Air Miles or Aeroplan if users of the programs and companies aren’t vigilant about keeping them out.