Ad Alert

CVS Rewards Phishing Scam

TINA.org reader receives a suspicious email.

Recently, a TINA.org reader received an email from what appeared to be CVS offering a free gift worth up to $100 in exchange for completing a short survey. But there’s more to this offer than meets the eye.

When you click “Get Started” in the email to start the survey, you are taken to a page replete with positive reviews for products purportedly obtained by other survey respondents along with a countdown showing that you have a limited amount of time to accept the offer (red flag alert). If you accept and take the 8-question survey regarding your experience at CVS Pharmacy, you’ll be presented with some free “exclusive rewards,” such as a robot vacuum, a foot massager or even a smartwatch.

No matter which product you choose, a pop-up informs you that you only have to cover shipping costs to receive your prize. And while this may seem like a small price for a robot vacuum or a wireless speaker, it could cost you more than you think.

That’s because although the email appears to come from the “CVS Rewards Team,” if you hover over or click on the sender’s name, the actual email address shows no association with CVS whatsoever.

That’s because CVS didn’t send the email. What’s going on here is what is known as phishing — when a scammer poses as a legitimate entity in an attempt to steal personal information. Following the prompts provided by the scammers could result in malware or ransomware being downloaded to your computer, and could also reveal personal information about you that scammers can then use to steal your money or maybe even your identity.

According to the FTC, phishing scams can use various deceptive tactics to make consumers believe the issue is urgent, including posing as the IRS, claiming you have a missed delivery, texting about “unpaid tolls” and much more.

With respect to the CVS look-alike email above, CVS told TINA.org that all legitimate communications regarding its rewards program, ExtraCare, will come from the email address [email protected]. CVS also said that anyone who receives this email should immediately delete it, may submit concerns to its Vulnerability Disclosure Program, and can visit its security webpage regarding ways its customers can protect themselves from fraudulent communications.

If you receive an email like this, it’s a good idea to hover over the name to verify the sender’s actual email address before clicking on any links. And it’s always a good idea to check with the company directly (using verified contact information provided on its official website) if you believe that an institution you’re involved with is contacting you.

Lastly, the FTC advises that consumers use multi-factor authentication for their accounts, update their devices so they have the protection of the latest security tools, and back up all their data in order to protect themselves against these kinds of scams.



Our Ad Alerts are not just about false and deceptive marketing issues, but may also be about ads that, although not necessarily deceptive, should be viewed with caution. Ad Alerts can also be about single issues and may not include a comprehensive list of all marketing issues relating to the brand discussed.

