If you came here looking to sign in to a Costco account, navigate to the official retailer domain by typing it yourself or by opening a bookmark you saved while on the real site. This page does not contain a sign-in form. It explains the real process so you can recognise a legitimate flow and spot a fraudulent one.
Why an orientation page exists for sign-in
Account sign-in pages for large retail membership programs are among the most impersonated web pages on the internet. The reason is straightforward: a membership account holds purchase history, a saved payment method, and renewal billing information. A stolen credential gives an attacker access to all three. Because the warehouse club's membership model ties a physical card to an online account, a compromised credential can also be used to order to a different delivery address before the member notices anything.
The most effective protection is recognition. A member who knows exactly what the real sign-in flow looks like spots a deviation in seconds. A member who has never looked closely at the real flow may fill in a convincing imitation without hesitation. This page describes the real flow so thoroughly that the contrast with a phishing page becomes obvious.
What the real sign-in flow looks like
The warehouse chain's sign-in process begins at the domain printed on the physical membership card. There is one correct domain; variations with hyphens, added words, a swapped or dropped character, or the real name placed in front of some other domain (so that it reads as a subdomain of the attacker's site) are not it. The page loads over HTTPS, shown by a padlock or equivalent connection indicator in the address bar; a certificate warning means leave. That indicator proves only that the connection to whatever domain is in the address bar is encrypted. Phishing sites obtain valid certificates routinely, so the padlock is never a substitute for reading the domain.
The sign-in form itself is minimal: an email address field and a password field, a submit button, and links to password reset and account creation. It does not ask for a membership card number at this stage. It does not ask for the last four digits of a Social Security number. It does not ask for a PIN. These are common additions on phishing pages designed to harvest more than just a password — if you see them on what you believe is the sign-in page, the page is not what it claims to be.
After submitting valid credentials, the platform may present a multi-factor authentication challenge before displaying the dashboard. The challenge is a short-lived numeric code, delivered by text message to the phone number registered to the account or generated by an authenticator app you enrolled earlier. Enter that code only on the page you navigated to yourself. If a caller who claims to be the retailer's security team asks you to read the code aloud, hang up: a code read to a caller is a code handed to whoever is signing in as you at that moment, and no legitimate support desk asks for one by phone.
The four-step walkthrough
The HowTo schema embedded in this page describes the four steps in machine-readable form. In plain prose they are: verify the domain before typing anything; enter only your email and password; complete the MFA challenge if prompted; and confirm the dashboard shows your familiar account details before trusting the session. Each step has a single decision point where a phishing attempt typically diverges from the real flow.
Step one is the most important. Typing the domain directly, or opening a bookmark you created while on the real site, is the only reliable defence against typosquat domains: addresses that substitute, drop or add a character, or add a word, so that they pass as the real domain at a glance. Search-engine results and email links are less reliable entry points because both can lead to imitation pages (malicious ads and spoofed senders are the usual routes). Typing directly costs a few seconds and provides near-complete protection against that vector; a bookmark also removes the risk of a typo on your side.
Step four is underused. Most members click through the dashboard without reading it. A quick scan of the first name displayed, the membership tier shown, and the most recent order listed takes five seconds. A mismatch on any of those signals means either that you signed in to the wrong account or that someone else has accessed yours. Neither situation should be ignored.
Password managers: how they help
A password manager stores a unique, randomly generated password for each site and fills it automatically when the browser is on the domain the credential was saved for. That last part is the security benefit most people undervalue. Because the manager matches on the domain rather than on how the page looks, it will not autofill credentials on a lookalike site, even one that is pixel-perfect. If you navigate to a phishing domain and your password manager does not offer to fill, that silence is a warning. The protection only holds if you respect it: copying the password out of the manager and pasting it into the form by hand defeats the check entirely.
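As an added example (not code from this page, nor from any password manager or the retailer), the script below implements the rule that makes both step one and the password manager's silence work: it reduces a link to its registrable domain and compares that to the single domain you expect, refusing hyphenated and extra-word lookalikes, the real name placed in front of some other domain, non-HTTPS pages, and the punycode (xn--) labels browsers use for homoglyph domains. The saved domain is the retailer's as named on this page; the sample links are constructed for illustration, and the two-label suffix rule is an assumption (a real matcher consults the Public Suffix List).

```javascript
// Added example, not code from this page or from any password manager or
// retailer: the domain-matching rule an autofill matcher applies before it
// offers a stored credential, reused here as a pre-click check on any link.
// SAVED_DOMAIN is the retailer domain this page names; the lookalike URLs at
// the bottom are constructed for illustration and are not known phishing sites.

const SAVED_DOMAIN = "costco.com";

// Registrable domain = last two labels. Assumption: a plain two-label suffix;
// a production matcher consults the Public Suffix List for co.uk-style suffixes.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Decide whether a manager holding a credential for savedDomain should fill on href.
// Returns { fill, reason } so the reason can be shown to the user.
function autofillDecision(href, savedDomain = SAVED_DOMAIN) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { fill: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { fill: false, reason: "not HTTPS" };
  }
  // URL() converts Unicode labels to punycode, so a homoglyph domain shows up as xn--.
  const host = url.hostname;
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { fill: false, reason: "internationalised label (possible homoglyph of the brand)" };
  }
  const reg = registrableDomain(host);
  if (reg === savedDomain) {
    return { fill: true, reason: `registrable domain ${reg} matches` };
  }
  // Mismatch: name the trick so the user learns to recognise it next time.
  const brand = savedDomain.split(".")[0];
  if (host.startsWith(savedDomain + ".")) {
    return { fill: false, reason: `real domain used as a subdomain of ${reg}` };
  }
  if (reg.includes(brand)) {
    return { fill: false, reason: `brand name with a hyphen or extra word: ${reg}` };
  }
  return { fill: false, reason: `unrelated domain ${reg}` };
}

// Constructed sample links (illustrative only; paths are made up).
const SAMPLE_LINKS = [
  "https://www.costco.com/sign-in",
  "http://www.costco.com/sign-in",
  "https://costco-member-rewards.com/login",
  "https://costco.com.verify-account.net/login",
  "https://xn--80ak6aa92e.com/", // how a browser renders a Cyrillic homoglyph domain
  "https://example.com/",
];

for (const link of SAMPLE_LINKS) {
  const { fill, reason } = autofillDecision(link);
  console.log(`${fill ? "FILL   " : "REFUSE "} ${link}  (${reason})`);
}
```

Run it with node. The reason string is what a good manager would surface instead of silently declining to fill; the same check, applied to a link before you click it, is step one made mechanical.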
The secondary benefit is password uniqueness. The most common way warehouse-club accounts are compromised is not through a direct attack on the retailer's systems but through credential stuffing: attackers take a leaked password from an unrelated breach and try it on retail accounts. If the retail account password is unique — which a password manager ensures — credential stuffing fails by definition.
Setup takes about thirty minutes for a first-time user. Most major password managers offer free tiers sufficient for personal use. The CISA Be Cyber Smart guidance includes a primer on password hygiene and credential management that covers the topic from a federal cybersecurity perspective.
Multi-factor authentication in practice
MFA at a retail membership site typically takes one of two forms. The most common is an SMS code sent to a registered phone number. The less common but more secure option is a time-based one-time password (TOTP) generated by an authenticator app from a secret shared at enrolment and the current time. The SMS method is additionally exposed to SIM-swap attacks, in which the attacker has your number moved to their own handset; the authenticator-app method has no dependency on the phone network at all. Neither method resists a live phishing relay, where the attacker forwards your code to the real site as you type it on theirs, which is why the code is only ever entered on the domain you navigated to yourself. Both are still dramatically more secure than a password alone.
When enabling MFA, the platform usually presents backup codes — a set of one-time-use strings that can sign you in if you lose access to your phone. Store these somewhere secure and offline. A member who loses their phone and has not saved backup codes may face a lengthy account-recovery process. The ten minutes spent saving backup codes during MFA setup prevents that situation entirely.
Phishing red flags: a reference table
The table below lists the most commonly observed phishing red flags in warehouse-club impersonation attempts. Each row describes the flag, the behaviour it signals, and the correct response. This table draws on publicly reported phishing patterns and aligns with guidance from the FTC and CISA.
| Phishing red flag | What it signals | What to do instead |
|---|---|---|
| Domain contains a hyphen or extra word | Typosquat or lookalike domain designed to capture credentials | Close the tab; navigate to the official domain by typing it directly |
| Sign-in form asks for membership card number | Credential harvesting beyond a standard login flow | Leave the page immediately; the real sign-in form does not ask for this |
| Urgent email: "Your account will be suspended in 24 hours" | Social engineering to create panic and bypass critical thinking | Do not click the link; go directly to the site and check account status |
| Caller asks you to read your MFA code aloud | Real-time phishing attack intercepting your session | Hang up; the real platform never asks for MFA codes by phone |
| Text message: "Claim your unclaimed Costco reward — link expires tonight" | Fake reward scam; the retailer issues the annual Executive reward through the membership itself, and it is never claimed through a link in a text message | Delete the message; forward it to 7726 (SPAM), the spam-reporting number used by US carriers |
| Sign-in page has no HTTPS or shows a certificate warning | Insecure connection: credentials sent unencrypted, or a certificate that does not match the domain in the address bar | Leave the page immediately; never click through a certificate warning on a sign-in page. The reverse does not hold: a valid padlock does not prove the site is genuine |
The account dashboard after sign-in
A successful sign-in to the warehouse-club platform brings the member to a dashboard that shows membership status, upcoming renewal date, recent order history, and navigation to saved payment methods and delivery addresses. Members who use the Costco-branded Visa will see a separate card-management portal linked from the dashboard — that portal is operated by the issuing bank, not the retailer, and navigating to it opens a different domain.
If the dashboard shows an unfamiliar delivery address or an order you do not recognise, change your password immediately, revoke any saved sessions if the option is available, and contact the retailer's member-services desk to flag the account. If a saved payment method was used on the unrecognised order, contact the card issuer as well. Do not wait to see if the order resolves on its own.
I knew what phishing emails looked like in theory but I had never seen the sign-in flow described step by step before. After reading the orientation page I set up a password manager and turned on MFA the same afternoon. The red-flag table was the most useful part — it was specific enough that I could actually act on it, not just nod along.
— Eunomia V. WycliffHub reader · Portland, OR