Don’t Bite: How To Avoid (and Report) Amazon Phishing Attacks

One of the most impressive things about Amazon is the sheer breadth of its ecosystem.  You can watch your favorite Amazon Prime shows and movies on your Fire tablet, read books on your Kindle, have Alexa call your Uber or use Amazon Pay to make a donation to charity.  Of course, Amazon’s own storefront and its third-party “marketplace” sellers make it the greatest shopping mall imaginable. 

The flip side to Amazon’s inescapable dominance is that criminals have learned to harness its visibility and familiarity to fuel their scams.  One of the most common ways you’ll experience this is through phishing attacks claiming to come from Amazon (if you haven’t seen one yet, you will soon).  Let’s take a few minutes to review what those attacks can look like, how to identify them, and how to report Amazon phishing through the appropriate channels. 

About Amazon Phishing Scams

Phishing scams can take a wide variety of forms, but they all follow the same basic principle:  By ostensibly coming from a source you trust, they’ll attempt to trick you into divulging sensitive information, clicking a malicious link or paying out some of your hard-earned money under false pretenses.  You might receive these messages through emails, social media, text (SMS phishing, or “smishing”) and even phone calls (voice phishing, or “vishing”). 

Amazon-centric phishing attacks may use any of those approaches, with varying degrees of credibility.  The company’s own consumer fraud detection page acknowledges, for example, that some departments really do make outbound phone calls.  If you’ve recently ordered from Amazon — and in any given week a lot of us have — then a message about an errant package sounds pretty plausible. 

Specific Amazon Phishing Scams

Let’s take a moment to break down some of the most common Amazon phishing scams and what they look like.

Delivery Failure/Tracking Number Scams 

This is one of the most common phishing scams you’ll encounter.  You’ll receive a text or email informing you that your Amazon order, tracking number [x], could not be delivered and instructing you to click the included link to correct the problem.  If you click, scammers have the option of installing malware on your device or taking you to a bogus Amazon login page where they’ll harvest your username and password (and any additional information you might give them). 

The “Suspicious Activity on Your Account” Scam 

This one can happen as an email, text or even a phone call.  The message is the same, either way:  There’s been a suspicious charge on your account, and the fake representative will help you fix it.  If you fall for it, the scammers have numerous ways to exploit you including installing malware or getting your bank information so they can “credit your account” for the fraudulent purchase.

The “Payment Failed” Scam 

Another common Amazon scam tells you that your recurring payment with Amazon — for Prime services or product subscriptions — has failed and that they need to verify your payment method.  Again, this scam may come as a phone call or a text/email message.  Either way, once you’ve given the caller your payment or clicked the link and filled out the form, scammers have your bank or credit card information (and if you’re very unfortunate, they’ve also installed malware on your system or scammed additional personal information). 

The “Refund” Scam 

A caller, claiming to be from Amazon, informs you that you’ve been overcharged at some point and that they just need your up-to-date banking information or credit card number in order to complete the refund.  But these scammers are far more interested in making a withdrawal than a deposit.

Fake Amazon Pay “Invoice”

Amazon offers a service called Amazon Pay, which allows you to use the payment methods you’ve saved on your Amazon account in order to pay for products or services on non-Amazon sites.  That’s perfectly legitimate and convenient — but in this scam, when you attempt to make a purchase on a website using “Amazon Pay,” it generates either an “invoice” or a pop-up requesting payment in the form of an Amazon gift card claim code. 

That’s never, ever legitimate:  You can’t use Amazon gift cards for purchases anywhere but Amazon, even if they’re already loaded to the account you’re using with Amazon Pay. 

Amazon “Guarantees Your Purchase” 

Similarly, dubious sites may display Amazon logos prominently and tell you that your purchase is “guaranteed by Amazon,” as well as that the retail giant will handle the refund if you’re not satisfied.  Then you’ll be prompted to send money by Amazon Pay or in the form of a gift card.  Again, this is completely bogus. 

Payment via Redirect 

In this one, the scammers’ site again displays a prominent Amazon or Amazon Pay logo.  When you click on it as your payment method, you’re redirected to another site — which may be a faux Amazon page or just a generic form — in order to enter your actual payment information. 

These aren’t by any means the only ways criminals can exploit Amazon’s sprawling commercial empire.  Businesses that use Amazon Web Services to host their websites or provide cloud-computing services have a whole host of other potential phishing attacks to worry about, and Alexa — the company’s popular voice assistant — has reportedly had security vulnerabilities in the past.

Recognizing Amazon Phishing Scams

So how can you identify Amazon phishing scams and protect yourself from them?  In practice, there are several steps you can take.  These include: 

Learn How To Recognize a Spoofed Email 

It’s possible for scammers to spoof an email to make it look like it comes from Amazon, but there are ways to unmask them.  This can take some technical knowledge, but using Gmail’s Priority Inbox and strong spam filter settings (and keeping your web protection software up-to-date) is a good first step.

Look at the Real URL for a Link

Links in messages sometimes show their URL, but more often they’re “masked” under a button or a phrase of text.  To see the actual link, hover your mouse over it (don’t click!) or long-press it on a mobile device.  The real URL will show up. 

Don’t Click a Link in a Message

Better yet, make it your practice to never click a link in a message.  Ever.  That works for all phishing scams, not just the ones name-checking Amazon. 

Log In to Your Account To Verify Messages 

When any call or message claims to relate to an order, a refund or a payment issue, don’t respond directly.  Instead, log in to your Amazon account through Amazon itself and check your orders and your payments.  If the problem is legitimate, you’ll be prompted — on the Amazon site itself — to take any necessary steps.

Know What Amazon URLs Look Like 

A genuine Amazon URL will always be in the format of [something].amazon.com.  If it comes from Amazon Pay, for example, it might be payment.amazon.com.  A URL that looks vaguely plausible, such as amazon.accountsreceivable.randomletters.co, is not legitimate.  The only exception to the amazon.com rule comes in the case of localized Amazon sites, like amazon.ca in Canada and amazon.co.uk in Great Britain.  
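The hover check and the domain rule above can be automated over the HTML body of a message. The following is an added example, not code from Amazon or from the original article; the function names, the allow-list (limited to the three domains named here) and the sample message are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The three domains the article names; extend for other localized Amazon sites.
AMAZON_DOMAINS = ("amazon.com", "amazon.ca", "amazon.co.uk")

def is_amazon_host(url):
    """True only when the URL's host is a listed domain or a subdomain of one."""
    if "\\" in url:  # browsers treat "\" as "/", urllib does not: refuse to guess
        return False
    try:
        host = (urlsplit(url.strip()).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. unbalanced "["
        return False
    return any(host == d or host.endswith("." + d) for d in AMAZON_DOMAINS)

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Label each link: 'amazon', 'masked' (text names Amazon, target is elsewhere) or 'other'."""
    parser = LinkAudit()
    parser.feed(html)
    return [(t, h, "amazon" if is_amazon_host(h) else "masked" if "amazon" in t.lower() else "other")
            for t, h in parser.links]

# Constructed sample message; the first target is the article's own bogus example.
SAMPLE = ('<a href="https://amazon.accountsreceivable.randomletters.co/track">'
          'www.amazon.com/your-orders</a> '
          '<a href="https://payment.amazon.com/help">Amazon Pay help</a>')

if __name__ == "__main__":
    for text, href, verdict in audit_links(SAMPLE):
        print(f"{verdict:7} {text!r} -> {href}")
```

The comparison is made on the parsed host with a dot boundary, so a URL that merely contains "amazon.com" in a subdomain label, in the userinfo before an "@", or as the tail of a longer name is not accepted.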

Verify Any Phone Number You’re Supposed To Call

If an email, text or voicemail message gives you a number to call, use Spokeo’s search tools to attempt to verify it.  If the number shows as registered to a person instead of Amazon, it could be bogus. 

Verify Incoming Phone Numbers 

Checking incoming calls is worthwhile, too, even though criminals can spoof caller ID information.  A Spokeo search on the phone number may reveal reputation score information indicating numerous recent complaints about it.  This can indicate that it’s being actively exploited by number-spoofing scammers. 

Know What Amazon Won’t Do 

If a call or message wants you to confirm or provide personal information or banking information, that’s not Amazon.  If they’re asking for payment in gift cards, that’s not Amazon.  If they’re offering an unexpected refund, that’s not Amazon.  The company’s help page on identifying real and fake calls or messages can help you decide what’s legitimate and what’s not.  The page on gift card scams is pretty helpful as well. 

Report Amazon Phishing Attacks

Reputation is everything in the online world, and Amazon is zealous in protecting its brand.  If you suspect you’ve encountered an Amazon-related scam, the company definitely wants to know.

  • For suspicious email messages, submit them to stop-spoofing@amazon.com.  Amazon prefers you to send the suspect message as an attachment, but forwarding it will also work. 
  • For potentially bogus websites, copy the URL and paste it into your email. 
  • For calls or text messages, report those first to the FTC at its Report Fraud website.  You can also contact Amazon through its interactive problem resolution chatbot, which will put you in touch with a member of the Customer Protection Review team.  If you’re worried that you may have been exposed to a scammer, or that your account may be at risk, they can help. 
  • It’s never a bad idea to report any online scam or phishing attack to the FBI’s Internet Crime Complaint Center (IC3) as well. 

After a Phishing Attack

After you report an Amazon phishing attack, you may want to take a few extra steps to protect your account and your identity in general, even if you’re pretty sure the scammers came away empty-handed.  These might include: 

Changing Your Amazon Password and Making It Stronger

If there’s any chance scammers might have your Amazon password (you can test it at a website called Have I Been Pwned?), you should change it and make it stronger.  In fact, you should probably do that anyway.  If you find it hard to remember passwords, use a password manager.

Getting Identity Theft Protection

If you’re at all concerned that scammers may have gotten some of your information (or if your password showed up as compromised), you should consider our identity theft protection service, Spokeo Protect.  It’ll warn you if criminals offer your personal information for sale on the dark web, and the affordable subscription options offer a choice of additional services. 

Add Another Authentication Option 

Protect your Amazon account by setting up another authentication option.  This might be a code texted to your phone, a hardware key or something as simple as enabling push notifications on the Amazon app.  (If someone tries to log in, you’ll be notified and have to manually approve it.)

Secure Your Account 

This is the Amazon-safety equivalent of “break glass in case of emergency.”  If you think you might have fallen for a scam, log in to Amazon immediately, go to your Login & Security settings and choose “Secure Your Account.”  You’ll confirm the login by email or phone (whichever your account is set up for) to verify that it’s you, and then you’ll be able to see all current logins to your account.  If there are logins you can’t account for, you can sign them out (and then change your password immediately). 

Be Wary but Confident

It’s an unfortunate fact of life that wherever people congregate, and wherever money changes hands, criminals will be there and attempt to take advantage.  That doesn’t mean you need to live in fear, just that you need to be aware of the possibilities and take sensible precautions. 

Following the few simple rules outlined here can help you avoid almost all Amazon-related scams and (for that matter) most online scams in general.  If only the rest of life’s problems were so straightforward!

References:

Amazon – Identifying Whether an Email, Phone Call, Text Message or Webpage Is From Amazon

Detroit Free Press – Amazon Scammers Are Slick, Good at What They Do:  Here’s What To Watch For

Amazon Pay – Internet Scams and Phishing

Check Point Research – Keeping the Gate Locked on Your IoT Devices:  Vulnerabilities Found on Amazon’s Alexa

Amazon – Common Gift Card Scams

Amazon – Report Suspicious Emails, Phone Calls, Text Messages or Webpages

ReportFraud.ftc.gov – Report To Help Fight Fraud!

Amazon – Fixing Things Is Quick and Easy

U.S. Federal Bureau of Investigation – Internet Crime Complaint Center (IC3)

Have I Been Pwned? – Pwned Passwords
