Amazon is ripe for scams. The online retail juggernaut has grown even larger during the pandemic as more people shop online. It’s no surprise that scammers are taking notice.
A scam need not involve a direct attack on victims. A cybersecurity group found millions of records showing deals between sellers and reviewers designed to pump up a product’s ratings and appeal. Tap or click here to see how to spot these fake reviews.
This is not to say you’re safe just by avoiding products with fishy ratings. Crooks are reaching out to their victims directly using Amazon as bait. Keep reading to find out the latest tricks and what to watch for.
Voice + phishing = vishing
Phishing is when a scammer impersonates a brand or company to get personal information and/or money from their victims. These attempts typically come through email, text, social media, etc. Vishing, on the other hand, is a type of phishing that focuses on voice calls. They could call directly or leave phone numbers in emails and other types of messages.
Cybersecurity researchers at Armorblox detailed two Amazon vishing attacks happening right now, targeting victims’ credit card numbers.
The first attack
The first attack came through Gmail in a message titled “Invoice:ID.” It contained an invoice number and visual cues resembling messages from Amazon and was sent to about 9,000 inboxes.
The message stated that an order for an LG television set and an Xbox gaming console had been placed, totaling nearly $1,000. Unwitting recipients who know they didn’t place such an order might call the provided phone number to sort things out. That’s where the scammers strike.
The Armorblox team called the number and got an actual person on the line who pretended to work for Amazon. The scammer asked for the customer’s name, order number and credit card details before cutting the call. The team believes that if they had been able to keep the crook on the line, more sensitive information may have been requested.
Look closely at the following two words contained in the message: “AMAZ0N TEAM.” Notice something strange? The zero in the word “Amazon” helped scammers bypass spam filters and blocklists that look for impersonators.
The second attack
The second email scam came from a fake address, “firstname.lastname@example.org,” and hit about 4,000 inboxes. The title was “A shipment with goods is being delivered.” The message included an order number for an item amounting to nearly $600.
As with the first email, this one did not include any functional links but just a phone number to call for assistance. When the team called the number, they got just a ringtone. They took down the number a few hours later, but the perpetrators could easily set up another line and use the same email with that phone number.
The scam email got through because it didn’t contain any links or brand names that could be flagged.
What you can do to stay safe
- Don’t take action simply because you recognize a brand. Take the time to read everything.
- Look for red flags such as brand names that seem off, spelling errors, unnecessary punctuation and bad grammar.
- Don’t give away your sensitive information over the phone. If you’re unsure, hang up and seek out official sources for contact information.
If you do receive an email or phone call claiming to be from Amazon, don’t blindly trust it. Instead of calling the number included in the message, make sure you’re contacting Amazon through its official means. Tap or click here to safely contact Amazon.