Unfortunately, with the world we live in, especially with any type of highly visible promotions or sales, scammers will try to take advantage of the situation. Remember last year’s Amazon Prime Day phishing scam? Consumers around the world received an email promising a $50 bonus for writing a product review, or an email stating there was a problem with their payment method or shipping information. When they clicked on an embedded link, they went to a bogus login page designed to harvest their credentials.
While our primary focus is enterprise security and protection, we do feel that we have an obligation to highlight these types of potential consumer fraud threats. We are all in this together, and all of us are consumers who shop, sometimes while at work, each and every day.
So, if there’s another scam this Amazon Prime Day, July 16-17, it could become everybody’s problem. History repeatedly shows us that the best way to combat these types of problems is through awareness and education. If your business uses a phishing awareness solution like Cofense PhishMe™, your users would know NOT to click on email links or attachments—365 days a year, not just on Prime Day. They’d also know to report any suspicious emails to your security team. However, due to the broad nature and potential impact of these types of consumer scams, we at Cofense™ wanted to review some examples of last year’s scams, in addition to providing some handy tips that could help you, your friends and family, and your users.
Here’s an example of one of the 2017 Prime Day emails:
Amazon Prime Day Tips: What Users Should Look For
Fake Orders—If you receive an email claiming to be from Amazon confirming an order that you did not place, it’s a scam. Instead of clicking links within the email, type Amazon.com into your browser, sign in and go to the Your Orders page to verify your purchases. If you didn’t buy the item from the email, it’s a phishing scam.
Credential Request—Amazon does not send emails requesting your username and/or password. If you receive an email like this, it’s a scam.
Request to Update Payment Information—You should never click a link within an email asking you to update your payment information. Instead, go to your Amazon account and click Manage Payment Options in the Payment section. If you are not prompted to update your payment method on that screen, the email is not from Amazon.
Fraudulent Links—If you receive an email with a link that supposedly goes to Amazon, hover over the link with your cursor. If it does not say that it’s going to direct you to Amazon, it’s a phishing scam.
Attachments—Emails purportedly from Amazon that contain attachments or prompts to install software on your computer are scams.
To this list let’s add: Fake notifications about an Amazon Prime subscription, emails regarding shipping issues, and requests to validate your Amazon Prime account.
Our Additional Tips: A Few Other Words to Browse By
Again, these best practices apply all year long, not just during Amazon Prime Day, the winter holidays, or grandma’s birthday.
- When in doubt, skip email and use the Amazon App. Amazon has applications for phones and tablets. When you use the App, you know you are interacting with Amazon.
- Check the sender’s email address (not just the display name). While email addresses can be spoofed, or faked, often attackers will just spoof the display name, not the actual email address the email came from.
- Remember that Amazon, and most online services, won’t send you an email requesting your username or password.
- If you receive an email stating you made an order, and you don’t recall or are sure you did not place the order, open up a browser and manually log in and check your order history. Do not click on any links in the email.
- When possible, use unique passwords for different services. This will minimize the impact and exposure if your account or password is ever compromised. Password manager applications make this a breeze.
- Most emails that come from Amazon will never contain an attachment. If you did purchase something from Amazon that requires a download (music, software, video game, etc.), it is safest to log into your Amazon account manually and download the item directly from there.
It’s all pretty standard stuff, but unfortunately people fall for it all the time. An ounce of prevention is worth avoiding a pound of cyber headaches. Happy Prime Day!
To learn more about the emotional motivators attackers lure users with, view the 2017 Cofense Resiliency and Phishing Defense Report.