By Eric Howes, KnowBe4 Principal Lab Researcher.
Now that it's the holiday season, malicious parties across the globe are exploiting Amazon's good name and popularity with consumers to swindle unsuspecting victims out of money, personal information, and the credentials to their Amazon accounts.
The number of phishing emails spoofing Amazon that are reported to us every day by customers using the PAB (Phish Alert Button) has exploded over the past few weeks. These phishes run the gamut from offers of free Amazon gift cards...
...to purported information regarding problems with Amazon accounts or updates on Amazon orders and shipments:
And now, it would seem, malicious actors have also turned to spoofing Amazon via well-executed scam phone calls done by persons apparently familiar with Amazon's support scripts and phone protocols.
A Late Night Phone Call
Last evening I received a phone call from someone claiming to be from Amazon. The person calling me was male, and background noise on the call seemed to indicate he was working in a call center of some sort.
This caller stated that he had a message for me from Amazon but needed to verify some security information first to confirm my identity before providing me with the message. He then asked me to provide the email address on my Amazon account. Your email address, it's worth noting, functions as the login name for your Amazon account.
Given that this was an unsolicited phone call and that it had come in at 11 pm, I refused. I also told him that it was highly irregular for Amazon to be calling unsolicited and asking for security information on the account. He then stated that he would need to terminate the call, which he did.
I immediately called Amazon's 888 support number (which I have called several times over the years) and reported the suspicious call. The person I talked to also asked for security information -- which I provided -- and then sent a text with a security confirmation number to the phone number I had entered when I set up 2FA (two-factor authentication) on my Amazon account.
A few minutes after ending the second call, I received an email from Amazon Support confirming that the first call I received was in fact fraudulent.
It's important to note that this was no ordinary scam phone call. Some context is necessary here. Last week I called Amazon support over an issue and dealt with a support tech who ended up calling me back. In the process I captured the number he called from on my phone and added it to my contacts list under the name "Amazon Support."
The fraudulent call I received at 11 pm yesterday evening popped up on my phone as "Amazon Support" from the same number I had captured the previous week. That's right: the same number. That tells me that the malicious party behind that fraudulent phone call had gone to the trouble of spoofing the phone number from one of Amazon's own call centers.
All told, the fraudulent phone call I received was very slickly performed. The caller sounded like an Amazon support tech and used the same language I would have expected from a real Amazon support tech. When I refused to provide any security information, he politely ended the call instead of pressuring me for the information. And, of course, the call came from a spoofed phone number.
Lessons Learned & Confirmed
There are several takeaways here.
First, do not provide personal information, account information, financial information, or security-related information in response to unsolicited phone calls, texts, or emails. Do not click links or open attachments provided in unsolicited emails or texts.
Most readers have undoubtedly heard this advice before. But it's one thing to nod sagely at the wisdom of this kind of advice; it's another thing entirely to act on it when you've got a polite-sounding voice in your ear effectively asking you to give up the goods.
Have the courage to say "no." At the end of the day it's your account, your security, and your money.
If you're wondering whether a phone call, email, or text is genuine, then call back using a phone number you know to be legitimate or visit the company's web site directly and engage the company's support services using information provided on that official web site.
Second, if you haven't done so already, set up 2FA on your online accounts -- especially those accounts that have bank accounts or credit cards attached to them.
Third, be smart. A legitimate company like Amazon is not going to call you out of the blue at 11 pm or violate well-known security best practices by asking for security information on an unsolicited phone call. Remember, too, that caller ID can be spoofed, so a familiar name or number on your phone's display is not proof of who is calling.
Christmas is supposed to be time for celebrating with friends, family, and loved ones. It's not supposed to become yet another opportunity to hand over your hard-earned money to the bad guys so that they can give all their own friends and family a merry Christmas at your expense.
Free Phish Alert Button
Do your users know what to do when they receive a phishing email? KnowBe4's Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click!
Phish Alert benefits:
- Reinforces your organization’s security culture
- Users can report suspicious emails with just one click
- Incident Response gets early phishing alerts from users, creating a network of “sensors”
- Email is deleted from the user's inbox to prevent future exposure
- Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)