People unaware of such scams were defrauded of tens of millions of dollars over the past year. In the United States alone, the FBI's count of reported phishing incidents rose from 114,702 in 2019 to 241,324 in 2020, more than double year-on-year.
And although the most common phishing themes are work related, with IT and health benefits in the top two spots, the fourth most common subject line for phishing E-mails in Q4 2020 began with 'Amazon: Action Required'.
In this article we'll cover the trends that led to the popularity of Amazon phishing attacks. We'll also talk about some of the warning signs, the best protection against Amazon scams, and how individuals can protect their privacy online and avoid being a target.
Amazon phishing attempts are on the rise for several reasons. All of them are related to Covid in some way, but not all of them come down to the simple numbers game of more people shopping online.
According to an award-winning paper published by the Brookings Institution, financial decision-making peaks at around age 53 and declines afterwards, so many older people gradually lose perspective on their finances. The average E-mail scam victim is 74 years old. Researchers call this 'age-associated financial vulnerability', and it is why scammers target older people whenever possible. And of course, the older generations hold more of the accumulated wealth than the young, making them more attractive targets.
What is the relevance of age to scamming in the age of Covid, and Amazon phishing in particular? Isolation.
When an older audience is forced to go online for their every need, and forced to isolate from friends and family or risk a serious illness, they lose their sounding boards. They have nobody to get a second opinion from. So during the height of the Covid-19 pandemic, the age group most vulnerable to cybercrime was left to fend for itself.
With everyone, young and old, flocking to Amazon for the things that they needed, the blueprint for scammers couldn't be clearer. Amazon phishing would prove to be a highly successful, highly lucrative route for them to take. Most of their victims would be aged 70 and above, but there would also be plenty of bored, angry, depressed, confused, and lonely people in all age brackets that they could attempt to victimize.
Once the safety nets for older folks come back, the success rate of Amazon phishing scams should go back down to normal levels. Then the much more attractive corporate targets will reclaim all of the top spots. But until then, scammers will always go after the most vulnerable first.
What all of this means is that it is more important than ever to know the warning signs of an Amazon phishing attack. This knowledge not only increases personal online safety, but can be used to keep loved ones safe as well.
The official Amazon advice for E-mail phishing attacks is clear:
“Amazon e-mails will always come from an address that ends @amazon.com (e.g. shipment-tracking@amazon.com, auto-confirm@amazon.com, no-reply@amazon.com).
Note: If you purchase from another Amazon international website, the e-mail domain will reflect the country you are purchasing from (e.g. Amazon.de will have all communication coming from @amazon.de.).”
This means that if the sender's address doesn't end in the exact domain appropriate to the country the user is dealing with (@amazon.co.uk for the U.K., @amazon.com for the U.S., etc.), beware the contents of the E-mail. Most E-mail programs show only a display name by default, and a scammer can put 'Amazon' in the display name of any address; clicking or hovering on the sender's name reveals the actual address, and it is the part after the @ that matters, not the name.
The same warning given above goes for all of the links inside of an E-mail. If they're taking the user to an unfamiliar destination, they should not be clicked on.
However, HTML E-mail lets the visible text of a link differ from its real destination, and most E-mail and webmail programs display only the text. Before clicking, hover the cursor over the link: the true destination URL appears in a bar at the very bottom of the browser (on a phone, a long press on the link usually shows the same information). That destination, not the link text, is what needs checking.
This allows users to check the legitimacy of the domain that they're being sent to. If the domain name doesn't end in the exact corporate or service address that the user believes they're dealing with, they should avoid it at all costs. Legitimate companies that have always operated out of a .com domain don't suddenly purchase a .biz domain and send official E-mails from it.
In Amazon's own words:
“Links to legitimate Amazon websites start with https://www.amazon.com or the equivalent if you're visiting an international Amazon site (e.g. https://www.amazon.fr if viewing the French site). Legitimate Amazon websites also have a dot before "amazon.co.uk" such as https://www."something".amazon.co.uk or "something".amazon.co.uk. For example, Amazon Pay is pay.amazon.co.uk. The wording before the dot will never be an IP address (string of numbers), such as http://123.456.789.123/amazon.co.uk/ .”
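Putting the sender rule and the link rules above into code, as an added example that is not Amazon's or Hoody's own: the script below parses a constructed phishing E-mail, judges the real address behind the display name, and judges every link the way the hover test does, recording the visible text next to the real destination so a mismatch is obvious. The sample message, its sender domain, the lookalike hostnames (on the reserved .example TLD) and the 192.0.2.10 address are all made up for the demonstration, and the AMAZON_DOMAINS list is the author's assumption, to be extended for other storefronts. The script also reads the receiving server's Authentication-Results header for the DMARC verdict, a check the page does not mention: the From line itself can be forged, but that header is stamped by the user's own mail server, and only dmarc=pass vouches that the From domain authorised the message.

```python
"""Added example: apply Amazon's sender and link rules to a raw e-mail.
Not Amazon's or Hoody's code; SAMPLE is a constructed phishing message."""
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed storefront list. Amazon's rule is "amazon.<tld>" for whichever
# country site the user deals with, so extend this tuple as needed.
AMAZON_DOMAINS = ("amazon.com", "amazon.co.uk", "amazon.de", "amazon.fr")


def is_amazon_host(host):
    """True only for amazon.<tld> itself or a label.amazon.<tld> subdomain.
    The leading dot matters: 'notamazon.com' and 'amazon.com.evil.example'
    both fail, as does any IP-address literal, per Amazon's own advice."""
    host = (host or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)  # parses => numeric host, never legitimate
        return False
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in AMAZON_DOMAINS)


def sender_is_amazon(from_header):
    """Judge the address after the '@', not the display name: clients show
    'Amazon' for 'Amazon <x@evil.example>' but the domain is evil.example."""
    _name, addr = parseaddr(str(from_header))
    return "@" in addr and is_amazon_host(addr.rsplit("@", 1)[1])


def classify_link(href):
    """'ok' for https://(label.)amazon.<tld>/...; otherwise why it fails."""
    parts = urlsplit(href)
    if not is_amazon_host(parts.hostname):
        return "bad domain"
    if parts.scheme != "https":
        return "not https"
    return "ok"


class LinkCollector(HTMLParser):
    """Record (href, visible text) for every <a>, mimicking the hover test:
    the text is what the reader sees, the href is where the browser goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Sender verdict, the receiving server's DMARC result, and a verdict
    for every link in the HTML body."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    # Authentication-Results is added by the receiving mail server, so a
    # forged From: line cannot fake it; only dmarc=pass vouches for the domain.
    m = re.search(r"dmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    return {
        "sender_ok": sender_is_amazon(msg["From"]),
        "dmarc": m.group(1) if m else "missing",
        "links": [{"href": h, "text": t, "verdict": classify_link(h)}
                  for h, t in collector.links],
    }


# Constructed sample: reserved .example domains and a documentation-range IP.
SAMPLE = b"""From: Amazon Customer Service <no-reply@amazon-account-verify.example>
To: victim@example.net
Subject: Amazon: Action Required
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amazon-account-verify.example; dmarc=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your order is on hold. Sign in: <a href="http://amazon.com.verify-account.example/login">https://www.amazon.com/</a></p>
<p>Or <a href="https://192.0.2.10/amazon.com/">verify here</a>.</p>
<p>Help pages: <a href="https://www.amazon.com/gp/help">amazon.com/help</a></p>
</body></html>
"""

if __name__ == "__main__":
    result = check_message(SAMPLE)
    print("sender ok:", result["sender_ok"], "| dmarc:", result["dmarc"])
    for link in result["links"]:
        print("%-10s text=%r -> %s" % (link["verdict"], link["text"], link["href"]))
```

Run as is, the script flags the sender (wrong domain, DMARC not passed), flags the first link even though its visible text reads https://www.amazon.com/, flags the IP-address link, and passes only the genuine www.amazon.com help link. The domain test deliberately matches on "." plus the storefront domain rather than on the substring "amazon", which is exactly the distinction the quoted advice about the dot before amazon.co.uk is making.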
Finally, Amazon never asks for personal information via E-mail, and they never request payment information that is not linked to an Amazon order already placed or a service already subscribed to.
If anything looks fishy at all, it's probably a scam. Contact Amazon support to be sure, going straight to https://www.amazon.com (or whatever is appropriate for the country in question) by typing it into the address bar on top of the browser, and not by clicking on any links in that E-mail.
Even when aliased, a user's real E-mail address is most likely linked to their identity. Single-use E-mail addresses, run through a strong spam filter of course, are one of the best answers both to the Amazon phishing epidemic and to spam in general. If each new service gets its own address, any address that starts receiving scams identifies which service leaked or sold it, and the resulting misuse can be filtered or shut off with a single click of the mouse.
The problem is finding an easy way to organize and administer the dozens or hundreds of addresses that are generated from such a system. After all, some E-mails are going to be legit, and will need to be forwarded on to the user for action.
Hoody is currently developing an encrypted email feature that will allow users to generate a unique email and identity per website.
Amazon scams are usually not targeted at an individual. In other words, they're scattershot, relying on volume rather than accuracy. E-mail addresses exposed in mass breaches, such as the ones that can be checked on Have I Been Pwned, are frequent targets. Given that Amazon has hundreds of millions of customer accounts worldwide, the odds that any given address in a breach dump belongs to an Amazon customer work out in the scammers' favor.
In order to quickly recover from a security and privacy breach on a user's primary E-mail address, while keeping passwords from associated trusted sites in order, a central password manager is suggested. Services like LastPass require the user to memorize only a single strong password, and provide a way to instantly and easily change the randomly generated passwords on any site that has experienced a data breach.
Between Hoody Privacy App and a good password manager for 'real' or primary accounts, all of the bases should be covered. Amazon phishing relies so heavily on volume, those who simply limit their exposure are far less likely to receive the scam E-mails in the first place.
Many of the Amazon phishing scams try to get users to do things that they normally wouldn't by creating fake urgency or outrage. The three most common actions that lead to trouble are:
● Following links that harvest personal details. Amazon has all of this information from the user's initial signup, and would have no need to ask for them again. Refer to the section above to spot the warning signs that the E-mail and links might be fakes.
● Calling a telephone number: This is always a mistake, and not just because it verifies that the scam is working and gives the scammer a 'live' telephone number. Some of the numbers listed are paid services. Calling the wrong premium line can cost hundreds of dollars for just a few minutes.
● Replying to the Scam E-mail: It might be tempting to treat the scammer to a good screaming session in ALL CAPS. But verifying that the message got through is simply helping them to hone their spam evasion methods, and confirming that they have a live E-mail address to try in the future.
At first glance, some of these scam E-mails are badly written. There are misspellings, sentences that cut off in the middle, badly formatted tables, partial mailing addresses, and the like. A careful examination of such an E-mail will commonly reveal half a dozen of these mistakes or more.
Many of those errors are intentional. Well-structured scam E-mails are more easily detected by anti-spam and anti-scam filters, but if the suspicious calls to action are a bit garbled and the tables are badly formatted, they can often evade filtering. Scammers also rely on the human brain's habit of seeing patterns and automatically fixing errors: someone skimming a scam E-mail is likely to ignore or gloss over some or all of the intentional mistakes.
Interestingly, even setting spam filters aside, scammers can do better when the E-mail contains some mistakes. Skeptics and trolls will interact with a well-written phishing E-mail just to waste the scammer's time, unless they consider the scam 'beneath' them. Seeding the E-mail with obvious errors attracts fewer time-wasters and more people who will follow through; Cormac Herley of Microsoft Research made the same argument in his 2012 paper 'Why Do Nigerian Scammers Say They Are From Nigeria?', in which an implausible pitch acts as a filter that weeds out everyone who would not pay in the end.
Amazon phishing attempts have been on the rise because it has become a massive central hub of activity during the pandemic. Millions of new users, often in the older demographics, have flocked to the service in 2020 and 2021. This has caused a feeding frenzy for perpetrators of Amazon scams.
Other than basic awareness of how phishing attempts try to fool the reader, there are some excellent automated services that can prevent a primary E-mail address from being targeted.
2021 has seen more phishing and scamming attempts than any previous year on record. It is unlikely that this surge of criminal activity will end anytime soon. Users need to remain vigilant and use every method of protection available to them.
Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.