New Phishing Attempt Targets Amazon Users

November 21, 2019

Last month, a fresh spin on the tried-and-true email scam emerged that targeted Amazon’s more than 300 million active customers. Phishing messages that appeared to be legitimate notifications from the online retail giant attempted to trick users into sharing their account credentials, private logins, and financial information.

The fake requests required a response within 24 hours, threatening to permanently disable access to Amazon if they weren’t met. That extra push worked, tricking thousands of unsuspecting users into clicking an “Update Now” button embedded in the email.

That led to a convincing simulation of Amazon’s login page, which asked for account name and password followed by name, address, city, state, ZIP code, phone number, and date of birth. Next, users were prompted to enter their credit card or bank account information as a final form of identity confirmation, which led to an automatic logout and redirect to the real Amazon website.

Cybercriminals behind this new scheme count on several things: the appearance of a legitimate-looking Amazon web ecosystem, the confusion that sets in when users are threatened with being locked out of their accounts, and the speed with which action is encouraged.

It’s a classic phishing scenario, one that is repeated time and time again with minor variations on different platforms and websites. But it’s also one that you, your colleagues, and your company can avoid with planning, communication, and cybersecurity education.

CMIT Solutions recommends the following tips:

1) Use caution with any automated message from an unknown or suspicious contact.

Whether it arrives in the form of an unsolicited email, suspicious text message, or customer service contact, it’s smart to maintain a healthy sense of skepticism when faced with anything from an unknown sender. Look for typos or bad grammar, along with misspellings in email senders and domain names. When in doubt, mark anything unwanted as junk or forward it to a trusted IT provider to assess the threat BEFORE you click, respond, or accept.

2) Beware of time-sensitive requests.

The Amazon scam worked on thousands of people precisely because it came advertised with a 24-hour limit to act or be locked out of an account. Computer users unaware of such strategies may be more susceptible to falling for an “Enter your credit card information!” or “Act now!” prompt than those with basic cybersecurity training.

3) Navigate to the website or account in question manually to check for notifications.

In the case of the Amazon phishing scam, stepping away from the illicit email and typing www.amazon.com into your browser, then logging in and checking for any notifications related to the email, would have informed many users of the issue. In other words, think before you click ANY link in an email you’re not sure about. It’s always safer to navigate to the page in question manually so you can ensure you’re in the right place.

4) Give your employees the education they deserve.

Oftentimes, the first line of defense rests with the people who work for you. Well-trained and savvy users will quickly recognize the red flags raised by such scams. That kind of awareness adds another layer of protection alongside anti-virus, anti-malware, network analysis, and security incident monitoring solutions.
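The checks in tips 1 through 3 can also be run automatically on a reported message. The sketch below is an added example, not CMIT Solutions' tooling: the function names, flag labels, and the `.example` hosts in the constructed sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "amazon.com"  # the brand the message claims to come from
URGENCY = re.compile(r"within 24 hours|permanently disable|act now|update now", re.I)

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the red flags found in one raw email message."""
    msg = message_from_string(raw)
    flags, links = [], LinkCollector()
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    # Tip 1: the display name says Amazon, but does the sender domain?
    if "amazon" in display.lower() and not belongs_to(sender_host, TRUSTED):
        flags.append(f"sender-domain-mismatch:{sender_host}")
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    links.feed(body)
    for href in links.hrefs:  # Tip 3: where does each button or link really go?
        url = urlsplit(href)
        if url.scheme in ("http", "https") and not belongs_to(url.hostname, TRUSTED):
            flags.append(f"off-brand-link:{url.hostname}")
    if URGENCY.search(body):  # Tip 2: deadline and lockout wording
        flags.append("urgency-language")
    return flags

# Constructed sample message for illustration; not a captured phishing email.
SAMPLE = """From: "Amazon Support" <no-reply@amazon-billing.example>
Content-Type: text/html; charset=utf-8

<p>Your account will be permanently disabled unless you respond within 24 hours.</p>
<a href="https://amazon.com.account-verify.example/signin">Update Now</a>
"""
```

Calling `triage(SAMPLE)` returns all three flags. The suffix comparison in `belongs_to` is what keeps a host that merely begins with `amazon.com.` from passing as the real site.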

At CMIT Solutions, we take phishing scams like the one outlined above seriously. We work hard to identify ongoing threats, alert our clients about the problem, and mitigate any consequences before they wreak havoc on computers, mobile devices, networks, and business data.

If you’re looking for an IT provider you can trust, contact CMIT Solutions of Cary-Apex today. We worry about cybersecurity so you don’t have to.

Contact:
Prakash Inuganti, President
pinuganti@cmitsolutions.com, (919) 443-0086