New Amazon Scam Phishes Victims with Call Center and Legitimate Amazon Pages

As Americans increasingly rely on Amazon for shopping – particularly with the upcoming holiday season – security experts are warning of a new phishing scam that utilizes a call center to give it more seeming legitimacy.

Beginning in October of 2021, cyber security experts noted incidences of a new type of attack in which fraudsters “spoof” a typical Amazon order confirmation, according to a report published this week by Avanan.

It works like this: recipients receive an email informing them about a high-ticket order they have supposedly placed. The links in the email direct victims to a legitimate Amazon page with an item, usually priced in the hundreds of dollars. Victims panic, thinking the order is an error. The email directs callers to a fake call center unaffiliated with Amazon to fix or “cancel” the order.

While no one will answer the call, a scammer will place a call back a few hours later after “harvesting” the phone number. The goal of the attack is to have the victim read credit card information to the call center. Scammers inform the called party that to cancel the order, a credit card number and CVV number are required.

The phone number for the fake call center is a U.S. based number, according to Avanan, but the scam originates in India. The scam is effective because it uses links to genuine Amazon pages, according to the company.

“In this email, the hackers convincingly spoof a typical Amazon order confirmation notice,” said Avanan on its web site. “All links go directly to Amazon’s site. This means that even the most trained user will click on it. What would set off alarm bells is the actual email address, which comes from a Gmail address.”

Security professionals are advising recipients of any emails about an Amazon order to check the email address of the initial message, and not to call unfamiliar numbers. 

Edited by Luke Bellos