MailGuard began intercepting a large volume of scam emails earlier today (AEST) masquerading as Amazon. The fraudulent emails carry legitimate-looking Amazon store branding, with varying messages, although they all ultimately require users to update their account details via a link provided.
In the example below, with the subject ‘Amazon – Your Order Has Been Cancelled’ the recipient is advised that “Your recent order on AMAZON.COM has been cancelled due to fraudulent activity detected.”
Some other messages indicate that a recent order was undelivered due to an address mismatch issue. Recipients of the emails are requested to ‘Activate your account by verifying your email address.’
Users are directed to visit amazon.com/verify-my-account or to click on the ‘Verify Email’ button in the message. Once the link is clicked, users are redirected to a page that initially asks them to enter their username and password. The site presents a message advising the recipient that Microsoft has detected suspicious activity on their computer.
The emails use a display name of "Amazon Head Office" or "Amazon Support", and the "from" addresses vary; examples seen are "email@example.com" and "firstname.lastname@example.org". These emails actually come from a compromised sending address, which appears to be using a marketing platform (survivalistplan.com) both to send the message and to host the link redirects.
Ultimately the scam links to a phishing / scare site, designed to trick the user into entering their username and password or into calling a phone number listed on the site.
Amazon provides the following advice for customers.
Suspicious emails or webpages not from Amazon.com often contain:
- An order confirmation for an item you didn't purchase or an attachment to an order confirmation
Note: Go to Your Orders to see if there is an order that matches the details in the email. If it doesn't match an order in Your Account, the message isn't from Amazon.
- Requests for your Amazon.com username and/or password, or other personal information
- Requests to update payment information
Note: Go to Your Account and select Payment options. If you aren't prompted to update your payment method on that screen, the message isn't from Amazon.
- Links to websites that look like Amazon.com, but aren't Amazon
- Attachments or prompts to install software on your computer
- Typos or grammatical errors
- Forged email addresses to make it look like the email is coming from Amazon.com
Note: If the "from" line of the email contains an Internet Service Provider (ISP) other than @amazon.com, then it's a fraudulent email.
Amazon will never send you an unsolicited email that asks you to provide sensitive personal information like your social security number, tax ID, bank account number, credit card information, ID questions like your mother's maiden name or your password. If you receive a suspicious email, report it immediately. Further details for reporting scams or spoofing attacks to Amazon can be found here.
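Amazon's checklist can be turned into an automated triage check for a mail gateway or helpdesk queue. The script below is an added example, not MailGuard's or Amazon's code: it parses a constructed sample message (the sender and tracking domains are placeholders) and reports a display name that claims Amazon from a non-amazon.com address, links whose visible text says amazon.com but resolve elsewhere, and the "verify your email" lure wording.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("amazon.com",)
LURE_PHRASES = ("verifying your email", "verify your account", "update your account")

def is_trusted_host(host: str) -> bool:
    """True only for amazon.com itself or a subdomain of it (not amazon.com.evil.example)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_sender(from_header: str) -> list[str]:
    """Flag a From header whose display name invokes Amazon but whose address does not."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if "amazon" in name.lower() and not is_trusted_host(domain):
        return [f"display name '{name}' but sender domain '{domain}' is not amazon.com"]
    return []

def check_links(html: str) -> list[str]:
    """Flag anchors whose visible text says Amazon while the href points to another host."""
    findings = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = urlparse(href).hostname
        if "amazon" in text.lower() and not is_trusted_host(host):
            findings.append(f"link text '{text.strip()}' resolves to host '{host}'")
    return findings

def check_lure(body: str) -> list[str]:
    """Flag the account-verification wording the campaign relies on."""
    lowered = body.lower()
    return [f"lure phrase: '{p}'" for p in LURE_PHRASES if p in lowered]

def phishing_indicators(raw_message: str) -> list[str]:
    """Run all three checks over one RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(errors="replace")
    return check_sender(msg.get("From", "")) + check_links(body) + check_lure(body)

# Constructed sample modelled on the campaign described above; domains are placeholders.
SAMPLE_EMAIL = """From: Amazon Support <news@bulk-mailer.example>
To: customer@example.net
Subject: Amazon - Your Order Has Been Cancelled
Content-Type: text/html; charset=utf-8

<p>Your recent order on AMAZON.COM has been cancelled due to fraudulent activity detected.</p>
<p>Activate your account by verifying your email address:
<a href="http://links.bulk-mailer.example/r/abc123">amazon.com/verify-my-account</a></p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("!", finding)
```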
One click is all it takes
Cybercriminals use email scams to steal sensitive personal information and valuable credentials. All criminals need to break into your business is a cleverly worded message. If they can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive email security.
Talk to an expert at MailGuard today about making your company's network secure: click here.
Stay up-to-date with new posts on the MailGuard Blog by subscribing to our email updates.