Turns out Amazon Prime Day was a prime time for scammers as well as shoppers. So, while you were fishing for that great deal on Echo Dot and Fire TV Stick, scammers were “phishing” for your login credentials and personal data.
This month’s news about the Amazon phishing scam proves that phishing emails continue to infiltrate consumer inboxes.
According to recent reports, threat actors were using a modified version of the 16Shop phishing kit to target Amazon customers earlier this month, right before the two-day shopping event for Amazon Prime members. It is unclear how many shoppers fell for the phishing scam.
In order to hook gullible users, scammers sent out emails with a PDF attachment that directed recipients to a fake Amazon login page.
The tactic adopted is not novel, as far as phishing scams go, but it is effective.
If an unsuspecting customer fell for the scam and filled in the information requested, scammers would have access to their Amazon login credentials, name, credit card details, birthday and social security number. Let’s say it’s a user with poor ‘cyber hygiene’ who reuses their Amazon password for other accounts — that’s what cybercriminals want.
The same phishing kit was previously used to target Apple users in the U.S. and Japan last November.
Amazon and Apple are appealing targets because threat actors can easily sell their gift cards, said Bryce Austin, CEO at cybersecurity consulting firm TCE Strategy.
“If you can get into someone's account and just start buying gift cards, you can sell them at a very good price on the black market.”
Austin’s word of advice: Do not assume trust with anyone online.
Be on the alert for phishing scams
Phishing scams continue to plague businesses as well as consumers. According to the 2019 Webroot Threat Report, there was a 36 percent increase in the number of phishing attacks in 2018, compared to the year before.
Here’s some advice on how to avoid phishing scams:
- Set up MFA/2FA: Turn on multi-factor authentication (MFA) or two-factor authentication for important accounts to reduce the probability of account compromise. MFA adds a much-needed layer of security by requiring two or more factors of identification before a user is given access to an account, so a phished password alone is not enough to log in.
- Fortify your devices: Set all your devices (computers, smartphones and tablets) to auto-patch/auto-update. Install a strong antivirus program on your computer and keep it up to date. Deploying strong endpoint protection will also help catch malicious links for you.
- Password hygiene: Stop reusing passwords and refrain from setting up weak ones. A password manager program like Dashlane or LastPass can generate strong, unique passwords for your various accounts. Password managers also keep your passwords secure by storing them all in one encrypted vault that requires a single master password to retrieve them.
- Look before you click: While phishing emails have become quite sophisticated, be wary of emails that have bad grammar, misspellings, unfamiliar greetings, or that demand immediate action or attention. Refrain from clicking on links, opening attachments, or downloading files unless they are from a known sender.
- Fraud alert notifications: Set up alerts on your credit cards; almost all credit card companies will send you an alert, for free, if there is suspicious activity on your account.
- Credit freezes: Freeze your credit with the three big credit reporting agencies; this helps mitigate the damage in case of identity theft.
Finally, protect personal data with a combination of antivirus and backup, so that files can be recovered through point-in-time restore and automatic cloud backup if a device is compromised.
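As an added illustration (not code from the article or from any vendor named in it), this is the kind of check a mail-filtering or triage script can run on a PDF attachment like the one described above: pull the link targets out of the PDF and flag any that mention Amazon but do not resolve to a genuine Amazon domain. The PDF bytes are constructed for the example, the trusted-domain list and function names are assumptions, and the extractor only handles the literal-string /URI form, not hex strings or compressed object streams.

```python
import re
from urllib.parse import urlparse

# Assumption: domains Amazon actually uses for sign-in; adjust per region.
TRUSTED_SUFFIXES = ("amazon.com", "amazon.co.uk", "amazon.de", "amazon.co.jp")

# Matches the literal-string form of a PDF link annotation target: /URI (...)
_URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)

# Constructed sample: one genuine sign-in link, one look-alike host, one raw IP.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://www.amazon.com/ap/signin) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://amazon.com.account-verify.example/login) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://203.0.113.10/amazon/signin) >> >> endobj\n"
)


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI link target found in the raw PDF bytes."""
    return [m.group(1).decode("latin-1") for m in _URI_RE.finditer(pdf_bytes)]


def is_trusted_amazon_host(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one.
    'amazon.com.account-verify.example' fails: the trusted name must be
    the END of the hostname, not merely appear inside it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(pdf_bytes: bytes) -> list[str]:
    """Flag links whose URL mentions Amazon but whose host is not a trusted
    Amazon domain, plus any link that is not served over https."""
    flagged = []
    for url in extract_pdf_uris(pdf_bytes):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if "amazon" in url.lower() and not is_trusted_amazon_host(host):
            flagged.append(url)
        elif parsed.scheme != "https":
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_PDF):
        print("SUSPICIOUS:", link)
```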