Amazon Prime Day - Beware of Phishing Deluge, Experts Warn

Security experts have warned online shoppers to beware of scam emails and texts over the next couple of days as the Amazon Prime Day e-commerce bonanza gets underway.

The 48-hour sales event for Prime subscribers is said to be an even bigger money-maker for Amazon than Black Friday and Cyber Monday combined.

However, where there is money and consumers, cyber-criminals are usually not far away, warned Charles Brook, a threat intelligence researcher at Tessian.

“The most common tactic will be for scammers to impersonate Amazon in phishing emails, luring consumers with ‘too good to be true’ deals or prize offerings to encourage them into clicking malicious links or entering their details into fake websites,” he explained.

Tessian detected a 133% increase in phishing emails related to Amazon Prime Day or Amazon Store on the second day of the event last year, compared to a normal daily average for the month.

“Another common technique is to impersonate logistics or delivery companies in text message scams, asking consumers to click a link to confirm delivery details, track orders or reroute packages,” continued Brook.

“If you’ve just bought something in the sales, it wouldn’t seem unusual to receive a message like this. But these scams are designed to harvest financial information or account credentials which can be used to access other online accounts.”

The scams may continue even after the event itself has wound down, Tessian warned.

On October 15, 2020, the day after last year's Prime Day sales, Tessian saw a 160% increase in the number of phishing emails citing “Amazon” and “Amazon Prime Day” compared to the daily average for October 2020.

Subject lines tended to include order confirmations, invoices, package delivery updates and messages from ‘customer support.’

Tessian urged shoppers not to click on Prime Day links in unsolicited emails and double-check senders’ email addresses rather than their display names.

“Scammers take advantage of the fact that, on mobile, emails only show a display name which makes it easier for a bad actor to impersonate Amazon and send a message from an unknown email address,” it said.

Consumers should also refrain from clicking on links in unsolicited text messages and check first with the company that sent them. Spelling and grammatical mistakes and deals which seem too good to be true are also tell-tale signs of potential fraud.
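The advice to check the sender's address rather than the display name can also be applied automatically by a mail filter. The Python below is an added example, not code from Tessian or from this article; the brand-to-domain allowlist, the function names and the sample From headers are constructed assumptions.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: brand keyword -> domains treated as legitimate senders for it.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}


def sender_domain(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    _, at, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if at else ""


def domain_matches(domain, allowed):
    """True only for an allowed domain or a true subdomain of one.

    A suffix test anchored on '.' rejects look-alikes such as
    'amazon.com.account-verify.example'.
    """
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_from_header(raw_from, brands=BRAND_DOMAINS):
    """Classify a From header as 'impersonation', 'consistent' or 'no-brand'."""
    display, address = parseaddr(raw_from)
    # Display names may be RFC 2047 encoded; decode before keyword matching.
    display = str(make_header(decode_header(display))).lower()
    domain = sender_domain(address)
    for keyword, allowed in brands.items():
        if keyword in display:
            if domain_matches(domain, allowed):
                return "consistent"
            return "impersonation"
    return "no-brand"


# Constructed sample headers (not taken from real messages).
SAMPLES = [
    "Amazon Prime Day <deals@amazon.com>",
    "Amazon Orders <noreply@mail.amazon.co.uk>",
    '"Amazon Customer Support" <support@amazon.com.account-verify.example>',
    "=?utf-8?b?QW1hem9uIFByaW1l?= <billing@mail.example.net>",
    "Jane Doe <jane@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from_header(header):14} {header}")
```

A "consistent" result only means the display name and address agree; it does not show the message is authentic, since the From address itself can be forged without SPF, DKIM and DMARC enforcement.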
