This Amazon scam could trick even the most savvy shoppers


Cybercriminal groups are launching new scams designed to capitalize on shopping fever ahead of Black Friday and the holiday season, researchers have warned.

In a blog post, researchers from security firm Avanan described one such campaign, first launched last month, in which fraudsters spoofed Amazon order notification emails.

The objective of these imitation emails is to get the victim to place a call to a fake customer service number, at which point the scammers attempt to get the person to expose their credit card information.

“When you call the number, at first no one will answer. After a few hours, a call back will occur,” explained Avanan. “The person on the other line will say that, in order to cancel the invoice, they will need a credit card number and CVV.”

Amazon invoice scam

According to Avanan, the scammers are able to circumvent email security filters by including legitimate links in the body, which direct to the genuine Amazon website. While some phishing scams use fake landing pages to harvest credentials, in this case the genuine links give the message a more reliable path into inboxes and leave the victim with a false sense of security.

In addition to the theft of payment details, the scam doubles as a form of phone number harvesting, laying the foundations for future voicemail and text-based attacks.

“Once [attackers] obtain the phone number, they can carry out a series of attacks, whether through text messages or phone calls,” wrote the researchers. “Just one successful attack can lead to dozens of others.”

And this is just one relatively simple example. As a result of the global chip shortage and supply chain disruptions, shoppers are expected to make holiday season purchases earlier than ever this year, which will likely spawn a series of scams that aim to capitalize on the level of demand.

To shield against these kinds of attacks, shoppers are advised to interrogate the sender’s email address and the body of the message for anomalies that might betray a scam. Further, it’s sensible to avoid calling unfamiliar numbers unless they are also found on the retailer’s website, and avoid downloading unsolicited attachments that may contain malware.
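The checks above, together with the filter bypass Avanan describes (only genuine Amazon links in the body), can be turned into a simple mail-triage heuristic. The sketch below is an added example, not code from Avanan or Amazon; the sample messages, the finding names and the `BRAND_DOMAINS` list are constructed assumptions, and it assumes the spoofed message comes from a sender domain that is not the retailer's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "amazon"
BRAND_DOMAINS = {"amazon.com"}  # assumption: domains accepted as the retailer's own

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def registrable(host):
    # Crude "last two labels"; a production filter would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess(raw):
    """Return heuristic findings for one plain-text (non-multipart) message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    body = msg.get_payload()
    links = {registrable(urlparse(u).hostname or "") for u in URL_RE.findall(body)}
    phones = PHONE_RE.findall(URL_RE.sub(" ", body))  # ignore digits inside URLs
    claims_brand = BRAND in f"{display} {msg.get('Subject', '')} {body}".lower()
    foreign = claims_brand and sender not in BRAND_DOMAINS
    findings = []
    if foreign:
        findings.append("brand-claimed-by-foreign-sender")
    if foreign and phones:
        findings.append("callback-number-in-body")
    if foreign and links and links <= BRAND_DOMAINS:
        findings.append("only-genuine-brand-links")  # clean links do not clear the message
    return findings

# Constructed sample messages (not taken from the campaign).
SCAM = (
    'From: "Amazon Orders" <billing@notify-example.test>\n'
    "Subject: Your Amazon order #A-10442 has shipped\n\n"
    "Total charged: $1,499.00\n"
    "View order: https://www.amazon.com/gp/css/order-history\n"
    "To cancel this invoice call +1 (800) 555-0199\n"
)
GENUINE = (
    'From: "Amazon.com" <orders@amazon.com>\n'
    "Subject: Your Amazon order has shipped\n\n"
    "View order: https://www.amazon.com/gp/css/order-history\n"
)
if __name__ == "__main__":
    print(assess(SCAM), assess(GENUINE))
```

The heuristic reads only the visible From header, which can itself be forged, so a real filter would combine it with SPF, DKIM and DMARC results.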


Joel Khalili
News and Features Editor
