This phishing attack takes brand impersonation to the next level. Not only has it baited victims with spoofed Amazon orders, it has also produced Amazon customer care agents ‘out of thin air’. No, it is not sorcery, it is simply a multistage phishing campaign. A very clever one at that.
How are spoofed Amazon orders tricking victims?
Over the past decade, hackers have learned to press where it hurts, be it the ongoing Covid-19 pandemic or the promise of an award when you desperately need it. Phishing campaigns have started exploiting avenues where people are more likely to react emotionally and without caution.
True to the swish of its logo, Amazon literally has every item from A to Z. Shoppers all over the world have started depending on Amazon for every need, from groceries to fashion to electronics. People have gotten accustomed to receiving notifications on order statuses, discounts, festivals, and payments.
That is why hackers have now impersonated Amazon, by spoofing order notification emails.
So, this is how the scam works. The victim gets an email saying that their (fraudulent) order has a cart total of more than $300. The victim gets alarmed because they haven’t placed the order. To rectify the situation, they try to get in touch with Amazon customer care. Very conveniently, there’s a customer service number with a South Carolina area code right in the email body. But the customer care representative doesn’t respond the first time the victim calls.
The hacker calls back in a few hours – from India – and poses as a customer care representative. They tell the victim that they need credit card details and the CVV number to cancel the invoice. This second stage in the attack – scamming over voice call – actually increases the odds for the hackers, because whether or not they succeed in duping the victim out of their ATM card details, they at least get an additional phone number which they can retarget with another attack.
Also, when the victim calls the phony number, they are calling in a heightened state of panic, which means there’s a higher probability that the hacker will ‘convert’ this potential victim into a sure-fire one. Although awareness of cyber scams is growing among general citizens, the voice call helps dissolve any doubt they may have that they are dealing with a spoofer rather than the real Amazon.
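The lure described above combines three traits a mail filter can check: an Amazon-branded message from a non-Amazon sender, a phone number the reader is told to call, and a high order total. The sketch below is an added example, not part of the original post or of any product; the trusted-domain list, the $300 threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: which sender domains count as genuine, and the alarm threshold.
TRUSTED_DOMAINS = {"amazon.com"}
HIGH_VALUE = 300.0
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")
CALL_RE = re.compile(r"\b(call|contact|dial|customer (care|service))\b", re.I)

# Constructed sample messages (fictional sender domain and 555 phone number).
PHISH = (
    "From: Amazon Orders <billing@order-alerts.example>\n"
    "Subject: Your Amazon order has been placed\n\n"
    "Order total: $349.99. If you did not place this order,\n"
    "call customer care at (803) 555-0142.\n")
BENIGN = (
    "From: Amazon <auto-confirm@amazon.com>\n"
    "Subject: Your Amazon order has shipped\n\n"
    "Order total: $24.50. Track your package in Your Orders.\n")

def body_text(msg):
    """Return the first text/plain part, or the payload of a simple message."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode(errors="replace")
        return ""
    return msg.get_payload()

def callback_phish_signals(raw_email):
    """List the traits of the spoofed-order lure found in one raw message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = body_text(msg)
    claims_amazon = "amazon" in (display + msg.get("Subject", "") + body).lower()
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)
    signals = []
    if claims_amazon and not trusted:
        signals.append("brand_mismatch")      # brand name, wrong sender domain
    if PHONE_RE.search(body) and CALL_RE.search(body):
        signals.append("callback_number")     # reader is pushed to phone in
    amounts = [float(a.replace(",", "")) for a in AMOUNT_RE.findall(body)]
    if any(a > HIGH_VALUE for a in amounts):
        signals.append("high_value_order")    # total chosen to cause alarm
    return signals
```

A message that raises all three signals is a strong candidate for quarantine or a warning banner; any single signal on its own also appears in legitimate mail.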
But now that you have read this blog, you know better!
Yes, having a high awareness about such phishing techniques is definitely an advantage. But you have bigger fish to fry: running a successful business. Why not automate your email security with Logix Cloud Email ATP? An intuitive and intelligent email scanning tool that will help keep any and all phishing emails away from your inbox. We guarantee a 99.99% uptime, and assure protection against all major known and unknown threats.