Amazon.com Help: About Phishing
About Identifying Whether an E-mail is from Amazon
E-mails from Amazon will never ask you for personal information. If you receive a suspicious (sometimes called phishing) e-mail, here are some tips to determine if it's an e-mail from Amazon.
If you received correspondence regarding an order you didn't place, it likely wasn't from Amazon.co.uk. Please send the e-mail as an attachment to stop-spoofing@amazon.com. If you are reporting a suspicious URL, put it in the body of the e-mail and send it to stop-spoofing@amazon.com. For more information, go to
To help identify phishing e-mails and for tips on safe online shopping, see our short Help Video:
Examples of what to look out for if you suspect a Spoof or Phishing email are:
- An order confirmation for an item you didn't purchase, or an attachment to what looks like an order confirmation.
  Note: Go to Your Orders to see if there's an order that matches the details in the e-mail. If it doesn't match an order, the message isn't from Amazon. Amazon never includes attachments in order confirmation e-mails.
- Requests for your Amazon.co.uk username and/or password, or other personal information. Personal information includes things like your National Insurance number, your credit card number, PIN or credit card security code, or your security question answer (e.g. your mother's maiden name).
  Note: Amazon will never ask for personal information to be supplied by e-mail.
- Requests to update payment information through a link in the e-mail. E-mails from Amazon will never ask you to update payment information via a link. Instead, we would include instructions on how to verify your account information, including payment options, through the Amazon.co.uk website.
  Note: Go to Your Account and click Manage Payment Options in the Payments section. If you aren't prompted to update your payment method on that screen, the message isn't from Amazon.
- Links to websites that look like Amazon.co.uk, but aren't Amazon.
  Note: Legitimate sites have a dot immediately before "amazon.co.uk", such as http://"something".amazon.co.uk (usually "www"). Please note that the legitimate site for Amazon Pay is pay.amazon.com/uk. We'll never send e-mails with links to an IP address (a string of numbers), such as "http://123.456.789.123/amazon.co.uk/".
- Attachments or prompts to install software on your computer.
- Typos or grammatical errors. Many phishing e-mails are translated from other languages or are sent without being proof-read, so these messages often contain bad grammar or typographical errors.
- Forged e-mail addresses that make it look like the e-mail is coming from Amazon.co.uk.
  Note: If the "from" line of the e-mail shows a sender domain other than @amazon.co.uk, then it's a fraudulent e-mail.
Reporting a Phishing or Spoofed Email:
If you suspect that you have received a Phishing or Spoofed Email, please refer to Report a Phishing or Spoofed Email for guidance on how to report this.
If you have clicked on a Phishing or Spoofed email and are concerned that your account information may be at risk, please refer to Protect Your Account for guidance.
Email sextortion scams are on the rise, and they're scary
"You can panic," reads the subject line of one fake sextortion email.
Another has a victim's real password in the subject line, in an attempt to establish authenticity.
These low-tech frauds spiked in 2018, according to the FBI's Internet Crime Complaint Center (IC3), netting millions for scammers.
Last year, electronic extortion complaints rose 242% to 51,146 reported crimes, with total losses of $83 million.
While the FBI does not break out sextortion from the total number of extortion crimes reported, a spokesperson told CNBC, "The majority of extortion complaints received in 2018 were part of a sextortion campaign in which victims received an email threatening to send a pornographic video of them or other compromising information to family, friends, coworkers, or social network contacts if a ransom was not paid."
The advice from experts: Don't fall for it.
"They play on our basest levels of psychology," said Priya Sopori, a partner at the law firm of Greenberg Glusker and a former assistant U.S. attorney who prosecuted cybercrimes, including sextortion.
"You will read personalization into any generic statement. And if you believe that there are hackers out there that know every aspect of your life, and maybe they even know your life better than you do, you might actually pay even if you've done nothing at all."
The power of shame
While there are examples of real sextortion, especially involving the theft of real nude photos or videos, hoax sextortion emails have no basis in reality.
Scammers send these emails out as form letters. They include claims about supposed improprieties, often including claims that the sender has evidence of your affairs, has hacked your webcam to take damning photos or videos of you or has evidence of pornographic material you've viewed.
Here's a sample letter, courtesy of antivirus software company Malwarebytes, which researches this and other scams:
I am well aware [REDACTED] is your pass words. Lets get right to point. Neither anyone has paid me to investigate you. You may not know me and you are probably thinking why you're getting this e-mail?
Actually, i installed a software on the adult videos (pornographic material) web-site and do you know what, you visited this website to have fun (you know what i mean). While you were viewing videos, your web browser began working as a Remote Desktop that has a keylogger which gave me accessibility to your display and also cam. Just after that, my software gathered every one of your contacts from your Messenger, Facebook, as well as email. after that i created a double video. 1st part displays the video you were viewing (you've got a nice taste haha), and next part shows the recording of your cam, yeah its you.
You have not one but two choices. Shall we read up on these options in aspects:
First alternative is to just ignore this message. in such a case, i am going to send out your actual video to every single one of your personal contacts and think regarding the awkwardness you will definitely get. and definitely if you happen to be in a loving relationship, how it would affect?
Number 2 solution is to pay me $889. Lets name it as a donation. in this situation, i most certainly will asap remove your video footage. You could carry on daily life like this never occurred and you surely will never hear back again from me.
"First, have a healthy level of skepticism," said Malwarebytes CEO Marcin Kleczynski.
"Then, remember, they almost certainly haven't been recording you or have access to this type of information, if it even exists."
His company has looked at bitcoin wallets associated with criminals perpetrating these schemes, Kleczynski said, where criminals ask victims to send what are often unusual sums -- $514, $607 and $618 in three recent examples. Apparently they spark enough panic to net the criminals $10,000 to $20,000 per week, according to Malwarebytes research.
"There is an incredibly low barrier of entry here. It's a commodity attack," he said. Criminals don't need any hacking skills at all to pull off sextortion. They can simply rely on leaked email addresses stolen from huge companies and email providers in the last decade.
The Social Engineering Framework
The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.
Attack Vectors
We define phishing as the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information,” (Hadnagy & Fincher 2).
According to the 2018 Verizon Data Breach Report, an estimated 98% of social attacks are phishing or pretexting, and 96% of social attacks involve email. Phishing can involve an attachment within an email that loads malware onto a computer, or a link to an illegitimate website that tricks an individual into handing over personal information. There are many different forms of attack commonly used via phishing. We have highlighted several, but this is by no means a complete list. Also remember that one key to phishing is for the attacker to appear to be something or someone they are not, which ties into the topic of impersonation as well.
NOTICE: This information should never be used to perform illegal acts! We discuss these details to help organizations think offensively about possible social engineering attacks and to help mitigate against these attacks.
URL and Email Manipulation
One reason why phishing schemes work so well is that people tend to trust messages that appear to come from an important entity or one that appears legitimate. The attacker can easily manipulate a URL to look very close to a well-known brand, fooling the victim into clicking on it. For example, when a user scans over a URL like http://www.company.com, it looks almost identical to http://www.cornpany.com if the font is right. Another example would be a slight difference that still looks legitimate, such as support.amazon.com versus the more dangerous support-amazon.com. Chances are slim that the average user would be able to determine which is safe. By purchasing a domain that closely resembles the legitimate URL, the attacker sets up an email account and spoofs the website with very little time or effort involved.
Phish can get even more confusing when you are checking your email on the tiny screen of a smartphone or other mobile device, because you can’t hover over a link (to see where it goes) or see the whole email address of the sender. Criminals are smart and have figured out a few ways around those common safety tips, but there are still plenty who simply count on you not performing these simple checks; given the number of people who check their email on their phone, they are often right.
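As an added defender-side example (not code from Amazon's help page above or from the Social Engineering Framework), the following Python encodes the link and sender rules from the Amazon help text (a dot directly before the brand domain, no IP-address links, sender domain must be the brand's own) together with the look-alike cases from this section (support-amazon.com, cornpany.com). The allow-list of legitimate domains and the confusable-character table are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a defender-maintained allow-list of the brand's registered
# domains (illustrative, not Amazon's actual list).
LEGIT_DOMAINS = ("amazon.co.uk", "amazon.com", "company.com")

# Visually confusable sequences mapped to the letter they imitate ("rn" -> "m").
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))

def _hostname(url: str) -> str:
    """Lower-cased host of a URL; a missing scheme is assumed to be http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def _looks_like_ip(host: str) -> bool:
    """True for any IP literal, including dotted quads that are not valid IPs
    (the page's "123.456.789.123" example still reads as an address)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return re.fullmatch(r"[0-9]+(\.[0-9]+){3}", host) is not None

def _normalise(label: str) -> str:
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label

def classify_link(url: str, legit=LEGIT_DOMAINS) -> str:
    """Return 'legitimate', 'ip-literal', 'lookalike' or 'unknown' for a link."""
    host = _hostname(url)
    if not host:
        return "unknown"
    if _looks_like_ip(host):
        return "ip-literal"
    for dom in legit:
        # The help page's rule: the real site is the domain itself or
        # "<something>.<domain>", i.e. a dot immediately before the brand domain.
        if host == dom or host.endswith("." + dom):
            return "legitimate"
    # Split on dots *and* hyphens so support-amazon.com and amazon.co.uk.evil.net
    # both expose the brand label; normalise confusables so cornpany -> company.
    labels = {_normalise(part) for part in re.split(r"[.-]", host)}
    if any(dom.split(".")[0] in labels for dom in legit):
        return "lookalike"
    return "unknown"

def check_sender(from_header: str, legit=LEGIT_DOMAINS) -> bool:
    """True only if the From address's domain is exactly a legitimate domain
    (the display name before '<' is ignored, since it is trivially forged)."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip().lower()
    return addr.rpartition("@")[2] in legit

if __name__ == "__main__":
    # Constructed sample links and sender, not taken from a real message.
    for u in ("http://www.amazon.co.uk/", "http://123.456.789.123/amazon.co.uk/",
              "http://support-amazon.com/", "http://www.cornpany.com"):
        print(u, "->", classify_link(u))
    print(check_sender("Amazon <security@amazon.co.uk>"))
```

The brand-label match is deliberately broad: any host that merely contains the brand as a dot- or hyphen-separated label, such as amazon.co.uk.example.net, is reported as a look-alike rather than unknown.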
Common Phishing Vectors
We’ve outlined four common phishing vectors, which we will explore in more depth. They are:
- Current Events and Charities
- Tech Support
- Financial
- Government
Current Events and Charities
Often attackers will take advantage of natural disasters, large public events, holidays, or even massive data breaches to phish large groups of targets for information. An example of this is the 2017 Equifax data breach. Shortly after the breach, the Better Business Bureau (BBB) issued an alert that scammers had created 194 phishing websites just one day after the breach and the launch of legitimate help websites. The BBB also warned about phishing emails requesting verification of transactions or asking recipients to check their account status.
Another example took place after the devastating Woolsey and Camp fires in California that left countless families homeless and grief-stricken. Attackers were quick to take advantage of this distressing tragedy. Agari issued an alert warning that criminals were specifically targeting workplaces. Posing as the targeted enterprise’s CEO, the attackers sent emails to employees in accounting, finance, or administration with instructions to purchase gift cards, purportedly to provide financial assistance for clients who were fire victims.
These scams are not limited to email; you might see them on Twitter or by text/SMS as well. For more information on that, see SMiShing.
Tech Support
Impersonating tech support is an example of a classic attack vector that hasn’t changed much over time because it still works. The ubiquitous Microsoft tech support scam has been making the rounds in Indiana, USA. As reported by RTV6, a work-at-home senior received a pop-up message on her computer saying Microsoft had locked her computer due to malware and spyware. Her reaction? She panicked. “I was just like ‘let’s get this taken care of so I can work.’” In another report, a woman lost over $30,000 because of the Microsoft tech support scam.
Financial
Posing as a financial institution is a common tactic of malicious attackers. Criminals may not know what bank you use, but they do know that if they send out a round of emails posing as one of the well-known banks, the probability that it happens to be your bank is pretty high. In some cases, they might know that it’s your bank and have your name or even address to include in the email. All they need you to do is click that link or sometimes even open an attachment.
A phishing campaign impersonating Bank of America was recently spotted. Small to medium sized businesses appear to be the primary target. Some of the email subject lines are “Notice Concerning your CardMember Account”, “Reminder – We’ve issued a security concern (Action Required)”, and “REMINDER: A concern that requires your action.” The recipient is prompted to open an attached HTML phishing form requesting online account credentials, card number, security code, expiration date, mother’s maiden name, mother’s birth date, birth year, first elementary school name, and security pin.
Government
Phishing emails and ransomware can look like they come from government agencies such as the IRS or law enforcement agencies.
Criminals have posed as the IRS frequently enough to warrant the IRS setting up its own page to report such scams, which includes some great safety tips on how to avoid being defrauded. In one tax scam currently making the rounds, attackers pretend to be from “IRS Online” and send emails with an attachment labeled “Tax Account Transcript.” When the attachment is opened, malware is unleashed. In another tax scam, attackers send phishing emails with the instruction to “update your IRS e-file immediately.” When the intended victim clicks the link, they are taken to a fake website that spoofs the official IRS website.
Ransomware
Criminals are also targeting municipal governments with ransomware, holding data and/or systems hostage and bringing city operations to a standstill. Such was the case in Del Rio, Texas, after a ransomware attack effectively shut down City Hall servers.
Spear Phishing
Due to the success of phishing attacks, malicious phishers have developed a refined technique known as spear phishing. A spear phishing email is far more targeted than a general phishing email. Instead of sending out thousands of emails randomly hoping a few victims will bite, spear phishers target higher profile people who have access to something the attacker wants. Often attackers will spend some time conducting OSINT to craft an email that specifically caters to the recipient’s job, personal situation or preferences. Spear phishing emails leverage a certain level of information about an individual that makes the phish very difficult to detect or resist.
The pervasive use of social media has provided a gold mine of personal data to be used by attackers. Because of our culture of sharing, individuals are equipping attackers with all the information they need without realizing it. The tiniest bit of information, sometimes even apparent in profile pictures, can put the attacker on track to creating a solid phish.
A spear phishing campaign that is making the rounds specifically targets HR employees. In one example reported by VadeSecure, an HR director in the construction industry was targeted. Posing as the COO, the criminal initiated contact with the HR director. The request? The “COO” wants to make changes to his Payroll Direct Deposit Account. By posing as the COO, the attacker is hoping for two things: the HR director will feel pressure to respond quickly, and there will be a higher payout.
Whaling
Whaling is a highly targeted attack vector that is designed to strike at an organization’s “big phish.” A big phish is a high-value individual whose credentials or access to resources, if compromised, could endanger the entire business. Whaling attacks typically select targets specifically because of their position within the organization. Similar to spear phishing, these attacks can be more difficult to detect because of their stealth and because they are generally sent on a one-time basis. Because the target is so high value, it’s important for the attacker to do their research on the intended target in order to identify possible interests to craft the right phish. Prime whaling targets include senior executives, high-level officials in private businesses, or even those with privileged access to government (or top secret) information.
The City Treasurer of Ottawa, Marian Simulik, became a victim of a whaling attack. On July 6, 2018, she received the following email, purportedly from her boss, city manager Steve Kanellakos, and approved the transfer of funds.
“Okay, I want you to take care of this for me personally, I have just been informed that we have had an offer accepted by a new international vendor, to complete an acquisition that I Have been negotiating privately for some time now, in line with the terms agreed, we will need to make a down payment of 30% of their total, Which will be $97,797.20. An announcement is currently being drafted and will be announced next week, once the deal has been executed, for now I don’t want to go into any more details. Until we are in a position to formally announce the Acquisition I do not want you discussing it with anybody in the office, any question please email me. Can you confirm if international wire transfer can go out this morning?”
Penetration Testers and Social Engineers
Phishing is a well-used social engineering attack vector for penetration testers (or pentesters). Penetration testers employ these methods without the malicious intent, to show a company how devastating these attacks can be. Many companies will spend thousands of dollars on IDS systems, firewalls and other protection devices to monitor the network, but one skilled phishing attack can lead to total devastation in a company without any technical hacks being employed.
Pentesters primarily use phishing for three different purposes. The first is as part of a pentest, which usually leads to a controlled compromise of the organization’s digital or human network; any vulnerabilities are then reported in detail to allow the organization to harden its security. The second is as part of a year-round security awareness program focused on educating users on the different levels of phishing. The third is to set a baseline for assessing user susceptibility to phishing attacks and to justify future training on the topic.
Reference:
Hadnagy, Christopher, and Michele Fincher. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails. Indianapolis: John Wiley & Sons, 2015. Print.
Your Amazon.com Password Has Been Changed
I received an email the other day with the subject line “Your Amazon.com password has been changed”. This is the sort of email that I don’t like to get because it’s typically either SPAM or represents a problem. In this case, it represented a BIG problem.
After I’d determined that this email WAS in fact from Amazon.com and not some phishing scam, I read through the body of the email and was taken aback:
Hello Greg Bellan,
This is an important message from Amazon.com
At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. So we have taken the precaution of resetting your Amazon.com password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your Amazon account.
The email went on to tell me how to update my password and re-secure my account. I appreciated Amazon proactively reaching out to its customers, especially since this is an email address that I rarely use for that account.
Another Security Breach?
I didn’t think anything of this until I received an eerily similar email from the Internet Movie Database a few days later.
Subject: Your IMDb password has been changed
This is an important message from IMDb.com
At IMDb we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not IMDb-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. So we have taken the precaution of resetting your IMDb.com password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your IMDb account.
Needless to say, I went through similar steps to update my password on IMDb and realized just how linked Amazon and IMDb are... not that that’s necessarily a bad thing. While I was going through the reset process with IMDb, I ran across this page that talks about Upcoming changes to IMDb login process.
The Bottom Line
If you’re a user of either Amazon.com or IMDb.com, I’d suggest you go and update your passwords immediately. There have been several high profile security breaches recently (Target, Home Depot, iCloud, etc.) and you need to make sure you take the necessary steps to secure your information.
Have you received a similar security email recently? Let us hear from you!