The latest Amazon phishing scam is just another illustration of why strong security is important.  Find out more about this scam and how you can protect your business.  

Amazon Phishing Scam

Amazon doesn’t want you or your business to call a number, provide a code, and verify your identity, and if you receive an email claiming that they do, you’re the target of a phishing scam. A phishing scam occurs when someone uses what might seem like legitimate phone calls or emails to get you — or someone in your organization — to respond with sensitive information.  If the scammer can trick you out of usernames, passwords or identifying information, they can engage in hacking, identity theft, and other cyber crimes.

The Risks of the Amazon Phishing Scam

The recent Amazon phishing scam, which is reaching inboxes in October 2017, is a prime example of a common fear tactic scammers use to target individuals and businesses.  The email warns you that someone tried to reset your password and asks you to call a number and provide a code when speaking to the customer service rep.  The number routes you to a non-Amazon call center where operators attempt to get you to provide information regarding your Amazon login.

Many businesses and individuals keep their payment card information stored on Amazon’s servers — along with data such as names, addresses, and phone numbers.  It’s convenient and makes it easy to order things quickly; SMBs might load a single payment card into the system and allow numerous people to purchase supplies via the account, for example.  If your Amazon account is breached, that means all that data is breached too.  It also means that hackers can use that information to potentially breach other accounts or your business network.

One of the dangers of the Amazon phishing email is that it looks quite authentic.  It includes Amazon’s logo, and it’s well written and sounds authoritative.  It even includes a short warning paragraph about phishing emails and tells you that Amazon won’t ever ask you to email your password to them.  It looks so legitimate that many people have already fallen for it.

Other Types of Phishing Schemes & How to Combat Them

The ability to pass as legitimate, even under some basic scrutiny, is making these types of phishing schemes more dangerous.  These schemes have targeted people with emails or phone calls purporting to come from agencies such as the IRS, numerous banks, various online retailers, and sites such as PayPal.  A common thread in phishing emails and calls is that they play on anxieties, worries, and fears that consumers and businesses already have.  Today, many people are already worried that their accounts may be hacked.  They’re already worried their money isn’t safe.  Businesses have to deal with potential cyber attacks and threats every day.  When you receive a seemingly legitimate email regarding a danger, your immediate reaction may be to jump into damage control.  Before you do anything, though, take a few minutes to do some research and consider the communication.

  • Conduct a quick Google search. In just a few minutes, you can see if anyone else is receiving these communications and if a known scam has been reported.
  • Look at the email address source. Some elaborate spoofs look like they originate from the internal network of the company in question, but some fakes are easier to spot.  For example, an email that looks like 2d8487!@paypalpal.com didn’t come from PayPal.
  • Hover over any links in the email without clicking on them to preview them. Do they go back to the agency in question, or a spoofed site?  It’s best not to click on links in these emails at all; you can always navigate to the site via your browser bar.
  • Call the agency’s customer service number (the one from their web page, not the one in the email) to find out if the email is legitimate.
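The sender-address and link checks in the list above can be automated. The script below is an added example, not code from the original post; the sample message, the brand allowlist and the two-label "registered domain" rule are constructed assumptions (the rule does not handle suffixes such as co.uk).

```python
import email
from email import policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the domains each brand really sends from and links to.
BRAND_DOMAINS = {"paypal.com": {"paypal.com"}, "amazon.com": {"amazon.com"}}

def registered_domain(host):
    """Reduce 'mail.paypalpal.com' to 'paypalpal.com' (naive last-two-labels rule)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect every href in the HTML body, i.e. what 'hovering' would reveal."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)

def check_message(raw, claimed_brand):
    """Return findings explaining why the message does not match the brand it claims."""
    allowed = BRAND_DOMAINS[claimed_brand]
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = utils.parseaddr(str(msg["From"]))[1]          # address part only
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    if sender_domain not in allowed:
        findings.append(f"sender domain {sender_domain} is not {claimed_brand}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href in collector.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) not in allowed:      # 'paypal.com.x.example' is not paypal.com
            findings.append(f"link {href} points at {host}, not {claimed_brand}")
    return findings

# Constructed sample message modelled on the look-alike address mentioned above.
SAMPLE = """From: PayPal Service <2d8487!@paypalpal.com>
To: accounts@example.com
Subject: Password reset attempt
Content-Type: text/html; charset=utf-8

<html><body><p>Someone tried to reset your password.</p>
<a href="http://paypal.com.verify-login.example/secure">Verify your account</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a></body></html>
"""
```

Run `check_message(SAMPLE, "paypal.com")` to get one finding for the sender domain and one for the first link; the genuine help-center link produces none.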

Protecting Your Business Against Phishing Scams

Procedure and training are two of the best ways to protect your business from damage associated with phishing scams.  First, create a procedure for responding to any of these types of emails.  Put someone, such as internal IT staff or an administrative assistant, in charge of receiving reports of these emails or phone calls and doing the research to determine what type of response is needed.  That person will begin to recognize phishing scams and may even see the same ones repeatedly, and they can assure other staff that there is no real threat and no response required.

You should also train your entire staff on good password and security protocol.  Requiring staff to change passwords every 60 to 90 days across all sites, platforms, and tools helps reduce the chance that a successful phish endangers all of your accounts or networks.  Some tips for strong password management include:

  • Don’t use the same password for multiple platforms, sites, and tools
  • Don’t use words or easy strings of text or numbers (such as ABC or 123) in passwords
  • Passwords should be at least 8 characters — longer passwords are better than shorter passwords
  • Passwords should incorporate letters, numbers, and symbols when possible
  • Workers should not share passwords or write them down
  • If your company relies on saved login sessions (cookies) or password storage software, consider requiring multiple forms of authentication on machine and network login screens

By engaging in proactive cybersecurity, you can reduce the risks your business faces from phishing scams.