In a report published last week, cyber security firm Armorblox discovered two email scams that spoofed Amazon in an attempt to capture victims’ credit card details.
The attackers use a technique known as ‘vishing’ (voice phishing) – in which they direct the email’s recipients to call a phone number and continue the fraud over the phone.
Bogus order confirmation scam
The first campaign begins with an email replicating Amazon’s automated order confirmation email. It uses the same layout as those emails, with the greeting styled in a larger font and orange text, and accompanied by a graphic containing the order details.
The message contains other information to make it look believable, such as an invoice and invoice number, as well as a button to manage the order.
Meanwhile, the email is signed from the “AMAZ0N TEAM” with a zero instead of the letter O. Armorblox notes that this is a “simple but effective technique used by attackers to slip past any deterministic filters or blocklists that check for brand names being impersonated”.
A closer look at the email, however, reveals that something is amiss. For a start, the recipient should recognise that they didn’t make such a purchase – which in this case is a 77-inch television that costs almost $900 (about €730).
As soon as they see the purchase that they’ve supposedly been charged for, they will likely take action. For some, this means clicking “View of manage order” – although this is a decoy; the button is simply an image file with no URL.
If anyone tries to click and realises this, it should be a huge red flag. However, it’s possible that they won’t think this clearly given the surprising nature of the email, or that they’ll go directly to the phone number provided.
This is the goal for the attackers. When the recipient calls the number, someone answers pretending to be from Amazon. They ask for the order number, before probing for the person’s name and credit card details.
If the victim is under the impression that they’re talking to an actual Amazon employee, there’s no reason not to provide this information. They will only learn of their error when the attacker starts to make purchases using their details, by which point the damage has already been done.
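Two of the signals described above lend themselves to automated triage: a brand name that only matches once look-alike characters such as the zero in “AMAZ0N” are normalised, and a call-to-action that is a bare image with no link while a phone number is the only way to “act”. The following Python is an added example written for this page; it is not the Armorblox tooling or any product’s code. The sample messages, the homoglyph table and the threshold logic are constructed for illustration, and the phone-number pattern assumes North American formatting.

```python
import re

# Constructed look-alike table: characters commonly swapped into brand names to
# dodge exact-match blocklists. Production code would use a full confusables
# list (e.g. Unicode TR39) rather than this hand-picked subset.
_HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "|": "l",
    "\u0430": "a", "\u043e": "o", "\u0435": "e",  # Cyrillic а, о, е
})

# North American phone shapes such as (555) 010-0199 or 555.010.0199 (assumption).
_PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
_ANCHOR_RE = re.compile(r"<a\b[^>]*>.*?</a>", re.I | re.S)
_IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
_CTA_WORDS = re.compile(r"order|manage|view|refund|invoice|track", re.I)


def fold_homoglyphs(text: str) -> str:
    """Lower-case the text and map look-alike characters to plain ASCII letters."""
    return text.casefold().translate(_HOMOGLYPHS)


def impersonated_brands(text: str, brands) -> dict:
    """Return {brand: 'exact' | 'obfuscated'} for each brand present.

    'obfuscated' means the brand only appears after folding, i.e. the AMAZ0N
    case that a deterministic string match on 'amazon' never sees.
    """
    lowered = text.casefold()
    folded = fold_homoglyphs(text)
    hits = {}
    for brand in brands:
        b = brand.casefold()
        if b in lowered:
            hits[brand] = "exact"
        elif b in folded:
            hits[brand] = "obfuscated"
    return hits


def unlinked_cta_images(body: str) -> list:
    """Alt texts of button-like images that sit outside any <a> element.

    A decoy button that is just an image with no URL leaves the recipient
    nothing to click, which steers them towards the phone number instead.
    """
    without_links = _ANCHOR_RE.sub("", body)
    found = []
    for tag in _IMG_RE.findall(without_links):
        alt = re.search(r'alt="([^"]*)"', tag, re.I)
        if alt and _CTA_WORDS.search(alt.group(1)):
            found.append(alt.group(1))
    return found


def analyse_email(raw: str, brands=("amazon",)) -> dict:
    """Combine the signals into one verdict for a raw message (headers + HTML body)."""
    headers, _, body = raw.partition("\n\n")
    text = re.sub(r"<[^>]+>", " ", body)  # tag-stripped body for text checks
    brand_hits = impersonated_brands(headers + " " + text, brands)
    phones = _PHONE_RE.findall(text)
    has_links = bool(re.search(r"<a\b[^>]*\bhref=", body, re.I))
    dead_ctas = unlinked_cta_images(body)

    indicators = []
    if any(v == "obfuscated" for v in brand_hits.values()):
        indicators.append("obfuscated_brand")
    if phones:
        indicators.append("phone_number_present")
    if not has_links:
        indicators.append("no_clickable_links")
    if dead_ctas:
        indicators.append("image_button_without_link")

    # Brand lure + phone number + nothing real to click is the vishing shape:
    # the email exists only to move the victim onto a phone call.
    if brand_hits and phones and ("no_clickable_links" in indicators or dead_ctas):
        verdict = "likely vishing lure"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "no vishing indicators"
    return {"brands": brand_hits, "phone_numbers": phones,
            "indicators": indicators, "verdict": verdict}


# Constructed sample modelled on the campaign described in the text; not the real message.
SAMPLE_LURE = """\
From: "AMAZ0N TEAM" <orders@sender.example>
Subject: Your order has been confirmed

<html><body>
<p style="color:#f90;font-size:20px">Hello,</p>
<p>Thank you for shopping with us. Invoice INV-2048-1173 is attached.</p>
<img src="cid:order.png" alt="View or manage your order">
<p>Not you? Call our order desk at (555) 010-0199 within 24 hours.</p>
<p>AMAZ0N TEAM</p>
</body></html>
"""

# Constructed benign receipt for comparison: a real link and no phone number.
SAMPLE_BENIGN = """\
From: "Example Shop" <orders@shop.example>
Subject: Your receipt

<html><body>
<p>Thanks for your order. <a href="https://shop.example/orders/1">View order</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, analyse_email(sample))
```

The folding step is the part most mail filters lack: it turns a brand check from an exact string match into a match on the normalised form, so a single swapped character no longer defeats the rule. The remaining signals are deliberately weak on their own (plenty of legitimate receipts carry a phone number), which is why the verdict only fires when they coincide.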
A delivery has supposedly been made
In the second campaign, the attackers email the victim claiming that Amazon has successfully delivered an item.
As with the first message, it closely replicates the layout of a genuine Amazon email and includes a phone number if you want to request a refund.
The recipient will presumably notice that no such delivery has been made and may assume that either the email relates to an order they’ve made that’s been delivered to the wrong address, or that they’ve been credited with a purchase they didn’t make.
Either way, the recipient will want to address the issue and is therefore likely to call the phone number provided.
Unlike the first scam, though, no one picked up the call – and a few hours later, the number appeared to have been taken down.
However, the researchers noted that we should be concerned about the technique rather than the outcome. The scammers know that the email is getting past email security systems, so it’s just a case of using a new telephone number and recreating the campaign.
How to protect yourself from vishing
Vishing can be particularly insidious, because potential victims are talking to real people, giving the scam a sense of believability.
Also, once they’re on the line with that person, it can be uncomfortable to accuse them of being a scammer – particularly if up to that point they appear to be helping you with a query.
If you want to protect yourself from scams, this is a weakness you must acknowledge. It’s something organisations must also pay close attention to, as scammers are likely to imitate contractors or employees in other departments in an attempt to access sensitive information.
Although you may be aware of the threat of phishing and provide staff awareness training on email-based scams, it’s just as important to teach them about the threat of vishing.
That’s why our Phishing Staff Awareness Training Programme contains a dedicated section on phone scams – as well as other ways that attackers can trick employees.
This 45-minute course uses examples like those that we’ve discussed here to explain how scammers operate and the steps you should take to keep yourself safe.
The course content is updated each quarter to contain the latest criminal tactics and trends, helping you to reinforce staff awareness as part of your overall commitment to information security.