Hundreds of Amazon Customers Report Unauthorized Charges of at Least £400,000 ($513K)
Action Fraud, the UK's national fraud and cybercrime reporting center, is trying to warn the general public about a new scam targeting Amazon customers. The service, which is run by the City of London Police, has received around 200 reports from victims who have collectively lost more than £400,000 (about $513,000) to the scheme. A further 300 users told Action Fraud that they were targeted by the same scam but managed to avoid springing the trap. Although some people are fortunately able to spot the fraud, not everyone is so lucky, and the scammers are clearly making a pretty penny. But how does the whole thing work?
Hackers compromise Amazon accounts using social engineering and automated phone calls
The only thing the hackers need in order to set their plan into motion is your phone number. They initiate a phone call, but they're in no hurry to actually talk to you. Instead, as soon as you pick up, you hear a recording which tells you that you are now subscribed to Prime, Amazon's premium streaming service.
Of course, you're not interested in Amazon Prime, and you want to cancel the unauthorized subscription. The machine on the other end of the line tells you that if you press "1", you'll be able to do it. You are finally about to talk to a living, breathing human being.
You are put through to what you are told is an Amazon customer service representative. The person on the other end of the line informs you that they can issue a refund for the unauthorized Prime subscription. To process it, however, they'll need your personal information, which you must disclose over the phone. Alternatively, you are told that the Prime subscription was made because your computer has been compromised. The Amazon customer service agent can help you secure your PC, but they need you to install a popular remote access tool by the name of TeamViewer.
As you might have guessed already, the person you're speaking to is a scammer, and their sole goal is to steal your information and take over your Amazon account.
The masterminds behind this particular scam have decided to aim their attack at Amazon users for a few very good reasons. For one, the fact that the number of active Amazon accounts sits at well over 300 million means that there's no shortage of targets. Furthermore, many users find it more convenient to save their debit or credit card details inside their Amazon account, which means that as soon as the hackers gain access to the profile, they indulge in a spot of shopping using the victim's financial information. Swapping the delivery address is not difficult at all, and because many people reuse passwords across services, the criminals can often compromise their email accounts as well. As a result of all this, fraudulent orders often remain unnoticed for a while.
When users do see the unauthorized purchases, they usually expect to get adequate assistance from Amazon, but, as it turns out, they often don't receive the treatment they are hoping for.
Reversing fraudulent Amazon purchases is not always as easy as it should be
On October 30, British financial news website ThisIsMoney.co.uk wrote about several Amazon customers who had fallen victim to scams similar to the one outlined above. They all got in touch with the retailer and asked for their money to be refunded, but they all received a negative response.
Usually, the problem lies with the fact that as far as Jeff Bezos is concerned, the items are delivered, and the order is legitimate. Because the hackers change the delivery address before the purchase, however, the victims don't receive the goods and have no way of returning them. It all boils down to who bears the financial cost, and Amazon is reluctant to take it, despite the fact that according to ThisIsMoney.co.uk, the retailer's UK division racked up sales of nearly £11 billion (more than $14.1 billion) in 2018.
It is difficult to say who is right and who is wrong, both from a legal and from a moral perspective. What's interesting, however, is that as soon as the media starts reporting on people who are refused refunds for purchases they didn't make, Amazon tends to change its mind quickly, and the money is soon returned to the defrauded users. This trend is confirmed by a second ThisIsMoney.co.uk report which tells a few more stories of people who had problems getting their money back from Amazon. The world's largest online retailer is also criticized for its login and security mechanisms.
Amazon does nothing to advertise its security systems
Creating an Amazon account is easy. All that is required is an email address and a password, which doesn't even need to be that strong. The password has to be at least six characters long, but there are no requirements for the type of characters you must use, which means that theoretically, you can use "123456" as your Amazon password.
The loose password requirements make for a simpler account creation process, but they can also have serious security implications. And although Amazon does have a system that could fend off most of the attacks, it doesn't seem especially keen on letting users know about it.
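As an added illustration (not from the original article, and not Amazon's own code), the check below encodes the sign-up rule described above, six characters and nothing else, beside a hardened policy; the longer minimum, the blocklist and the email-name rule are constructed assumptions for this example.

```python
import re

# Weak rule as the article describes Amazon's sign-up policy: six characters,
# no composition requirement, so "123456" is accepted.
WEAK_MIN_LENGTH = 6

# Hardened rules (assumed for this example, not Amazon's actual policy):
# a longer minimum, a blocklist of common passwords, and no reuse of the
# account's own email name inside the password.
STRONG_MIN_LENGTH = 12
# Constructed sample blocklist; a real deployment would use a large
# breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "amazon123", "letmein"}


def weak_policy_accepts(password: str) -> bool:
    """The loose policy: length is the only rule."""
    return len(password) >= WEAK_MIN_LENGTH


def strong_policy_problems(password: str, email: str) -> list[str]:
    """Return the reasons a password fails the hardened policy (empty = accepted)."""
    problems = []
    if len(password) < STRONG_MIN_LENGTH:
        problems.append(f"shorter than {STRONG_MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    local_part = email.split("@", 1)[0].lower()
    if len(local_part) >= 4 and local_part in password.lower():
        problems.append("contains the account's email name")
    # A single repeated character or a straight digit run ("111111", "123456")
    # is trivially guessable regardless of length.
    if re.fullmatch(r"(.)\1*", password) or password in "0123456789" * 2:
        problems.append("is a repeated character or sequential digit run")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "alice.smith2019!", "correct-horse-battery"):
        print(candidate, "weak:", weak_policy_accepts(candidate),
              "strong problems:", strong_policy_problems(candidate, "alice.smith@example.com"))
```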
The retailer's two-factor authentication (or two-step verification, as Amazon calls it) works with both text messages and with authentication apps, but quite a few people don't even know about its existence. Here's what you need to do to enable it:
- Go to https://www.amazon.com/ and log into your account.
- Click on your name in the top-right corner and select Your Account from the popup menu.
- Click the Login & security button and click Edit in the Two-Step Verification (2SV) section.
- Click Enable to turn 2SV on and configure the system to your preferences.
Two-factor authentication is not a panacea, and it can never guarantee that the hackers will stay away. If you value your Amazon account (and the attacks described above show that you have quite a few reasons to do so), however, you have no excuse for keeping it disabled.