Industry experts have offered their tips on how to ensure network and personal data is safe from hackers this Amazon Prime Day.
Josh Bartolomie, Director, Research and Development, Cofense
Unfortunately, with the world we live in, especially with any type of highly visible promotions or sales, scammers will try to take advantage of the situation. Remember last year’s Amazon Prime Day phishing scam? Consumers around the world received an email promising a US$50 bonus for writing a product review, or an email stating there was a problem with their payment method or shipping information. When they clicked on an embedded link, they went to a bogus login page designed to harvest their credentials.
While our primary focus is enterprise security and protection, we do feel that we have an obligation to highlight these types of potential consumer fraud threats. We are all in this together and all of us are consumers who shop, sometimes while at work, each and every day.
So, if there’s another scam this Amazon Prime Day, July 16 to 17, it could become everybody’s problem. History repeatedly shows us that the best way to combat these types of problems is through awareness and education. If your business uses a phishing awareness solution like Cofense PhishMe, your users would know NOT to click on email links or attachments – 365 days a year, not just on Prime Day. They’d also know to report any suspicious emails to your security team.
However, due to the broad nature and potential impact of these types of consumer scams, we at Cofense wanted to review some examples of last year’s scams, in addition to providing some handy tips that could help you, your friends and family, and your users.
Here’s an example of one of the 2017 Prime Day emails:
- Fake orders – if you receive an email claiming to be from Amazon confirming an order that you did not place, it’s a scam. Instead of clicking links within the email, type Amazon.com into your browser, sign in and go to the ‘Your Orders’ page to verify your purchases. If you didn’t buy the item from the email, it’s a phishing scam.
- Credential request – Amazon does not send emails requesting your username and/or password. If you receive an email like this, it’s a scam.
- Request to update payment information – you should never click a link within an email asking you to update your payment information. Instead, go to your Amazon account and click ‘Manage Payment Options’ in the payment section. If you are not prompted to update your payment method on that screen, the email is not from Amazon.
- Fraudulent links – if you receive an email with a link that supposedly goes to Amazon, hover over the link with your cursor. If it does not say that it’s going to direct you to Amazon, it’s a phishing scam.
- Attachments – emails purportedly from Amazon that contain attachments or prompts to install software on your computer are scams.
To this list let’s add fake notifications about an Amazon Prime subscription, emails regarding shipping issues and requests to validate your Amazon Prime account.
Additional tips: A few other words to browse by
Again, these best practices apply all year long, not just during Amazon Prime Day, the winter holidays or grandma’s birthday.
- When in doubt, skip email and use the Amazon App. Amazon has applications for phones and tablets. When you use the App, you know you are interacting with Amazon
- Check the sender’s email address (not just the display name). While email addresses can be spoofed, or faked, often attackers will just spoof the display name, not the actual email address the email came from
- Remember that Amazon, and most online services, won’t send you an email requesting your username or password
- If you receive an email stating you made an order, and you don’t recall or are sure you did not place the order, open up a browser and manually log in and check your order history. Do not click on any links in the email
- When possible, use unique passwords for different services. This will minimize the impact and exposure if your account or password is ever compromised. Password manager applications make this a breeze
- Most emails that come from Amazon will never contain an attachment. If you did purchase something from Amazon that requires a download (music, software, video game, etc.), it is safest to log into your Amazon account manually and download the item directly from there
It’s all pretty standard stuff, but unfortunately people fall for it all the time. An ounce of prevention is worth avoiding a pound of cyber headaches. Happy Prime Day!
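The sender-address, link-hover and attachment checks from the tips above, automated as an added example (not Cofense's code and not part of the original article). The trusted-domain list, the `check_message` helper and the sample message are constructed assumptions for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "amazon"                          # brand an impersonator would name
TRUSTED = ("amazon.com", "amazon.co.uk")  # assumed allow-list, extend as needed
# Constructed sample modelled on the review-bonus lure described above.
SAMPLE = '''From: "Amazon Prime" <rewards@prime-bonus.example>
Subject: Claim your $50 review bonus
Content-Type: text/html; charset="utf-8"

<p><a href="http://login.prime-bonus.example/signin">Sign in to Amazon.com</a></p>
'''

def trusted(host):
    # Exact match or a true subdomain; "amazon.com.evil.example" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None

def check_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    findings = []
    if BRAND in display.lower() and not trusted(addr.rpartition("@")[2]):
        findings.append("display name claims the brand, address does not")
    body = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:   # what hovering over the link would reveal
        if BRAND in text.lower() and not trusted(urlsplit(href).hostname):
            findings.append("link text names the brand, target is " + href)
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        findings.append("message carries an attachment")
    return findings
```

A security team could run a check like this over messages that users report; an empty result only means these three heuristics did not fire, not that the message is genuine.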
Robert Capps, Vice President of Business Development at NuData Security, a Mastercard company
It can be tempting to take shortcuts when making mobile purchases, especially if a good deal is only available for a limited time and the clock’s ticking. Just a few simple steps can help consumers shop safely on mobile – on any vendor, both on Amazon Prime Day and every day:
- Be sure the web address begins with https (not http) on any page where you input data. The https signifies a more secure website, ensuring your data is submitted via encrypted pages and that the environment you’re shopping in is safe – both physically and digitally. If you’re not on a trusted and secured network, consider yourself in an unsafe digital territory. And don’t log on to any online site when you are on an open Wi-Fi connection.
- Check your social media accounts regularly. Ensure that information such as birthdays, education, family, friends, pets, home address, etc. aren’t publicly available and that your privacy settings on social media block non-friends from posting to or seeing what you’ve posted. Review which services and sites you have given permission to access your social media accounts. Remove those that are no longer needed or used.
- Keep your phone protected. It’s the gateway to a huge amount of valuable personal information. It should be password protected as a safeguard in the event of loss or theft, and the operating system should be kept stringently up-to-date to guard against attacks. Most phones have the ability to be wiped from another device in the case of theft.
- Consider activating alerts with credit bureaus, your bank, and your credit cards. Most banks and credit card companies offer security alerts as a free service. While the processes differ among various credit bureaus and entities, the goal is the same: immediate alerting of any suspicious activity.
- Stay vigilant: Monitor your bank and credit statements regularly, and be on the lookout for any anomalies – including ones as small as £1 or even a penny. Likewise, if you’ve had a problem logging into your credit card or banking account, call the institution immediately. Consider purchasing credit and identity protection services that can continuously monitor your account and send you notifications should anything go amiss.