Tech Security Alert: A new multistage phishing campaign spoofs Amazon's order notification page

A new multistage phishing campaign spoofs Amazon's order notification page and includes a phony customer service voice number where the attackers request the victim's credit card details to correct the errant "order."

The attack works like this: "The victim receives an email showing their supposed Amazon order that totals more than $300. The victim, realizing they didn't place the order, clicks on a link in the email, which takes them to the actual Amazon website. A customer service number in the phishing email, which has an area code from South Carolina, doesn't answer when they try to call. After a few hours, the attackers call back – from India – and the phony customer service rep tells the victim they need to give their credit card and CVV number in order to cancel the invoice."

Tips:

• InfoSec encourages end users to look at the sender address of the email. In the Amazon case, the sender’s address was a Gmail account, not from Amazon.
• InfoSec encourages end users to check their Amazon accounts. If they truly made the order, then it should appear on the “Returns & Orders” section of their account.
• Do not to call unfamiliar numbers. As with other online scams, check the account you have with the caller (Amazon in this case) site before making any calls.