When Ken Gillen received an email from “AmazonCenter” last month instructing him to update his billing records “right now,” it didn’t take him long to decide he would do no such thing.
Even though the Albuquerque resident is a longtime customer of the online retailer, he correctly surmised the email was a fake.
“Just got the following email which is obviously fraudulent,” he wrote in an email to me that contained the original notification. “Thought you might be interested.”
Coincidentally, or perhaps not, the next day I received an “Amazon” email sent to both my personal and work email accounts, this one taking a different tack.
“We have recently updated our website database and new security feature has been added for effective order and shipping,” the email from “Amazon.com Online” read in clunky English. “Please www.amazon.com/update, to update your account information within 24hours (sic).”
Clicking on that link, of course, can put you at risk of downloading malware onto your computer or trick you into providing sensitive personal information to one of the last people on Earth you would want to have it.
As I’ve mentioned previously, there is nothing particularly imaginative about scam artists piggybacking on the names of reputable companies to carry out their abominable acts – it happens all the time. You may recall that was the modus operandi behind the fraudulent Wal-Mart/Target $100 rebate postcard scam I wrote about two weeks ago.
In fact, when I ran the exact wording of my email through a Google search the other day, that same language – right down to the missing space between “24” and “hours” – showed up as a topic of discussion on MacIssues.com, a troubleshooting website for Apple Macintosh users. The only significant difference was “www.amazon.com/update” had been replaced by “www.apple.com/upgrade.”
In that case, the phishing email was described as a “new malicious effort by cyber criminals” to steal Apple IDs. With that information, a scammer can get access to your email, contact lists and other personal information.
But that’s only if you take the bait.
“If there’s a problem with Amazon, I contact Amazon,” Gillen told the Journal. “I think we’ve gotten similar things regarding bank statements, VISA cards … The problem is certainly getting out of hand.”
Gillen said he knew immediately the email was a fake, primarily because companies like Amazon don’t ask customers for personal account information by email.
He also picked up on the poor use of the English language – a common thread in bogus emails – especially the part that said “refusal to update your records will be finished in your account termination.”
“I know how these things work,” he said. “No one ever asks out of the blue for this information.”
Ty Rogers, a spokesman for Amazon, told the Journal in an email that skeptical consumers should read “About Identifying Whether an E-mail is from Amazon,” which is posted in the “Security & Privacy” section of the company’s website (amazon.com).
There, they will learn that fraudulent emails often contain:
- An order confirmation for something you didn’t purchase; it may or may not include an attachment.
- Requests for your Amazon.com username, password or other personal information, such as your full or partial Social Security number, your date of birth or your credit-card number, security code or PIN. If that information is needed, it will be requested through the company’s secure payment site.
- An appeal for you to update your payment information.
- Links to websites that look like Amazon.com but are not.
- Prompts to install software on your computer.
- Typos or grammatical errors as noted above, since many of these email scams are translated poorly from one language to another.
- Forged email addresses to make it look like the email is coming from Amazon.com, which was the case with the emails Gillen and I received. In Gillen’s case, “AmazonCenter” was followed by firstname.lastname@example.org; my “Amazon.com Online” was followed by “email@example.com.”
“Be careful and skeptical, and if you think it’s real, you should really not respond but contact Amazon directly,” Gillen said. “Go to their website and get a phone number or something and say, ‘I got this.’ That’s if you feel it’s legitimate.”
Nick Pappas is assistant business editor at the Albuquerque Journal and writes a blog called “Scammed, Etc.” Contact him at firstname.lastname@example.org or 505-823-3847 if you are aware of what sounds like a scam. To report a scam to law enforcement, contact the New Mexico Consumer Protection Division toll-free at 1-800-678-1508.