If You See This Message, Your Amazon Account Is Under Attack

Posted by Zak Doffman, Contributor | 2 days ago


Republished on July 24 with Amazon’s advice to users to combat these attacks.

A new warning has just been issued for millions of Amazon users, as a new wave of attacks on accounts has suddenly surged 5000%. This will come at you by text message, which is nothing new. Between undelivered packages, unpaid tolls and motoring fines, the scale of text attacks sweeping the U.S. and Europe is “out of control.”

The team at Guardio tells me that these new “Amazon refund scam texts” have surged “more than 50 times in the past two weeks.” Even in the world of text message attacks, that’s some increase. “These texts began appearing shortly after Prime Day, which started two weeks ago on July 8,” and spawned plenty of other attacks as well.

The texts are nothing to do with Amazon. The attackers do not even know you have an account. They’re just playing a numbers game because most of you do. “The link in the message leads to a fake Amazon site designed to steal your account details and hack it.”

Amazon warns that “scammers may send text messages claiming to be Amazon,” and that account holders should be “mindful” if they “receive a text message for orders or deliveries that you are not expecting.” It’s the same for refunds.

Amazon runs an active program to monitor for such impersonation scams, which includes sharing information as and when new campaigns are identified and, critically, shutting down the bad actors behind these attacks, both technically and legally.

But again, this is a numbers game. The attackers are running an industrial-scale scam that fires out messages indiscriminately. Targets will be found because countless users will have purchased recently on Amazon, and who doesn’t want an unexpected refund? The link is a short-code to beat Amazon’s other warning to watch for misspelled URLs.

If you receive this text, and many millions of you will, delete it immediately per the advice from the FBI and state and local police forces. If you have any doubts, log into your Amazon account using your app or usual methods and check there.

This text attack industry with its billions of messages is driven by organized criminal gangs in China, beyond the reach of U.S. law enforcement. Networks filter out plenty of texts, but attackers use farms of normal phones and SIMs to bypass normal checks.

Trend Micro warns that “30% of consumers have been scammed online, nearly 40% didn’t realize it until they’d already lost money and most didn’t use any tech to verify the scam — relying on instinct alone.” Its new ScamCheck tech is another potential bandaid.

In response to Guardio’s warning, Amazon is keen to emphasize the significant effort and investment being put into tackling such impersonation schemes. While this attack is outside its control, the potential viral threat to user accounts is taken seriously.

You can read more about Amazon’s defense against impersonation scams here. “In 2024,” it says, “we initiated takedowns of more than 55,000 phishing websites and 12,000 phone numbers being used as part of impersonation schemes.”

The company should take some credit for this. This scam text industry is opportunistic and does not target users based on any prior or relevant data. All that’s needed is a phone number. These are the most basic of scams and yet still they work.

If there is any intelligence applied to the scam, it’s in the fake websites that capture user login information. Some of these are designed to bypass or capture 2FA codes, and they’re often hosted on legitimate infrastructure to trick defensive filters.

Clearly these texts are outside Amazon’s control, and so users are urged to report scams as they come in. Users should also ensure their accounts are fully protected, at least by two-factor authentication and ideally by passkeys.

Amazon is keen to share its key tips to stay safe with those targeted by these attacks:

  1. “Verify purchases on Amazon. If you receive a message about the purchase of a product or service, do not respond to the message or click on any link in the message; instead, log into your Amazon account or use the Amazon mobile app.
  2. Trust Amazon’s app and website. We will not ask for payment over the phone or email—only in our mobile app, on our website, or in one of our physical stores. We will not call and ask you to make a payment or bank transfer on another website.
  3. Be wary of false urgency. Scammers often try to create a sense of urgency to persuade you to do what they’re asking.
  4. Don’t be pressured into buying a gift card. We will never ask you to purchase a gift card, and no legitimate sale or transaction will require you to pay with gift cards. Learn more about common gift card scams on our help pages.
  5. Do not call numbers sent over text or email, or found in online search results… Amazon will not ask you to download or install any software to connect with customer service nor will we request payment for any customer service support.”
