Amazon Warns Attacks Underway—Update Your Account Now

Don’t leave it too late — update now.
Amazon has confirmed its users are now under attack. Fraudulent emails that seem to come from Amazon actually open “a fake Amazon login page.” This steals your username and password, enabling attackers to gain access to your account.
Those emails, Amazon warns, claim “Amazon Prime subscriptions will automatically renew at an unexpected price,” and have been personalized with stolen data “to appear legitimate.” The warning was issued to more than 200 million customers.
If that’s not worrying enough, the security team at Guardio has also just warned that a separate attack is surging — up 5000% in just two weeks. This time it’s texts instead of emails, and fake refunds instead of fake price increases. But the result is the same — a fake login page stealing your credentials to access your account.
Amazon says it has taken down “55,000 phishing websites and 12,000 phone numbers” in the last year, “as part of impersonation schemes.” But still the attacks come. Amazon has now issued “6 practical tips to help you stay safe and avoid impersonation scams.”
America’s FTC warns “scammers are pretending to be Amazon again. This time, they’re sending texts claiming there’s a problem with something you bought.” But there is no refund. “Instead, it’s a phishing scam to steal your money or personal information.”
Amazon is keen to stress that it invests heavily to prevent users falling victim to these attacks. Its responsiveness to these latest attacks is impressive. But the reality is that the only way for account holders to stay safe is to update the security on their accounts.
You should do two things to secure your account and you should do both today.
First, ensure you have “two-step verification (2SV)” enabled from within the “Login & Security” settings, which you can find when you click on “Accounts & Lists.”
The default option is to use your primary mobile number to send one-time passcodes by SMS. This is the worst form of 2SV. Instead you should use an authenticator app from a major provider — Apple’s Passwords or Google’s Authenticator for example.
If you already have SMS 2SV enabled, “you’ll need to clear your two-step verification settings” to use an app instead. “To do so, tap or click disable, then tick the box next to ‘Also clear my two-step verification settings’ on the window that appears. Lastly, re-enable two-step verification using your authenticator app as your preferred method.”
With that done, your account is much safer. But there’s still a chance an attacker can trick you into sharing a one-time passcode through a fraudulent sign-in page. So you should also add a passkey to your account and use that as your default.
Passkeys are “phishing resistant.” They link your Amazon sign-in to your physical device’s security — for example, the biometrics or PIN on your phone. There is no 2SV code to steal or bypass or trick a user into sharing.
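To make the difference between the two recommendations concrete, here is an added worked example (it is not Amazon’s code and not from the article). It implements an authenticator-app code exactly as RFC 6238 defines it, then models the checks a site performs on a passkey (WebAuthn) sign-in assertion: challenge, origin, relying-party id hash and a signature over the authenticator data plus the client data hash. The domains and secrets are constructed for the example, and one simplification is labelled in the code: the device’s private-key signature is stood in for by an HMAC with a per-credential secret, so the origin-binding logic is identical but no asymmetric-crypto library is needed.

```python
"""Added illustration (not Amazon's code): why a passkey resists the fake
login page described above while an authenticator-app code does not.

TOTP follows RFC 6238 using only the standard library. The passkey part
models the WebAuthn "get" assertion checks a relying party performs
(challenge, origin, rpIdHash, signature over authenticatorData ||
SHA-256(clientDataJSON)). Simplification: the device's private-key
signature is stood in for by an HMAC with a per-credential secret.
All names, domains and secrets below are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

# --- Authenticator-app code (TOTP): a value with no notion of *where* it was typed ---

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int) -> bool:
    """Accept the current or immediately adjacent window. Note the signature:
    nothing about the page the code was entered on can be checked here."""
    return any(hmac.compare_digest(totp(secret, at + d), code) for d in (-30, 0, 30))

# --- Passkey assertion: the relying party's checks bind the login to its own origin ---

RP_ID = "example.test"                      # constructed relying-party id
ALLOWED_ORIGINS = {"https://www.example.test", "https://example.test"}

def make_assertion(cred_secret: bytes, challenge: str, origin: str) -> dict:
    """What an authenticator returns for a sign-in on `origin`. The browser
    writes the real origin into clientDataJSON; the page cannot change it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32) || flags (UP set) || signCount (4)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01]) + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()   # stands in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(cred_secret: bytes, expected_challenge: str, assertion: dict) -> tuple:
    """Relying-party verification, in the order WebAuthn lists the checks."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False, "clientDataJSON unparseable"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not this site"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo() -> dict:
    """Same user, same credential: a code typed anywhere verifies; an assertion
    produced for a lookalike origin does not, even though the user approved it."""
    now = int(time.time())
    totp_secret = secrets.token_bytes(20)
    cred_secret = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)

    code_shown_to_user = totp(totp_secret, now)          # user reads it off the app
    results = {"totp_accepted_from_anywhere": verify_totp(totp_secret, code_shown_to_user, now)}

    genuine = make_assertion(cred_secret, challenge, "https://www.example.test")
    lookalike = make_assertion(cred_secret, challenge, "https://www.example-login.test")
    results["passkey_genuine"] = verify_assertion(cred_secret, challenge, genuine)
    results["passkey_lookalike"] = verify_assertion(cred_secret, challenge, lookalike)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the comparison is in the function signatures: `verify_totp` has no way to know which page the six digits were typed into, so a code handed over on a fraudulent sign-in page is indistinguishable from one typed on the real site, whereas `verify_assertion` rejects anything whose client data names a different origin. In a real browser the protection starts even earlier, because a credential registered for one relying-party id is never offered to a page on another domain; the server-side origin and rpIdHash checks shown here are the defence in depth behind that.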
You can find instructions on adding an Amazon passkey here.
If you make these changes, an attacker who steals your username and password still cannot gain access to your account. At a minimum they would also need you to open your authenticator app and share the code, and they will not know you’re using an app.
Passkeys are still better. And if you make a rule to never use anything but your passkey on one of your trusted devices, you cannot be compromised. Change those settings today, given that attacks are underway. Don’t leave it too late.