Amazon account hijacking: how to defend yourself against fraudsters

Having an Amazon account hacked is the nightmare scenario for any user of the service. It’s impossible to say how common the problem is but there have been enough anecdotes on public websites in the last year to say that the risk of hijacking is real.

As we noted in an article looking at Amazon security settings last year, users can turn on two-step verification (see discussion below) via SMS or through an app but only if they are using US accounts. UK and other non-US users can only access the same security feature if they sign up for US accounts first and then enable it for the site. It’s a workaround but a needless one that Amazon should put right as soon as possible.


Amazon account security – types of Amazon fraud

Amazon fraud can be broken down into several types: purchase fraud against buyers, fake goods scams (caveat emptor), and fraud against sellers (caveat venditor) in the firm’s Marketplace. The last of these is a complex topic that could consume several articles, so we’re going to focus on the first, in which accounts are hacked and goods are fraudulently bought and sent to third-party addresses at the account holder’s expense. Since Amazon watches for out-of-character purchases, some attackers avoid detection by asking for refunds on goods already ordered instead.

How do hackers compromise Amazon accounts in the first place? The commonest method is some form of phishing through which criminals get their hands on a user’s Amazon ID and password. Once they have control of the account it can be surprisingly difficult to get it back. Amazon’s customer service seems chaotic at times and finds it hard to distinguish between people who have genuinely lost access to their account and those who merely think they have after receiving a bogus shipping email (see below).

It’s rarer but still possible that old-fashioned keylogging malware, which steals the user’s account details from their own PC, is to blame. This makes account resets a particular trial, as the hacker will see the new credentials as they are typed and keep changing them to block access.

Once they have hold of Amazon credentials, attackers will try them against other accounts that might use the same password (people often re-use them). That means PayPal, Gmail, e-commerce store accounts – you name it and the hackers will try it.

Amazon account security – phishing attacks

No matter how immune you believe you are to phishing attacks, you almost certainly aren’t. The criminals know this and use a number of techniques to hook people. Common examples include:

– A spoofed email that appears to be from Amazon, confirming an imaginary order for a sizable sum which the recipient is urged to query via a bogus login page.

– In a variation on this, a bogus dispatch confirmation message.

– Notification of a refund after an order was supposedly double billed, with a request to confirm the delivery address.

There are numerous others (including ones that push other threats such as ransomware) but we publish these to illustrate the point that phishing messages can be hard to resist. Any regular Amazon user confronted with what appears to be an order confirmation message for something they haven’t bought will be concerned. It is that psychological vulnerability that makes phishing so successful.

Anyone who enters their username and password into the phishing page will have handed access to their account to criminals, who will then use it to change the registered delivery address and buy goods for themselves with the linked credit or debit cards.
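The bogus login pages described above are reached through links whose host merely resembles Amazon’s. The following is an added example, not code from the original article: a small Python check that pulls the links out of an email body and flags any whose host is not amazon.com or amazon.co.uk (or a subdomain of one of them). The trusted-domain list, the helper names and the sample email text are all assumptions constructed for this illustration; Amazon operates many more regional domains than the two listed.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the account owner only ever expects links to
# these two registrable domains. Extend the tuple for other Amazon regions.
TRUSTED_DOMAINS = ("amazon.com", "amazon.co.uk")

# Matches http(s) URLs up to the next whitespace, angle bracket or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_host(url):
    """Return the lower-cased hostname of a URL, or '' if it cannot be parsed.

    urlparse().hostname already discards any userinfo ('amazon.com@evil...')
    and port, so the returned value is the host the browser would really contact.
    """
    return urlparse(url.rstrip(".,);")).hostname or ""


def is_trusted_host(host):
    """True only if host is exactly a trusted domain or a subdomain of one.

    Plain suffix matching is deliberately avoided: 'notamazon.com' must fail,
    and so must 'amazon.com.evil.example', whose registrable domain is evil.example.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(email_body):
    """Return a list of (url, reason) for every link that does not lead to a trusted host."""
    findings = []
    for url in URL_RE.findall(email_body):
        host = link_host(url)
        if not host:
            findings.append((url, "host could not be parsed"))
        elif not is_trusted_host(host):
            findings.append((url, f"host {host!r} is not under a trusted domain"))
    return findings


# Constructed sample mimicking the 'order you did not place' lure; every address here is made up.
SAMPLE_EMAIL = """\
Your Amazon.com order of $899.00 has shipped.
If you did not place this order, review it here:
http://www.amazon.com.account-verify.example/signin
Manage your orders: https://www.amazon.com/gp/css/order-history
Questions? https://amazon.com@login-check.example/help
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {url}\n    {reason}")
```

Run against the sample, the check flags the first and third links and passes the genuine order-history link. The two flagged cases are the ones a casual glance misses most often: a trusted name used as a prefix of an unrelated domain, and a trusted name placed in the userinfo part before the `@`, which the browser ignores.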
