Millions of people will be on the hunt for great deals when Amazon’s annual Prime Day sale kicks off this week, but the tech giant and third-party cybersecurity experts both warn that scammers will also be trying to capitalize on the event to snap up consumers’ money and personal information.
Ahead of the massive sale, which starts Tuesday, researchers for the cybersecurity firm Check Point say the number of Amazon Prime-related phishing campaigns spotted by their systems jumped 16-fold in June compared with the month before.
Some of the scam emails say that the recipient’s Prime membership has been put on hold because of a billing issue, while others say that they need to update their profile or their account will be frozen. All of them were designed to either steal credit card numbers or Amazon account usernames and passwords.
On top of that, Check Point researchers also spotted 1,500 new Amazon-related domains, the vast majority of which appeared to be potentially malicious or scammy.
Meanwhile, Amazon itself pointed to a variety of scam emails and text messages reported to its security team that look like shipping notifications, order confirmations and account problems.
All of that could prove disastrous for shoppers who might not think before they click on a link in an unsolicited email or text, then be duped into entering personal or financial information into a website that’s stealing from them instead of providing a great deal.
Impersonation scams, where cybercriminals snooker consumers by pretending to be legitimate companies, are on the rise and don’t just involve Amazon. According to the Federal Trade Commission, these kinds of crimes cost American consumers $660 million last year, up from $453 million in 2021 and $196 million the year before that.
In addition to impersonating online retailers like Amazon, scammers also tried to pass themselves off as tech support for companies like Microsoft, shipping companies such as UPS and officials from government agencies like the IRS.
Scott Knapp, Amazon’s director of worldwide buyer risk prevention, says his company is constantly fighting back against cybercriminals who seek to impersonate it for nefarious reasons.
Last year, Amazon said it initiated takedowns of more than 20,000 phishing websites and 10,000 phone numbers being used as part of impersonation schemes. It also reported hundreds of purported cybercriminals around the world to local law enforcement authorities.
The company also has developed strong relationships with law enforcement and government agencies over the years that help it combat phishing campaigns and scam websites, Knapp says.
For example, when it comes to SMS or text-based campaigns, Amazon can collect reported phone numbers, investigate them, package them and send them off to the Federal Communications Commission, which will then get the numbers taken down “pretty quickly,” he says.
That said, it’s a never-ending and uphill battle.
“Their ability to create new phone numbers outpaces, sometimes, our ability to get them taken down,” Knapp says. “We’re working with industry trade groups to make that better.”
For Amazon, the stakes are especially high leading up to Prime Day, when there will undoubtedly be a huge spike in online shopping, both on Amazon’s site and those of other retailers holding competing sales. In many of those cases, shoppers will know that they have to act fast to get those deals, making them more susceptible to fraud.
Despite that, it’s important for shoppers to take a beat and think, especially if the “deal” that just popped up in their inbox or on their phone showed up out of the blue. The same goes for messages that look like confirmations for orders you didn’t make or warnings that there’s a problem with your account.
“Always take a pause before you click, you text, or you call back anybody to make sure the message you received makes sense,” Knapp says.
Tips for safe Prime Day shopping
Here are a handful of tips from Amazon and Check Point for how to stay safe while shopping for Prime Day deals.
Double-check domain names. If a site’s address doesn’t start with “Amazon.com” it could be a fake. The same goes for other online retailers. Look for misspellings, additional punctuation and anything else that might seem a little off in the address.
For Amazon purchases, stick to the company’s website, app and stores. Amazon will never ask for payment over the phone or by email. It also won’t ask you to make payments by bank transfer or through a third-party site.
Go straight to retailer websites. You’re better off typing in the URL directly than clicking on a link that might be shady. If a message says you ordered something that you think you didn’t, skip the link and just check “My Orders” in your Amazon account to see if that’s true.
Use a good password and 2FA. Hard-to-crack passwords are musts for all retail sites. That means they need to be long, unique and random. Don’t be tempted to recycle even a great password if you’ve used it for another account. And whenever possible, enable two-factor authentication. Adding this extra form of authentication could save your bacon if your password does end up compromised.
Treat urgency with suspicion. Yes, a lot of Prime Day deals are limited-time, but any offer that says you need to buy right away needs a closer look. Cybercriminals are banking on you clicking before you think.
Look for the lock. Any legitimate retail site uses SSL encryption by now. It’s signified by a lock symbol at the start of the URL. If it’s missing, shop elsewhere.
Use a credit card. If fraudulent charges show up, you won’t be on the hook for the cost.
Keep your personal information personal. Retailers don’t need to know your Social Security number, birthday or other unchangeable personal details. If they ask for them, say no.
Report scam messages. Most email programs have buttons that let you report spam or phishing. Scam text messages can be reported by forwarding them to 7726 (SPAM).
If it’s too good to be true… Yes, we’ve heard this so many times it’s officially a cliche, but any mind-blowingly amazing deal should be treated like a scam, because it probably is. If you can’t verify it on the company’s site, steer clear.