Amazon fraudulent order

As promised, I have three important notices for you. The first one was about phishing that uses your branding to lull you into thinking it must be safe. This one is about your Amazon account and why you should turn Multi-Factor Authentication (MFA) on, in all of your accounts.

First a definition: Multi-Factor Authentication (MFA) is when you are prompted to approve a login. This approval comes second, after your password. It could be your face, a prompt asking “was this really you?” or another type of secondary confirmation that the real you is attempting to log on. The Microsoft Authenticator app handles all types of authentication and is the recommended solution. Text message is another option, though it has recently been shown to be less secure.

The scam

A client received notice from Amazon that an order was placed. Since he had not placed an order, he knew this order to be fraudulent. Shortly thereafter, he received a call from “amazon” letting him know that they had detected a fraudulent order. The order was then cancelled. What great service from Amazon! They are really looking out for their customers! “Amazon security” are my friends! That’s exactly what you are supposed to think. This was not Amazon calling – it was “amazon”.

Because MFA was not enabled on the account, criminals guessed the password (it takes seconds these days), placed an order, waited a bit for him to notice, then called pretending to be Amazon, cancelled the order and gained his trust. I mean, they had just saved him from the fraudulent order. Who wouldn’t trust them at this point?

From there I’m not exactly sure what the verbiage was to convince him that “amazon” needed to get onto his computer, but that is what he allowed. He then further let “amazon” into his bank account. All in the name of helping him with the security of his account, computer and banking information so his future transactions with Amazon would be protected.

If not for an overheard conversation, in which he was answering questions from “Harbor” (because who else would he have let onto his computer?) and letting them into his bank account, where upwards of $100,000 could have been lost, and the quick action of another person in the office, who slammed the laptop shut, the scam would have worked. If ever there was a case for the open office concept, this is it.

How do you keep this from happening to you?

It starts with the good security practices that we always preach.

  • Use MFA on everything, no exceptions.
  • If anyone calls you about your accounts (websites, bank, credit card, health, government site), hang up, look up the phone number yourself and call them back. Don’t call back the number that the scammers give you.
  • If the scam comes in via email, don’t click. Type in the website name yourself and log into your account. If there’s something important for you to do, there will be a notification for you there.
  • Never reuse a password.
  • Run it by us.

So, the scammers didn’t get your money, but they do have your password. Of course you’ll change it, but if you’ve used that password anywhere else you have to change it there too. Can’t remember ALL of the places where you may have used that password? Don’t let that happen again. Use a password management tool, like Roboform. We can help you get it. There are too many logins to remember. No one should have a computer and a phone and not have a password management tool. No one.

They have your password. They will now try your password on every website on the Internet. That sounds daunting and time consuming, but they have automated tools for this, so it’s not a big deal for them. Maybe they’ll be able to see your credit card number, SSN, date of birth or bank details; maybe they’ll even find another site that you’ve got your bank connected to and use that to withdraw money. Worst-case scenario for them: they sell the personal information they have gathered on the dark web. It’ll be bundled together with that of thousands of others they’ve run this scam on. Best-case scenario for them: they get into another of your sites and run this scam on you again. Or they find it’s unprotected and simply buy something they want or can sell later on eBay, or, if it’s your bank, make a wire transfer.

What if this did happen to you?

  • Fess up. No one can help you if you don’t let us know.
  • Allow yourself to be an example to others.
  • Make every password you have unique, and change them now.
  • Use MFA on everything.
  • Freeze your accounts (credit services, banking).
  • Enable alerting on all financial accounts and on all website accounts where it’s possible for you to make a transaction.
  • If your loss is significant, file a report with the State police cybercrime unit.

About Harbor Computer Services

Harbor Computer Services is an IT firm servicing Southeastern Michigan. We work exclusively under contract with our clients to provide technology direction and either become the IT department or provide assistance to the internal IT they already have. We have won many awards for our work over the years, including the worldwide Microsoft Partner of the Year in 2010. Most recently we were recognized as one of the top MSPs in the nation by ChannelFutures, coming in at #40 nationwide, and in 2016 as the top Michigan IT firm for Manufacturing. There are a few simple things that make Harbor Computer Services the best choice for your business:

  • We are Professionals
  • We are Responsible
  • We care about your business
