Christmas is here, which means it is officially shopping season, and given the supply chain issues, many people have started to stock up, especially from Amazon. Unfortunately, this gives hackers the perfect opportunity to spoof purchase notifications in order to get access to financial information. Typically, a hacker uses a legitimate Amazon link to encourage the end user to make a phone call instead of cancelling their order. Read on to find out what the hacker gains.
The impact
In this attack, the hacker duplicates an Amazon order notification page via email. The links included in the email direct you to the legitimate Amazon page. Any contact details listed on that page, such as a phone number, lead straight to the hacker, and that is where the fraud begins: the hacker obtains financial details at the end of the call. Not only do they have access to your financial information, but they also have your phone number, which they can use to perform further attacks via text message, phone call or voicemail.
The remediation
In order to avoid being a target, you should do the following:
- Check the sender address in the email
- Ensure there are no questions raised in your Amazon account about the order
- Avoid adding large companies to your ‘Allow List’ as they are the most targeted
- Do not call unknown numbers
- Implement a multi-tiered security process that relies on more than one factor to block an email
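The Python example below is added here to illustrate the sender check and the multi-factor idea from the list above; it is not from the original article or from Avanan. The brand domain list, the regular expressions, the verdict thresholds and the sample messages are all assumptions made for the example, including the assumption that the callback number appears in the email body.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: brand domains, patterns and verdict thresholds.
BRAND = "amazon"
BRAND_DOMAINS = ("amazon.com", "amazon.co.uk")
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)
PHONE = re.compile(r"(?<![\d-])\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?![\d-])")
CALL_WORDS = re.compile(r"\b(call|phone|dial)\b", re.I)

def is_brand_host(host):
    host = host.split("@")[-1].split(":")[0].lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def assess(raw_email):
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text"
    )
    claims_brand = BRAND in (display + " " + msg.get("Subject", "")).lower()
    hosts = URL_HOST.findall(body)
    signals = []
    # Factor 1: the message claims the brand but was not sent from a brand domain.
    if claims_brand and not is_brand_host(addr.rpartition("@")[2]):
        signals.append("sender_domain_mismatch")
    # Factor 2: the body pushes the reader towards a phone number.
    if PHONE.search(body) and CALL_WORDS.search(body):
        signals.append("callback_number")
    # Every link is genuine, so a link-reputation check alone would pass this message.
    links_all_brand = bool(hosts) and all(is_brand_host(h) for h in hosts)
    verdict = ("deliver", "review", "quarantine")[len(signals)]
    return {"signals": signals, "links_all_brand": links_all_brand, "verdict": verdict}

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Amazon Orders" <orders@notify-shop.example>
Subject: Your Amazon order confirmation

View order: https://www.amazon.com/gp/css/order-history
To cancel, call our support line at (555) 010-0199.
"""
LEGIT = """\
From: "Amazon.com" <auto-confirm@amazon.com>
Subject: Your Amazon.com order

Manage your order: https://www.amazon.com/your-orders
"""
```

Calling `assess(SPOOFED)` yields a `quarantine` verdict from two independent factors even though `links_all_brand` is true, which is why a filter that only inspects links lets this kind of message through.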
Source: Avanan