Megadeals and Cyber Steals
Amazon Prime Day 2019 is nearly upon us, and with it, the annual uptick in cyber threats. The shopping juggernaut starts in the U.S. at 12 a.m. Pacific Standard Time (PST), Monday, July 15, and ends at 11:59 PST, Tuesday, July 16th.
It’s a safe bet that thousands of employees will be spending their lunch hour surfing for deals on network computers and other devices, putting organizations at higher risk of cyber intrusions.
The blitz of promotional emails, online ads, and blogs linked to special deals is like Christmas to cyber criminals, who feed on the urgency of time-limited offers and high emotions. Last year, cyber threats tracked Amazon’s promotions, starting in advance of Prime Day and continuing well after the event with scams targeting merchandise returns.
Example of a 2018 Amazon Prime Day Phishing Email
What to look for in a phishing email or online scam?
If you look at the "From" field above, you will see that this email is obviously not from Amazon. The risk to employers is that employees aren't paying attention to anything other than the fake lure of a $100 credit. This is why security awareness education is so critical. Programs like Phishgoggles.com teach staff how to identify and avoid online scams and, through repetition and reinforcement, make awareness instinctual.
There are other red flags that a communication from Amazon is suspect. Amazon will never ask for the following information in an email:
- Your bank account information
- Credit card number
- PIN number
- Credit card security code
Other red flags
Grammatical and Typographical Errors: A legitimate email from Amazon will be error free. Consider any typos and grammar errors a clear indication that the email is malicious.
The Return/Sender address: All authentic Amazon emails will be sent from an email address ending in “@Amazon.com” or an Amazon landing page with a special offer. It is risky to click on what looks like a landing page, because it could be a page replicated by a hacker and assigned a close, but not real, domain name.
Website Link Previews: Most of the time you can preview a website or email link simply by hovering over the text or button. If the website domain name doesn’t include “Amazon.com” it is not likely to be legitimate. The following examples show how easily someone can be fooled into thinking a phishing email was legitimate:
- Sellercentral.amazon.com
- Security-amazon.com
- Amazon.com.biz
- Amazon-mail.com
*Info sourced from: https://sellercentral.amazon.com
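The four link examples above, run through two checks, as an added example that is not part of the original article: a "contains amazon.com" text match and a comparison against the parsed hostname. The function names are illustrative, and the `https://` prefixes are added here so the article's hostnames parse as links.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "amazon.com"  # the domain the article tells readers to look for

# The four examples listed in the article; the https:// prefix is added here.
ARTICLE_EXAMPLES = [
    "https://Sellercentral.amazon.com",
    "https://Security-amazon.com",
    "https://Amazon.com.biz",
    "https://Amazon-mail.com",
]


def hostname_of(link: str) -> str:
    """Return the lower-cased hostname of a link, tolerating a missing scheme."""
    if "//" not in link:
        link = "//" + link  # lets urlsplit treat a bare hostname as the host part
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def naive_contains_check(link: str) -> bool:
    """The weak test: does the text 'amazon.com' appear anywhere in the link?"""
    return TRUSTED_DOMAIN in link.lower()


def belongs_to_domain(link: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """The stricter test: the hostname is the domain itself or a subdomain of it."""
    host = hostname_of(link)
    return host == domain or host.endswith("." + domain)


def classify(links):
    """Return (link, naive_result, strict_result) for each link."""
    return [(l, naive_contains_check(l), belongs_to_domain(l)) for l in links]


if __name__ == "__main__":
    print(f"{'link':<36}{'contains':<10}{'hostname match'}")
    for link, naive, strict in classify(ARTICLE_EXAMPLES):
        print(f"{link:<36}{str(naive):<10}{strict}")
```

Only the first entry passes the hostname comparison, while the text match also accepts `Security-amazon.com` and `Amazon.com.biz`, which is why the domain has to be read from the end of the hostname rather than spotted anywhere in the link.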
Web page with a different URL: Even a legitimate-looking link can open a website with a different URL. If you click an “official” link and the website loads something else, click away immediately and report the link to Amazon. If you are at the office, report the possible threat to your IT contact. If you are at home, make sure you have anti-virus and anti-malware software on the device you are using to shop--before you shop, and year round.
Stick with the only safe option
Last year, Prime Day pulled in nearly as much in sales as Black Friday, with a flood of discounts on products people suddenly realized they could not live without. After all, who doesn’t need a Segway, iRobot Roomba Vacuum or Thermal Imaging Camera?
Don’t let a tempting promotion obscure your common sense. If you’re curious about a deal offered in an Amazon email, simply go straight to the official website. Any legitimate deal will be promoted on the site.
One last bit of advice: It’s best to do your shopping before or after office hours. If you are caught in a scam, the impact may be bad, but not as bad as bringing down your IT infrastructure at work. Feel free to download our Top 10 Security Awareness Tips for your staff.























