As the holidays approach, cybercriminals will be pulling the usual stunts to take advantage of the season. That means we can expect scams that exploit retailers such as Amazon. A recent campaign spotted by email security provider Avanan spoofs Amazon with both a traditional phishing message and a voice call to try to steal credit card information.

In a report published Thursday, Avanan said that the initial phishing email looks like a typical Amazon order confirmation. However, the price of the alleged item listed in the email is high, which means the recipient is likely to call Amazon to verify or question the order. To further trick the user, the link contained in the email goes to the actual Amazon site.

However, the phone number displayed in the message is not an Amazon number. If the recipient calls that number, no one answers. But after a few hours, someone calls back claiming to be from Amazon. That person tells the user that a credit card number and CVV number are required to cancel the order. If the victim takes the bait, the cybercriminal now has their credit card information as well as their phone number, through which they can launch further attacks by voicemail or text message.

The phishing email is able to sneak through traditional security scans because it contains legitimate links, such as the one to Amazon’s actual website. The campaign also uses a trick known as “phone number harvesting.” When the recipient calls the number in the email, their own phone number is captured through caller ID. The criminal on the other end now has a number through which they can carry out dozens of additional attacks.

To protect yourself and your organization from this type of scam, Avanan offers the following tips:

  1. Always look at the sender address of a suspicious email. In the case of this Amazon scam, the sender's address is a Gmail address, a tipoff that the message is not legitimate.
  2. Always check your account with the retailer or other company listed in an email, such as Amazon. Doing so will tell you that the order referenced in the message is not actually in your account.
  3. Never call an unfamiliar number listed in an email.
  4. At your organization, do not put major companies on your email allow lists, as they tend to be among the most impersonated. Amazon itself is one of the most spoofed brands.
  5. At your organization, set up a multi-tiered security solution that relies on more than one factor to block potentially malicious or suspicious email messages.
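
The first tip can be automated as a mail-filter heuristic. The sketch below is an added example, not code from Avanan or TechRepublic: it flags a message that names a brand but is sent from an unrelated domain, and notes that clean links and a callback number do not clear it. The brand map, free-mail list, phone pattern and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for illustration; none of these lists come from the Avanan report.
BRANDS = {"amazon": ("amazon.com",)}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?![-\d])")
URL_HOST_RE = re.compile(r"https?://([^/\s:>\"']+)", re.I)

def in_domain(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def score_message(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # single-part text/plain assumed
    text = " ".join([display, msg.get("Subject", ""), body]).lower()
    findings = []
    for brand, domains in BRANDS.items():
        if brand not in text or in_domain(sender_domain, domains):
            continue
        kind = "freemail" if sender_domain in FREEMAIL else "other"
        findings.append(f"brand-sender-mismatch:{brand}:{kind}")
        hosts = URL_HOST_RE.findall(body)
        # Links that all point at the real brand do not clear the message.
        if hosts and all(in_domain(h, domains) for h in hosts):
            findings.append("links-all-legitimate")
        if PHONE_RE.search(body):
            findings.append("callback-number-in-body")
    return findings

# Constructed samples (fictional address and 555-01xx number).
SAMPLE_PHISH = """\
From: "Amazon.com" <order-update.example@gmail.com>
Subject: Your Amazon order confirmation

Order total: $1,499.00
View your order: https://www.amazon.com/your-orders
Questions about this order? Call +1 (202) 555-0143.
"""
SAMPLE_LEGIT = """\
From: "Amazon.com" <no-reply@amazon.com>
Subject: Your Amazon order confirmation

View your order: https://www.amazon.com/your-orders
"""
```

Calling `score_message(SAMPLE_PHISH)` returns all three findings, while `score_message(SAMPLE_LEGIT)` returns an empty list.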