Voice phishing attack spoofs Amazon to steal credit card information

Voice phishing attack spoofs Amazon to steal credit card information

Impersonating an Amazon order notification, the attackers end up calling victims to try to obtain their credit card details, says Avanan.

As the holidays approach, cybercriminals will be pulling the usual stunts to take advantage of the season. That means we can expect scams that exploit retailers such as Amazon. A recent campaign spotted by email security provider Avanan spoofs Amazon with both a traditional phishing message and a voice call to try to steal credit card information.

SEE:Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

In a report published Thursday, Avanan said that the initial phishing email looks like a typical Amazon order confirmation. However, the price of the alleged item listed in the email is high, which means the recipient is likely to call Amazon to verify or question the order. To further trick the user, the link contained in the email goes to the actual Amazon site.

However, the phone number displayed in the message is not an Amazon number. Calling that number, no one will answer. But after a few hours, someone will call back claiming to be from Amazon. That person will tell the user that to cancel the order, a credit card number and CVV number are required. If the victim takes the bait, the cybercriminal now has their credit card information as well as their phone number through which they can launch further attacks by voicemail or text message.

The phishing email is able to sneak through traditional security scans because it contains legitimate links, such as the one to Amazon’s actual website. The campaign also uses a trick known as “phone number harvesting.” When the recipient calls the number in the email, their own phone number is captured through caller ID. The criminal on the other end now has a number through which they can carry out dozens of additional attacks.

To protect yourself and your organization from this type of scam, Avanan offers the following tips:

Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Delivered Tuesdays and ThursdaysSign up today

How to defend your organization against social engineering attacks (TechRepublic)

How a vishing attack spoofed Microsoft to try to gain remote access (TechRepublic)

Vishing attacks spoof Amazon to try to steal your credit card information (TechRepublic)

FBI warns of voice phishing attacks targeting employees at large companies (TechRepublic)

Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)

Lance Whitney Published: Modified:See more SecurityShare: Voice phishing attack spoofs Amazon to steal credit card informationByLance WhitneyLance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Editor's Picks