Voice phishing attack spoofs Amazon to steal credit card information
Impersonating an Amazon order notification, the attackers end up calling victims to try to obtain their credit card details, says Avanan.
As the holidays approach, cybercriminals will be pulling the usual stunts to take advantage of the season. That means we can expect scams that exploit retailers such as Amazon. A recent campaign spotted by email security provider Avanan spoofs Amazon with both a traditional phishing message and a voice call to try to steal credit card information.
SEE:Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
In a report published Thursday, Avanan said that the initial phishing email looks like a typical Amazon order confirmation. However, the price of the alleged item listed in the email is high, which means the recipient is likely to call Amazon to verify or question the order. To further trick the user, the link contained in the email goes to the actual Amazon site.
However, the phone number displayed in the message is not an Amazon number. Calling that number, no one will answer. But after a few hours, someone will call back claiming to be from Amazon. That person will tell the user that to cancel the order, a credit card number and CVV number are required. If the victim takes the bait, the cybercriminal now has their credit card information as well as their phone number through which they can launch further attacks by voicemail or text message.
The phishing email is able to sneak through traditional security scans because it contains legitimate links, such as the one to Amazon’s actual website. The campaign also uses a trick known as “phone number harvesting.” When the recipient calls the number in the email, their own phone number is captured through caller ID. The criminal on the other end now has a number through which they can carry out dozens of additional attacks.
To protect yourself and your organization from this type of scam, Avanan offers the following tips:
Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.Delivered Tuesdays and ThursdaysSign up today