Phishing in the Amazon

October 11, 2016

A case study on how to spot a phishing email

It’s easy to feel skittish about swimming in murky water — especially if you are in the actual Amazon river and know that creatures like this Piranha are lurking just below the surface.

Piranha

It’s no surprise, then, that I occasionally receive emails from anxious friends telling me things like, “Amazon just got hacked!” In our modern-day world we as consumers have come to expect a regular stream of news about massive data breaches, which leaves us a little skittish as well. After all, you as a consumer don’t actually know when you’re surrounded by a “school of hackers” until one of them bites, and it is hard to tell the difference between a phishing scheme and a legitimate email.

How to spot a Phishing email

To my friends and fellow netizens, here is a case study on an email from Amazon.com, with three tips for determining whether you have received a phishing email.

Is this a real email from Amazon or is it just another phishing scheme?

A typical phishing email comes from a free email service that is quick to set up, like Gmail or Yahoo. Compared against the real thing, the difference is obvious:

  • amazon-security@gmail.com (fake)
  • security-update@amazon.com (real)

Look at the actual address, not the display name: mail clients show a friendly name such as “Amazon Security” in front of the address, and that name is whatever the sender typed. The From address itself can also be forged, which is why receiving mail servers check it with SPF, DKIM and DMARC and record the result in an Authentication-Results header; a failure there outweighs anything the address looks like.

A more sophisticated attacker might go so far as to register a near match to the real domain, which is harder to spot in a quick visual scan but still obvious on a closer look. The common shapes are:

  • amaazon.com (a typo-squat, one letter away from the real name)
  • amazonsecurity.com (the brand name bolted onto a domain the company does not own)
  • amazon.com.verify-account.example (the brand name used as a subdomain; the part that counts is the last two labels, which belong to the attacker)

Short forms are a trap in the other direction: Amazon does own amzn.com and uses it for shortened links, so an abbreviated name is not automatically fake. The only reliable rule is that the sending domain, not the display name, must be one you can confirm the company actually uses.

Bad grammar is usually a dead giveaway. No self-respecting major corporation would let an email go out with the kind of mangled grammar this tip’s title plays on, but for whatever reason mass-market phishers still haven’t figured this out. The caveat runs the other way, though: clean grammar proves nothing, since a phisher can copy the wording of a real notification word for word.

Spear phishing attacks, a more targeted and sophisticated form of phishing, can be far harder to spot. They are far less likely to be perpetrated on a massive scale because they require a good deal of research on the individual and a coordinated approach. More on spear phishing here.

In the genuine Amazon email used for this case study there is never an invitation to send the sender your sensitive information or to click on a suspicious link. Attackers want you to click on links because the link leads either to a spoofed login page that harvests whatever you type into it, or to a download that installs malware on your computer. A link’s visible text can say amazon.com while its actual destination is somewhere else entirely, so hover over it (or long-press it on a phone) and read the real address before deciding.

The valid email, by contrast, tells you to do what you would normally do to reach Amazon: open your browser and go to the site yourself. A sender who wants you to sign in through your usual route is plainly not trying to get you to click on a link.
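The sender-domain checks from the first tip and the link check from this one, as an added example that is not part of the original post: a small Python script that pulls the From: address out of a raw message, classifies its domain against an allow-list (exact match, look-alike, or unrelated), reads the receiving server’s Authentication-Results header, and flags any HTML link whose real destination is untrusted or differs from the domain its visible text claims. The trusted-domain list, the hostname rules and both sample messages are assumptions constructed for the demo; security-update@amazon.com is taken from the post’s own example, and nothing here was checked against Amazon’s actual mail.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Domains the genuine sender may use (an assumption for this example; keep one list per brand).
TRUSTED_DOMAINS = {"amazon.com"}
# A bare hostname like 'www.amazon.com', as opposed to link text that just says "Click here".
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")
LINK_RE = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    """'mail.amazon.com' -> 'amazon.com'. Two-label approximation; use the Public Suffix List in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def edit_distance(a, b):
    """Levenshtein distance; catches one-letter typo-squats such as amaazon.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """'trusted', 'lookalike' (brand name reused anywhere in the host, or spelling within
    two edits of a trusted domain) or 'untrusted' (an unrelated domain such as gmail.com)."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # 'amazon'
        if brand in host or edit_distance(reg, trusted) <= 2:
            return "lookalike"
    return "untrusted"

def named_host(text):
    """Hostname the visible link text claims ('https://www.amazon.com/' -> 'www.amazon.com'), else ''."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlparse(candidate).hostname or ""
    except ValueError:  # e.g. text containing '[' parses as a broken IPv6 literal
        return ""
    return host if HOST_RE.match(host) else ""

def suspicious_links(html):
    """Links whose real target is not trusted, or whose visible text names a different domain than the href."""
    findings = []
    for href, inner in LINK_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", inner).strip()
        shown = named_host(text)
        mismatch = bool(shown) and registrable_domain(shown) != registrable_domain(target)
        verdict = classify_host(target)
        if verdict != "trusted" or mismatch:
            findings.append({"href": href, "text": text, "target_host": target,
                             "verdict": verdict, "text_mismatch": mismatch})
    return findings

def auth_results_pass(msg):
    """True only if the receiving server recorded SPF and DKIM passes. Trust this header only
    when your own mail server added it; a copy inside a forwarded or attacker-built message proves nothing."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dkim=pass" in results

def analyze(raw_message):
    """Run the sender, authentication and link checks over one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg["From"] or ""))
    from_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    return {"from_address": addr,
            "sender_verdict": classify_host(from_host),
            "authenticated": auth_results_pass(msg),
            "bad_links": suspicious_links(content)}

# Constructed sample messages for this example; neither is real Amazon mail.
PHISH = """\
From: "Amazon Security" <security@amaazon.com>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=amaazon.com; dkim=none
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, we was detect unusual activity. Verify now:</p>
<a href="http://amazon.com.verify-account.example/login">https://www.amazon.com/</a>
"""

LEGIT = """\
From: security-update@amazon.com
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=amazon.com; dkim=pass header.d=amazon.com
Content-Type: text/plain; charset="utf-8"

If this wasn't you, open your browser, type amazon.com yourself and sign in to review your devices.
"""
```

Call analyze() on the raw text of a message (what “show original” gives you in most mail clients). A “lookalike” verdict is a reason to verify, not proof of fraud, since companies do own odd-looking domains such as amzn.com; the reverse case, a “trusted” sender whose message fails SPF and DKIM, is the stronger signal.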



About Whistic

Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit: https://www.whistic.com.


About the author

Andrew Watanabe

Chief Product Officer @ Whistic
