BBB Alert: Beware of Amazon.com Fraudulent E-mail

  
     
July 19, 2010

BBB is warning online shoppers about a fraudulent e-mail that appears to be from Amazon.com. Scam artists are sending out the e-mails that state “thanks for your order.” The e-mail has an order number on it, a total price, and a link to click on to check out your order.

A BBB employee received the e-mail this morning. The employee has never shopped on Amazon, so she became suspicious and called the company. A customer relations manager told her that he had received 5 calls on it already, and that Amazon is investigating the fraudulent e-mail. The manager did not know what would happen if you clicked on the link. The link could be a virus or it could be a phishing attempt (to steal your personal information).

Amazon is asking anyone who receives a fraudulent e-mail like this to forward the e-mail to stop-spoofing@amazon.com.

Below are some key points from Amazon.com to help identify e-mails that appear to be from Amazon, but are not:

1. Know what Amazon.com won't ask for - Amazon.com will never ask you for the following information in an e-mail:

  • Your social security number or tax identification number
  • Your credit card number, PIN number, or credit card security code
  • Your mother's maiden name
  • Your Amazon.com password

2. Requests to verify or confirm your account information - Amazon.com will not ask you to verify or confirm your Amazon.com account information by clicking on a link from an e-mail.

3. Attachments on suspicious e-mails - Amazon.com does not send order confirmations or other unsolicited requests that require you to open attachments.

4. Grammatical or typographical errors - Be on the lookout for poor grammar or typographical errors.

5. Check the Web site address - Genuine Amazon.com web sites are always hosted on the "amazon.com" domain--"http://www.amazon.com/. . . " (or "https://www.amazon.com/. . ."). Sometimes the link included in spoofed e-mails looks like a genuine Amazon.com address. You can check where it actually points to by hovering your mouse over the link--the actual Web site where it points to will be shown in the status bar at the bottom of your browser window or as a pop-up. Amazon never uses a web address such as "http://security-amazon.com/. . ." or an IP address (string of numbers) followed by directories such as "http://123.456.789.123/amazon.com/. . . ."

6. Protect your account information - If you did click through from a spoofed or suspicious e-mail and you entered your Amazon.com account information you should immediately update your Amazon.com password. You can do this through Your Account by choosing the option to "Change your name, e-mail address, or password" found under Account Settings. Even if someone has been able to look at your account, they are still not able to see your full credit card information. However, orders can be sent from your account using your credit card. Contact Amazon immediately if you notice any orders that you do not recognize.

If you submitted your credit card number to the site linked to from the forged e-mail message, you should contact your credit card company. You should also delete the credit card from your Amazon.com account to prevent anyone from improperly regaining access to your account.

BBB ALWAYS recommends, if an e-mail looks suspicious, go directly to the Web site, or call the company directly. When in doubt, do not click on a link in an e-mail.

For more consumer tips, go to www.bbb.org.