Amazon Phishing/Smishing Scam
Wednesday, August 10, 2022
By: Myriam Sollberger
Web: https://wordpress.com/view/cybersecuritygrcpro.com
LinkedIn: https://www.linkedin.com/in/myriam-sollberger/
Twitter: https://twitter.com/MyriamSollberg1

I would like to share an experience with you all that happened to me yesterday regarding an attempt to obtain my personal information through a phishing/smishing scam. The scammers attempted to use Amazon as the bait company in an attempt to deceive me through my cell phone. I am going to begin this blog by first explaining what Phishing is and what a Phishing Scam is.

Phishing is a form of Social Engineering. Social Engineering is a term used to describe the manipulation and malicious activities that Cyber Criminal Crooks carry out by way of human interaction for the sole purpose of stealing your sensitive information: for example, your full name, date of birth, social security number, bank account, credit card, etc. The Cyber Criminal Crook utilizes malicious psychological manipulation tactics that focus on your human emotions to conquer and intimidate you and gain access to your sensitive personal information. To achieve this goal, they have to deceive you. To deceive you, the Cyber Criminal Crook’s weapon of choice is Phishing/Smishing by way of Social Engineering. Social Engineering phishing/smishing tactics are designed to lure you into revealing your sensitive information to the Cyber Criminal Crook by sending you fraudulent messages that manipulate you. Against an organization, this same method of manipulation is used to deploy malicious software to the target victim organization, infiltrate its network, and steal data. As you can see, everyone is a victim of the Cyber Criminal Crook. No exceptions.

Webroot defines phishing as, “a spin on the word fishing, because criminals are dangling a fake ‘lure’ (the legitimate-looking email, website, or ad) hoping users will ‘bite’ by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, usernames, or other valuable information” (Webroot, 2022).
Smishing is also a form of social engineering. Smishing is a malicious attack by way of text messages. The idea behind a smishing attack is to lure you using the name of a reputable company such as Amazon and trick you into providing your personal information, such as the password to that company’s account and credit card numbers. Proofpoint states, “Most of the 3.5 billion smartphones in the world can receive text messages from any number in the world. Many users are already aware of the dangers of clicking a link in email messages. Fewer people are aware of the dangers of clicking links in text messages” (ProofPoint, 2022).

Think about it. We are always on our phones. Because we are always on our phones, we all have a false sense of trust in those devices, in all the communication transmitted on those devices, and in the types of data we store on those devices. Attaching your credit card to Apple Pay is one example. Accessing our banking information on our mobile phones is another example. So, if you were a Cyber Criminal Crook, wouldn’t the best playground for you to gain wealth be to target the unsuspecting naïve fool through their cell phone? Proofpoint states, “Users are much more trusting of text messages, so smishing is often lucrative to attackers phishing for credentials, banking information, and private data” (ProofPoint, 2022). Furthermore, since most Cyber Criminal Crooks utilize automated scripts to Smish-attack their mobile device target victims, they remain protected and undetected.
What happened to me?
Yesterday, while running errands with my husband, doing our typical household shopping after work, and out of habit, I decided to check our bank account activities using my cell phone banking app. I want you all to know that it is out of habit that I do this. There is not a day that goes by that I don’t check all accounts. Well, this habit landed me on discovering an unusual unauthorized $100.00 charge on our credit card in pending status. The charge appeared legitimate as it contained the company name (Amazon Digital), followed by an 800 number to call, and the state of Washington. I immediately went into panic mode. I started to call the 800 number displayed on the pending charge line on my bank account. After dialing the number, I was greeted by an eerie robot voice with several prompts. You know! The press 1 for this. Press 2 for that. While waiting for the prompts, I was also checking my Amazon Business account for this mysterious $100.00 charge. There was none. I also do not have Amazon Digital anything as I have Amazon Business for the small business that we own.

By the time the automated system reached a prompt for purportedly reporting fraudulent charges or disputing a charge, the system purported to claim that it recognized the phone number from which I was calling. The alleged Amazon automated system continued by associating the number I was calling from with the fictitious Amazon Digital account. The automated system proceeded to send me an alleged verification SMS message to the cell phone number. Once the text message was sent to my cell phone, the system was attempting to have me log into my Amazon account from their link and they would have been able to obtain my username and password.
Once the link was sent to my cell phone, I knew right away this was not right. First, the cell phone number I was calling from is NOT associated with my business Amazon account. The trick behind this phishing/smishing scam was to gain access to my account and extract my data by attempting to have me log into the fake Amazon website link provided. This is known as SMISHING. According to Amazon, “Smishing scams are becoming increasingly advanced. Fraudsters can now insert their scam messages into a thread of legitimate messages that you might have received from us. Scam texts often say that there’s a problem with your account, ask you for sensitive information like passwords, or state that you’re owed a refund” (Amazon Business Prime, 2022). This is just one example based on my experience. There are other smishing scams outside of the Amazon Digital scam. Another example of a smishing scam involves the Cyber Criminal Crook calling you posing as the IRS, threatening serious legal action, and scamming you into giving them money in the form of Target Gift Cards. Now let’s talk about the bank!
Call the Bank
I immediately contacted my bank and reported the unauthorized charge. This is the not-so-fun part by the way. After authenticating who I was, the Customer Service Representative cold transferred me to the security team for the bank. The security representative of the bank was able to locate the unauthorized charge and quickly shut down my card. This is the part I don’t like, but hey! Better safe than sorry, right? As much as I hate the inconvenience of the shutdown of the card scenario, it HAS to be done. It is especially important to let your financial institution issue you another card and shut down the compromised card. The thing is, the bank is not at fault for the vulnerability of the compromised credit card. Believe it or not, many organizations do not have the appropriate security protocols in place to safeguard your data. I try to be as careful as I can with our bank cards and credit card. Despite my being cautious and monitoring transactions, I cannot control the negligence of the companies I do business with that do not take the necessary precautions to protect my sensitive information.
SO NOW WHAT?
I will no longer use my actual accounts to shop online or in the stores. I am going to get a prepaid card from my bank. The bank recommends using a prepaid card for shopping and online shopping or even to pay bills online. A prepaid card is loaded with whatever amount of cash you load it with to perform your transactions. Once that money is used up, that’s it! There is nothing to steal until you load it again! I hope this article I have written helps you all! Feel free to leave your comments.

Stay tuned for information about the upcoming Cyber Safety Workshop. I will be discussing the dangers of social media, Cyber Luring, and Cyber Predators. Whether you are a parent, grandparent, aunt, uncle, or teacher, my workshop will teach you how to protect children and yourself from Cyber Criminal Crook predators who seek out children for human trafficking and exploitation.

If you would like to be included on the invitation list, please send an email to myriamsollberger21@cybersecuritygrcpro.com with the subject line: Upcoming Cyber Safety Workshop (Cyber Predators/Cyber Luring and Social Media). In the body of the email, simply state that you would like to receive an invitation to the workshop. Your email address will be added to the mailing list for the upcoming workshop and you will receive the first invite for the first session.
Thank you!
References
Amazon, B. P. (2022, February 1). Identifying Whether a Text Message or Phone Call is from Amazon. Amazon. Retrieved August 10, 2022, from https://www.amazon.com/gp/help/customer/display.html?nodeId=GAXB2FKGQUUQVWP7
ProofPoint, P. P. (2022, August 3). What is smishing? examples, protection & more: Proofpoint us. Proofpoint. Retrieved August 10, 2022, from https://www.proofpoint.com/us/threat-reference/smishing
Webroot, E. (2022, January 1). Email phishing, Vishing & other types of. Webroot. Retrieved August 10, 2022, from https://www.webroot.com/us/en/resources/tips-articles/what-is-phishing
