It seems I bought a PS4 for $1000: Ambien shopping or a scam?
I've always wanted a PlayStation. And if I hadn't already bought one during the peak of recent quarantine boredom, I would not have been surprised to receive an email from Amazon confirming my purchase.
Many people do Ambien shopping or just hit the online stores after a few beers and don't even remember ordering some funny and useless stuff. There are plenty of chats where people share the craziest things they bought, without ever recalling doing so.
I don't do much late-night shopping, so getting an email from Amazon was certainly alarming. In fact, not only did I receive a purchase confirmation email - I also apparently bought a ridiculously overpriced PS4 for... $1098.
I knew I didn't buy it. Still, I checked my credit card balance just in case, even though I instantly recognized the email for what it was: a phishing attack. And a very incompetent one, at that. I couldn't even find a phishing link, so there was nothing to click. The only thing hyperlinked was my email address, and clicking it just opened an empty email form with my own address in the recipient line.
The phishing email was sent to my corporate email account, so there might have been quite a lot at stake. After all, by clicking phishing links, inattentive employees not only risk compromising their own data and devices, but also pose a threat to their company.
It's unlikely that anyone would fall victim to the kind of message I got - it seemed to be crafted quite poorly. Out of curiosity, I checked both the Amazon parcel number and the email address referenced in the phishing message you can see below - they don't exist.
However, as people got used to shopping online during lockdowns, cybercriminals began looking to make a profit by impersonating home delivery companies like Amazon, UPS, and others. I can't tell for sure how many parcels should reach me in September - I do buy a lot of my goods, including books and electronics, online. I know that fraudsters tend to try and take advantage of people like me all the time.
With that in mind, I showed this particular phishing email to a couple of cybersecurity experts and asked them to share some tips on how to stay safe online.
"Maybe they want you to call the number, and you'll end up in a 'boiler room' type scam. Does seem odd that there is no link," Dave Hatter, a cybersecurity expert at IntrustIT, told CyberNews.
When it comes to these shipping-related phishing emails - especially when the item is prepaid - he suspects attackers have one of two motives: credential theft or malware.
"Most likely, if you click the link, you will be taken to a lookalike webpage where you are required to log in so that they can grab your legitimate Amazon credentials and then access your account. It could also take you to a website where they will try to drop some type of malware on your device," he said.
As I mentioned before, the email I got didn't contain any phishing links. However, a better-crafted phishing email will undoubtedly try to trick you into clicking something.
Spot the scam signs
If you, just like me, are waiting for some home deliveries, an email from Amazon or another retailer won't surprise you. However, make sure it really is from Amazon and not some crook impersonating the company. Here's what Hatter recommends paying attention to:
1. Stop. Think. Did I actually order the item in question?
2. Look for misspellings and bad grammar in the email as red flags. As the scammers get better, this is less common.
3. Mouseover, BUT DO NOT CLICK on the links to see if they actually go to the website the email appears to have come from. If it's not VERY CLEAR that it does, DO NOT CLICK the link.
4. Be extra vigilant and skeptical.
5. If you're not sure, or you did order something, go "out-of-band."
6. Don't click any of the links or call any of the phone numbers (all easily spoofed).
7. Go to the website that purportedly sent the email by visiting it directly. For example, open a new browser window and go to www.amazon.com, www.target.com, www.walmart.com.
8. Log in to your account and use the legitimate site to check on any orders you might have.
9. The same would hold true if the email purportedly came from a shipping company like UPS or FedEx. Go "out-of-band" and visit their site directly to search for the shipping number.
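The mouseover check from step 3, automated, as an added example that is not part of the original article: it lists where each link in an HTML mail body really points, compares that with the domain the mail claims to come from, and flags the case described above where there is no web link at all, only a phone number. The function names, the US-style phone pattern and both sample mails are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

PHONE = re.compile(r"\(?\b\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b")  # US-style numbers only

class LinkCollector(HTMLParser):
    """Collect (href, visible text) per <a> element, plus all body text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def on_domain(host, domain):
    """True only for the domain itself or a subdomain, not a lookalike prefix."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def review_links(html, claimed_domain):
    """Return findings for a mail body that claims to come from claimed_domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings, web_links = [], 0
    for href, label in parser.links:
        url = urlsplit(href)
        if url.scheme not in ("http", "https"):
            findings.append(("non-web-link", url.scheme, label))
            continue
        web_links += 1
        if not on_domain(url.hostname, claimed_domain):
            findings.append(("off-domain", url.hostname, label))
    if web_links == 0 and PHONE.search(" ".join(parser.text)):
        findings.append(("callback-only", None, "phone number but no web link"))
    return findings

# Constructed samples, not taken from the email described in the article.
NO_LINK_MAIL = ('<p>Order confirmed: PS4, $1098. Questions? Call (800) 555-0100.</p>'
                '<a href="mailto:me@corp.example">me@corp.example</a>')
LOOKALIKE_MAIL = ('<a href="https://amazon.com.parcel-check.example/login">'
                  'www.amazon.com/your-orders</a> '
                  '<a href="https://www.amazon.com/">Help</a>')
```

The suffix comparison in `on_domain` is what catches a host that merely starts with the brand name; a substring match on "amazon.com" would accept it.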
According to Stel Valavanis, CEO of Chicago-based onShore Security, there are some very tricky scams with e-commerce orders.
"Most involve gift cards and other forms of quasi-currency. Less often, you see tricks where orders are placed with a return made in a way that the scammer gets funds returned to them. In some ways, it's more like traditional scams that play on people's greed and the tease of a windfall. It can get complicated, but the victim is tricked into thinking there's a share of that windfall coming to them if they can pony up to make it happen. Today with cryptocurrency and all sorts of online cash-like accounts, it's even easier to find a mark. I love those YouTubers that bust the con men and expose their scam," he said.
Speaking of gift cards, NortonLifeLock recently discovered an entire gift card fraud scheme. Here you can find out more about how gift card holders can be easily scammed.
The FBI's Internet Crime Complaint Center reported that people lost $57 million to phishing schemes in one year.
According to the UK's Federal Trade Commission, here are the four steps to protect yourself from phishing:
1. Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
3. Protect your accounts by using multi-factor authentication (MFA). Some accounts offer extra security by requiring two or more credentials to log in to your account. MFA makes it harder for scammers to log in to your accounts if they do get your username and password.
4. Protect your data by backing it up. Back up your data and make sure those backups aren't connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.