This one is about your Amazon account and why you should turn MFA on in all of your accounts.
The scam
A client received notice from Amazon that an order was placed. Since he had not placed an order, he knew this order to be fraudulent. Shortly thereafter, he received a call from “amazon” letting him know that they had detected a fraudulent order. The order was then cancelled. What great service from Amazon! They are really looking out for their customers! “Amazon security” are my friends! That’s exactly what you are supposed to think. This was not Amazon calling – it was amazon.
Because MFA was not enabled on the account, criminals guessed the password (it takes seconds these days), placed an order, waited a bit for him to notice, then called pretending to be Amazon, cancelled the order and gained his trust. I mean, they had just saved him from the fraudulent order. Who wouldn’t trust them at this point?
From there I’m not exactly sure what the verbiage was to convince him that “amazon” needed to get onto his computer, but that is what he allowed. He then further let “amazon” into his bank account. All in the name of helping him with the security of his account, computer and banking information so his future transactions with Amazon would be protected.
If not for an overheard conversation, in which he was answering questions from “harbor, because who else would he have let onto his computer” and walking them into his bank account, upwards of $100,000 could have been lost. If not for the quick action of another person in the office, who slammed the laptop shut, the scam would have worked. If ever there was a case for the open office concept, this is it.
How do you keep this from happening to you?
It starts with the good security practices that we always preach.
- Use MFA on everything, no exceptions
- If anyone calls you about your accounts (websites, bank, credit card, health, government site) hang up, look up the phone number yourself and call them back. Don’t call back the number that the scammers give you.
- If the scam comes in via email, don’t click. Type in the website name yourself and log into your account. If there’s something important for you to do, there will be a notification for you.
- Never reuse a password
- Run it by us
So, the scammers didn’t get your money, but they do have your password. Of course you’ll change it, but if you’ve used that password anywhere else, you have to change it there too.
Can’t remember ALL of the places where you may have used that password? Don’t let that happen again. Use a password management tool, like RoboForm. There are too many logins to remember. No one should have a computer and a phone and not have a password management tool. No one.
They have your password. They will now try your password on every website on the Internet. Sounds daunting and time consuming, but they have automated tools for this, so it’s not a big deal for them. Maybe they’ll be able to see your credit card number, SSN, date of birth or bank details; maybe they’ll even find another site that you’ve got your bank connected to and use that to withdraw money.
Worst case scenario, for them, they sell the personal information they have gathered on the dark web. It’ll be bundled together with thousands of others that they’ve run this scam on.
Best case scenario for them: they get into another of your sites and run this scam on you again. Or they find it unprotected and simply buy something they want or can sell later on eBay, or, if it’s your bank, wire transfer the money out.
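Finding every site that shares the stolen password is exactly what a password manager makes possible. The script below is an added example written for this post; it is not code from the post or from RoboForm, and it assumes a CSV export with `site`, `username` and `password` columns (a constructed layout, not any vendor’s actual export format). It compares passwords by SHA-256 fingerprint so the report never has to carry the plaintext, lists the sites that share a password, and, given the password the scammers now have, tells you every site where it must be changed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (assumed column layout): one password is reused
# on three sites, the other two passwords are unique.
SAMPLE_EXPORT = """site,username,password
amazon.example,alice,Summer2023!
bank.example,alice,Summer2023!
email.example,alice@example.com,Summer2023!
shop.example,alice,correct-horse-battery
health.example,alice,xK9#pLm2@qR7
"""


def fingerprint(password: str) -> str:
    """Short SHA-256 fingerprint so reports never contain the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def _rows(csv_text: str):
    """Yield rows of the export, skipping entries without a password."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("password"):
            yield row


def find_reused_passwords(csv_text: str) -> dict[str, list[str]]:
    """Group sites by password fingerprint; keep only groups of 2+ sites."""
    groups: dict[str, list[str]] = defaultdict(list)
    for row in _rows(csv_text):
        groups[fingerprint(row["password"])].append(row["site"])
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def sites_to_rotate(csv_text: str) -> list[str]:
    """Every site whose password is shared with at least one other site."""
    reused = find_reused_passwords(csv_text)
    return sorted({site for sites in reused.values() for site in sites})


def sites_using(csv_text: str, compromised_password: str) -> list[str]:
    """Sites where a known-compromised password is in use: change all of them."""
    target = fingerprint(compromised_password)
    return sorted(
        row["site"] for row in _rows(csv_text)
        if fingerprint(row["password"]) == target
    )


def report(csv_text: str) -> str:
    """Human-readable summary listing only sites, never passwords."""
    reused = find_reused_passwords(csv_text)
    if not reused:
        return "No reused passwords found."
    return "\n".join(
        f"password {fp}... is shared by {len(sites)} sites: {', '.join(sites)}"
        for fp, sites in reused.items()
    )


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
    print("change the leaked password on:", sites_using(SAMPLE_EXPORT, "Summer2023!"))
```

Run it against your own export (kept on an encrypted disk and deleted afterwards), then change the password on every site it lists and turn MFA on while you are there.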
What if this did happen to you?
- Fess up. No one can help you if you don’t let us know
- Allow yourself to be an example to others
- Make every password you have unique and change them now
- Use MFA on everything
- Freeze your accounts (credit services, banking)
- Enable alerting on all financial accounts and on every website account where it’s possible for you to make a transaction
- If your loss is significant, file a report with the police cybercrime unit