Voice phishing attack spoofs Amazon to steal credit card information

3 years ago 265

Impersonating an Amazon bid notification, the attackers extremity up calling victims to effort to get their recognition paper details, says Avanan.

email-data-phishing-with-cyber-thief-hide-behind-laptop-computer-vector-id1164097820-1.jpg

Image: iStock/OrnRin

As the holidays approach, cybercriminals volition beryllium pulling the accustomed stunts to instrumentality vantage of the season. That means we tin expect scams that exploit retailers specified arsenic Amazon. A caller run spotted by email information supplier Avanan spoofs Amazon with some a accepted phishing message and a dependable telephone to effort to bargain recognition paper information.

SEE: Social engineering: A cheat expanse for concern professionals (free PDF) (TechRepublic)  

In a report published Thursday, Avanan said that the archetypal phishing email looks similar a emblematic Amazon bid confirmation. However, the terms of the alleged point listed successful the email is high, which means the recipient is apt to telephone Amazon to verify oregon question the order. To further instrumentality the user, the nexus contained successful the email goes to the existent Amazon site.

However, the telephone fig displayed successful the connection is not an Amazon number. Calling that number, nary 1 volition answer. But aft a fewer hours, idiosyncratic volition telephone backmost claiming to beryllium from Amazon. That idiosyncratic volition archer the idiosyncratic that to cancel the order, a recognition paper fig and CVV fig are required. If the unfortunate takes the bait, the cybercriminal present has their recognition paper accusation arsenic good arsenic their telephone fig done which they tin motorboat further attacks by voicemail oregon substance message.

amazon-vishing-scam-avanan.jpg

Image: Avanan

The phishing email is capable to sneak done accepted information scans due to the fact that it contains morganatic links, specified arsenic the 1 to Amazon's existent website. The run besides uses a instrumentality known arsenic "phone fig harvesting." When the recipient calls the fig successful the email, their ain telephone fig is captured done caller ID. The transgression connected the different extremity present has a fig done which they tin transportation retired dozens of further attacks.

To support yourself and your enactment from this benignant of scam, Avanan offers the pursuing tips:

  1. Always look astatine the sender code of a suspicious email. In the lawsuit of this Amazon scam, the sender's code is from Gmail, a tipoff that the connection is not legitimate.
  2. Always cheque your relationship with the retailer oregon different institution listed successful an email, specified arsenic Amazon. Doing truthful volition archer you that the bid referenced successful the connection is not really successful your account.
  3. Never telephone an unfamiliar fig listed successful an email.
  4. At your organization, bash not enactment large companies connected your email Allow Lists arsenic they thin to beryllium among the apical ones being impersonated. Amazon itself is 1 of the astir spoofed brands.
  5. At your organization, acceptable up a multi-tiered information solution that relies connected much than 1 origin to artifact perchance malicious oregon suspicious email messages.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

  • How to go a cybersecurity pro: A cheat sheet (TechRepublic)
  • How to support your enactment against societal engineering attacks (TechRepublic)
  • How a vishing onslaught spoofed Microsoft to effort to summation distant access (TechRepublic)
  • Vishing attacks spoof Amazon to effort to bargain your recognition paper information (TechRepublic)
  • FBI warns of dependable phishing attacks targeting employees astatine ample companies (TechRepublic)
  • Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)
  • Read Entire Article