The email smelled as bad as week-old fish: It was a screenshot of a $1,000 cellphone I had supposedly bought on Amazon.
I quickly checked my Amazon account. No purchase was recorded. Then I checked my credit card account. Ditto.
This was clearly a scam and the real action was the “Amazon” order number and phone number, with a Philadelphia area code, included on the email. I dialed the number.
The man who answered sounded unprofessional but he was all business: He immediately wanted to know my credit card information to “verify.” I asked him how he got my email. Agitated, he repeated his demand for a card number. When I told him I knew he wasn’t legit, he hung up.
Turns out, I had been caught up in one of the largest ongoing scams on the planet. It’s estimated that hundreds of millions of potential marks are targeted by the confirm-your-Amazon-transaction ruse each month by email or robocall, according to YouMail, a phone security company.
Although media attention focuses on high-tech operations, such as the recent spate of ransomware attacks on big enterprises, these consumer-based scams appear far more ubiquitous and are less sophisticated than the headline-grabbing cybercrimes. They illustrate how cons preying on people’s trust have evolved from one of the oldest tricks in the book—brand fraud—which used to mean knockoff Rolexes, Louis Vuitton handbags and, much earlier, cattle rustling. Caveat emptor, pilgrim.
Now, after the global coronavirus pandemic made people more homebound, scammers have turned to trusted brands including Amazon, Apple, and warehouse retailer Costco as decoys in their relentless quest. The torrent of fake online inquiries and offers reached spectacular levels during the last year when millions were stuck at home and ordered online.
Costco, for example, is falsely cited in at least 13 different scams targeting online shoppers. Cybercriminals have used a number of methods to gain customer information including a fake customer satisfaction survey promising “exclusive awards of up to $500,” giveaways, free HDTVs, and a “2% reward redemption” and “overcharge reimbursement.” The retailer provides screen shots of the fraudulent offers on its customer service website.
“It is an unfortunate fact of the Internet that at any given time there are numerous illegitimate pop-up ads, surveys, websites, emails, social media posts and advertisements that purport to be from or authorized by Costco,” the company states on its website. “Unsolicited electronic communications from Costco do not ask for your personal information.”
Scammers are also invoking smaller trusted names. Mary Johnson, an analyst for the Senior Citizens League, found that her name was used as a decoy in one scam. “The emails were impersonating me, using a fake phone number,” she said. “These scamsters are getting extremely brazen. I can’t say if the scammer who was impersonating me was part of an Amazon scam. I only know that a scammer had contacted a supporter of The Senior Citizens League, and that individual’s daughter contacted me to check out the phone number used.”
Traditional cons have long played on people’s desire to be the lucky one in the crowd who gets something for nothing, and so these clickbait frauds often invoke key words such as “exclusive,” “survey,” “reward,” “redeem” and “gift cards.” The swindles fall into broader consumer theft categories of identity theft, fake prizes/sweepstakes, Internet merchandise and “spoofing.” Swindlers often use a technique called “pharming” that directs Internet traffic from a legitimate site to a look-alike homepage explicitly designed to grift personal account information, Social Security numbers, PINs and addresses.
The scammers don’t require much more than cheap router to blast out emails and robocalls—it costs $100 to $200 to make 1 million calls—and the unauthorized use of corporate logos.
These frauds are part of an unrelenting, metastasizing cybercrime trend that targets consumers, businesses and government 24/7. And there’s plenty to be worried about: Online consumer threats rose 82% in 2020, according to Atlas VPN, a cybersecurity firm.
Apple’s website warns consumers about fake calls or emails that pretend to alert potential victims through “pop-ups and ads that say your device has a security problem.”
They may also issue bogus warnings of an “iPhone calendar virus,” “iCloud locked email,” or a “breached” account, according to scam-detector.com.
Despite the variety of approaches, the core emotional trap of these scams typically is to scare and implore you to call, click or email to quickly reveal account information. Criminals may even send fake texts with the same intent, a practice known as “smishing.” They may also pretend to be from Apple, Costco or other large retailers.
Although exact numbers are difficult to come by—since the majority of these come-ons are never reported—it was clear that scamsters took advantage of the blizzard of online commerce during the pandemic lockdown.
Plugging “Amazon” into the Better Business Bureau Scamtracker site, which tracks complaints made to the organization, shows reported scams more than doubling between March 14, 2020 through June 14, 2021 from the comparable period starting in 2019—the rise coming roughly from the start of the pandemic to the reopening date for most businesses and organizations. This is just a tiny sampling of the larger problem, though: Online purchase scams made up 38.3% of all scams reported to the BBB site in 2020, up from 24.3% in 2019.
- Free gifts. These fake offers range from PlayStations to “massage guns.”
- Gift cards. They may be falsely tied into Amazon Prime or the company’s anniversary.
- Locked Account. The ruse is similar to other scams that claim to freeze your account. They get you to call out of fear. They even may state that your “Amazon Prime Account was breached.”
- Login attempts, shopping credits, reviews. Again, no one from Amazon will call you on these illegitimate messages. Many of the scams can be spotted by scrutinizing for misspellings.
- Shipping. The scammer will steal an order and ship you an empty box or an email with an incorrect shipping address with a phishing link.
- Confirm a Recent Transaction. This is the one I mentioned above. You call and they want to steal your personal information.
John Breyault, vice president of public policy telecommunications and fraud for the National Consumers League, said that three Amazon-linked scams his organization hears from consumers often about involve “clicking on [email phishing] links, compromised accounts and updating payment information.”
The Federal Trade Commission has frequently warned against the scams—and is empowered to police them—but they are too numerous to crack down on or shut down.
Keep in mind that, like similar swindles falsely invoking the IRS, Medicare or Social Security, giant retailers and government agencies seldom call you directly unless you call them first. The FTC did not respond to a request for comment. (RealClearInvestigations filed a Freedom of Information Act request for specific reports on these retail scams. The FTC’s FOIA system noted that the request was “closed” without delivering any information requested.)
All government watchdog agencies have been overwhelmed by the sheer volume of scams, many involving relentless robocalls and even fake unemployment claims.
“The FTC’s resources are woefully inadequate” to shut down these frauds, Breyault notes. “People were stuck at home and disconnected from their social networks during the pandemic while these complaints increased.”
“We’d like to see stronger enforcement,” Johnson says. “They’re destroying lives when they clean out accounts.” And Johnson would like to see technical solutions that could block robocalls, except in emergencies.
On its website, Amazon makes clear that it’s concerned about all this. “We take fraud, scam, phishing and spoofing attempts seriously,” says the retailer. “If you receive correspondence you think may not be from Amazon, please report it immediately. Note: Amazon can’t respond personally when you report a suspicious correspondence to [email protected], but you may receive an automatic confirmation. If you have security concerns about your account, please contact us.”
All well and good, but shortly after I finished my phone interview with Mary Johnson, she emailed me with a fresh incident: “I received a phone call to tell me that someone had made a $354 purchase on my Amazon account. I hung up and checked. No such Amazon purchase was showing on my account.”