Have you seen an Amazon Invoice phish on your desktop or mobile device recently?
There’s been a recent uptick in mobile vishing and in the Amazon Invoice scam, which uses a couple of new tricks. The latest Amazon phish/vish is a combined social engineering play and doesn’t rely on a link.
This lets the phish avoid detection and filtering by secure email gateways (SEGs).
According to a recent Avanan blog, the phish is designed to create urgency and get your immediate attention. What better way to create urgency than a USD $1200.00 Amazon charge for an iPad you never ordered? In this latest phishing template the links go to a legitimate Amazon page, which leaves you with a problem when it shows no orders. So the scammers use a little social engineering mojo to have you call a number at their call center located in India. There’s another trick up their sleeve: you can only leave voice mail. The scammers then call you back to try to get your credit card info and the CCV security number. If you fall for it, they now have your name, credit card and security info, and your telephone number for future scams. Fortunately there are red flags. The sender address is a Gmail account.
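The red flags above can be combined into a mail-filter heuristic. The following is an added example, not code from this post or from Avanan; the function names, the flag labels and both sample messages are constructed for illustration, and only amazon.com (not regional Amazon domains) is treated as the brand's own host.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

FREEMAIL = {"gmail.com"}  # the post names Gmail; other providers are an assumption to add
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (fictitious sender addresses and phone number).
SAMPLE_PHISH = (
    'From: "Amazon Billing" <invoice-desk.example@gmail.com>\n'
    "Subject: Your Amazon invoice\n\n"
    "Your iPad order, USD $1200.00, is confirmed.\n"
    "View order: https://www.amazon.com/your-orders\n"
    "Did not order? Call +1 (555) 010-0199 and leave a voicemail.\n")
SAMPLE_LEGIT = (
    'From: "Amazon.com" <auto-confirm@amazon.com>\n'
    "Subject: Your Amazon.com order has shipped\n\n"
    "Details: https://www.amazon.com/your-orders\n")

def is_brand_host(host):
    # amazon.com and its subdomains only; "amazon.com.evil.test" does not pass.
    host = (host or "").lower().rstrip(".")
    return host == "amazon.com" or host.endswith(".amazon.com")

def callback_phish_flags(raw):
    """Return the red flags described in the post that this raw message trips."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    flags = []
    if "amazon" in text and not is_brand_host(domain):
        flags.append("brand_sender_mismatch")   # claims Amazon, sent from elsewhere
    if domain in FREEMAIL:
        flags.append("freemail_sender")
    hosts = [urlparse(u).hostname for u in URL_RE.findall(body)]
    if all(is_brand_host(h) for h in hosts):    # also true when there are no links
        flags.append("no_offbrand_link")        # nothing for a URL filter to catch
    if PHONE_RE.search(body):
        flags.append("callback_number")
    return flags

def is_callback_phish(raw):
    # Any single flag is weak on its own; all four together match the pattern.
    return len(callback_phish_flags(raw)) == 4
```

A genuine Amazon notice also trips `no_offbrand_link`, which is why the verdict requires the flags in combination.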
You should step your employees through awareness training frequently so they are prepared to spot the red flags on mobile devices. Scammers know it’s harder to view sender email addresses and URLs on a mobile device. It’s worth taking those extra few seconds to check for the usual red flags and think like a scammer. Have you received these phishes? Discuss it here.