Phishing scams are usually pretty easy to spot. An email arrives in your inbox telling you some urgent action is required and providing a handy link to take you where you need to go.

Of course, you end up at the scammer's look-alike site, where you are told to enter sensitive information that the scammer then steals. Or you click on a link and download malware.

In any event, more people are aware of these schemes and look for the tell-tale signs like misspelled words, incorrect grammar, and broken syntax.

The email that arrived in my inbox this morning was a clear departure from the norm, and I have to admit I did a double-take. It appeared to be from Amazon.com security.

“At Amazon we take your security and privacy very seriously,” it began. “As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. For your security, we have assigned a temporary password to your account.”

For real?

At first glance, that might be plausible. And nearly everyone in the world has an Amazon account.

The rest of the email told me I needed to reset my password by going to the Amazon.com site. It didn't tell me to click on a link, but in the body of the email, everywhere “Amazon.com” appeared, it was in the form of a link, which would have been easy enough to spoof. Many people might simply click on one of the links, rather than type in the URL.

But wait a minute, could my years of consumer reporting be making me overly paranoid? Couldn't this be real?

Maybe, except for one thing. I have several email accounts. This helpful email arrived at an address I have never associated with my Amazon account.

Password not changed

I also went to a computer I had never used to access my Amazon account and had no problem logging in using my existing password. It had not been changed, as the email claimed.

I have forwarded the email to Amazon's real security department, at stop-spoofing@amazon.com, and asked that it confirm the email is not from Amazon. If it turns out to be real, I'll be both surprised and embarrassed.

But perhaps it is a measure of the sophistication and cunning of today's fraudsters that many consumers are reluctant to trust anything.

Meanwhile, Amazon – which is a frequent object of phishing scams – has this advice for trying to figure out whether an email is real.

