Two new phishing emails hit consumers' inboxes within the last week, serving as a cautionary reminder for people in the midst of their holiday shopping.
Both emails purport to be from major retailers -- Amazon and Apple -- and confirm a purchase. The only problem is there were no purchases. But after all, that's what the scammer is counting on.
The first email bears the subject line "Your Amazon order #873857 for $866.47 has shipped." Notice the price is included in the subject line. The scammer wants to make sure you see it and react.
If you haven't ordered anything from Amazon that costs $866.47, your first reaction might be to freak out. Your second reaction might be to click on whatever link was included in the body of the email, and that would be a big mistake.
The link would do one of two things. It might download malware to your device or it might take you to a website where you would be asked to provide your log-in information in order to see the phantom order. In the worst case, both things might happen.
The second email bears the subject line "Your invoice from Apple #ID 675821." The invoice bears the Apple logo and shows a purchase of the game "Mobile Legends: Bang Bang 1500 Diamonds" for $29.99.
Don’t click on the links
The invoice provides links to "report a problem" or to "visit iTunes Support" to question the bill. However, the links do not go to an Apple site but to someplace on the dark web.
The Apple email looks much more believable than the one that is supposed to be from Amazon, but both have an oddity in common. The date on the invoice in both instances was 24 hours before the email was received.
The two emails also count on the recipient to panic and overreact. The Amazon phishing email is especially troubling since someone on a tight budget might reasonably be very upset to think they are being wrongly charged that amount of money heading into the holidays.
Consumers who receive emails concerning purchases they didn't make should never respond using links in the email. Instead, navigate directly to the website of the company and contact the customer service department to confirm that the notification is either a mistake or a scam.