Have you ordered anything from Amazon in the past couple of weeks? Are you planning to in the next couple? If either is true, you might easily be victimized by a real-looking email, supposedly from Amazon, explaining that there's a problem with your order and asking you to re-enter some information.
Whatever you do, don't comply.
Both Amazon Prime members and non-members are reporting receipt of a very legit-looking email with the subject line, "Your Amazon.com order cannot be shipped." It begins:
There was a problem processing your order. You will not be able to access your account or place orders with us until we confirm your information. Click here to confirm your account.
It goes on to request that recipients not open any new accounts until the issue is resolved and read Amazon's terms and conditions if they have further questions.
If you click on the link in the email, it takes you to a very real looking "Amazon" page where you are invited to re-enter your name, address, and credit card information. Which, of course, the scammers will now have. Just to keep you unsuspicious, when you're done it will send you on to the real Amazon website.
Here's how to foil phishing scams.
Trying to make you divulge private information such as your password or credit card numbers is called "phishing," and needless to say, this is just one of thousands of scams out there trying to phish from all of us. Here's how to stay safe:
1. Check for the S.
Amazon and other sites dealing with financial information should start out "https" not "http". Floating your cursor over the link should show you which it is, or if your browser hides those prefixes, you can copy and paste. But avoid actually going to insecure pages.
2. Look closely at the URL.
The domain name should begin "amazon.com" or possibly something like "amazon.co.uk" if you're shopping on Amazon outside the U.S. Most retailers start with their domain name and then add on a department. For instance, the URL for Amazon's page for customer assistance begins: "https://www.amazon.com/gp/help/customer/". Watch out for anything like "amazoncustomerservice.com."
3. Examine the email address.
Likewise, the sender's email address should end "@amazon.com" (or something comparable for other retailers). It obviously shouldn't be anything like "firstname.lastname@example.org," but fake domains can be used to create fake addresses, so even if the domain looks like it might be legit, be cautious if it isn't the same domain you would use to visit the retail site. Incidentally, Amazon asks that you attach (or if not, forward) scam emails so their security team can shut them down.
4. Get there by your own means.
We all click through from emails to websites all the time, and most of the time it won't get you in trouble. But if you receive an email announcing a problem with your account and/or asking you for further information, it's much smarter not to click the link. Go to the site using your bookmarks or history, or via search.
5. Use two-step authentication whenever it's offered.
The smartest websites and services help preserve your security by offering two-factor authentication when signing in. You should take them up on the offer.
To set that up, a site will ask for your mobile phone number and then text you a number to enter whenever you try to sign in. (Many sites also allow you to use Google Authenticator and/or a one-time code, which can be very handy if you lose your phone, or it dies, or you're somewhere out of cell range.) You can set your home computer to be recognized so it won't put you through that process every time you sign in, but it will prevent hackers elsewhere from signing into your email, retail, bank, or other online accounts and causing havoc.
That may not help you if you accidentally share your credit card numbers with someone who shouldn't have them, but it will help you a lot if a scammer gains access to your account passwords.