Amazon Prime scam: This phone call is conning people

July 23, 2020

By Kim Komando

It seems like scams are lurking around every corner these days. Even if an area code, email or website seems familiar, it never hurts to look a little closer to make sure it’s not a scam call or a phishing campaign in disguise.

Case in point, scammers are now impersonating major banks to trick people into ponying up financial information. But a quick look at the sender field in one of these sketchy emails will show it’s all a trick.

But it’s not just banks being impersonated by phishing campaigns. A realistic-looking email claiming to be from Amazon has been fooling people into sharing sensitive financial information. What’s more, they’re also attempting to deceive people through scam phone calls that pretend to be from Amazon employees. Here’s what you need to watch out for.

What the heck is Amazon MusicKey? Spoiler: It’s fake!

If you’ve recently received an email telling you your “Amazon MusicKey” trial is about to expire, you’re not alone. Hundreds of people have reported getting a message from Amazon telling them they’re about to be charged around $36 for this streaming service unless they follow a link and cancel it.

Forgetting to cancel subscriptions happens to everybody, but do you even remember signing up for Amazon MusicKey? If not, don’t worry — you’re not crazy. The service doesn’t even exist!

According to reports from Express, this unusual email has been targeting inboxes in the U.K. with urgent notices of impending charges. Once a victim attempts to cancel the service (by verifying card information, of course), that data is immediately harvested by the scammers, who can then use the card or account information to steal money.

How are people falling for it? For starters, the email is extremely authentic-looking. If you’re not paying close attention to the sender field, you could easily mistake it for a real Amazon message. And unless you know the details about every streaming service Amazon offers, you could be forgiven for not knowing that MusicKey doesn’t exist.

An Amazon spokesperson told Express that any customer who receives the message should report it to stop-spoofing@amazon.com. “The best way,” they said, “to ensure that you do not respond to a false or phishing e-mail is to always go directly to your account on Amazon to review or make any changes to your orders or your account.”

If you get this call from Amazon, just hang up

Phishing emails aren’t the only way that scammers are attempting to hijack accounts. The U.K.-based Chartered Trading Standards Institute (CTSI) is informing citizens and Amazon subscribers alike of a new phone campaign aiming to trick people into giving up access to their computers.

Just like with the email scam, the call alleges to be from Amazon customer service. The “agent” on the other line will claim that the victim had an Amazon account opened fraudulently in their name, and will request access to their computer via remote desktop software to “fix” the issue.

If you make the mistake of allowing the person on the other end of the line to access your computer, they then proceed to scan your system for usernames, passwords and all valuable personal data.

As bad as the email scam is, this one is much worse in how it targets both Amazon customers and non-users. This expands the potential pool of victims, which means more chances for the scammers to wreak havoc.

Am I at risk for this hack? What can I do to avoid it?

Thankfully, the majority of complaints about these scams appear to come from the U.K., but that doesn’t mean they won’t be coming our way soon. Scammers often take their operations global after finding local success, so don’t be surprised if you get an email or call about your “subscription” in the near future.

If you get a phone call like the one above claiming to be from Amazon, keep in mind that Amazon never cold-calls users or anyone for that matter. A statement from the other line that says the call is from Amazon is your signal to hang up immediately.

That said, if you want extra peace of mind to make sure you didn’t miss anything significant, you can always hang up the incoming call and then dial Amazon yourself at 1 (888) 280-4331. Once you’re connected, tell them what the person on the previous call said, and have the Amazon agent confirm or deny whether they’re telling the truth. Most of the time, it’s a lie.

If you get a suspicious email like this that you weren’t expecting, avoid opening it and check your Amazon account instead. Take a look at the email address of the sender, and completely ignore it if it ends in anything other than “@amazon.com.”

If you do happen to make the mistake of opening a link from one of these emails, take a quick glance at the URL and avoid clicking on anything else. You’ll quickly see it’s not Amazon at all, but something else.

You can use this same trick to identify other phishing attempts on your account since it’s difficult for hackers to hijack an official company email address for mass-mailing campaigns. The same can be said with phishing websites, which don’t even bother to compromise or spoof domain names most of the time.

Attack patterns like Magecart attacks are much more dangerous to your finances, as they embed themselves into existing webpages with trusted URLs to scan what you type.

If you want to avoid getting caught in a phishing campaign, here are some easy steps you can take to stay safe:

  1. Avoid opening emails if you don’t know the sender. It’s one of the easiest ways to avoid getting suckered into a phishing campaign. If you never open malicious messages in the first place, they can’t hurt you.
  2. Never download attachments unless you’re 100% sure of what they are and who they’re from. If an email comes in from a trusted friend or relative, it’s worth calling them to make sure they actually sent it. Email attachments are one of the most common methods for malware infection, after all.
  3. Always check the sender’s email domain. If the email claims to come from a trusted source, use your best judgment and look at the sender field. If the domain there doesn’t match the company the email claims to be from, that’s as big of a red flag for phishing as any.
  4. Don’t ever click unknown links in emails. Just like with attachments, it’s worth getting in touch with the email’s sender to make sure you’re not visiting any malicious or dangerous websites.
  5. Check the URL for any site you visit. You can do this by hovering your cursor over a link before clicking on it. This doesn’t just apply to links from emails, but anywhere else you visit on the web. If a URL appears mismatched to the contents of the page, get as far away as you can.
  6. If an email asks for personal data or login information, ignore it. Most businesses and platforms will never ask for your information point-blank, and will usually give you the option to reset these things on your own.
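
The sender-field check and the link check described above (the “@amazon.com” advice and steps 3 and 5) can be done mechanically. The following is an added example, not code from the article or from Amazon; it assumes amazon.com is the only genuine domain, and the function names and sample messages are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the only domain treated as genuine is the one the article names.
TRUSTED_DOMAIN = "amazon.com"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real address in a From header."""
    # parseaddr separates the display name (free text the sender chooses)
    # from the actual address, so a name like "support@amazon.com" is ignored.
    _display_name, address = parseaddr(from_header)
    # Everything after the LAST "@" is the domain.
    return address.rpartition("@")[2].lower().rstrip(".")


def sender_is_trusted(from_header: str) -> bool:
    # Exact match: "amazon.com.account-check.example" must not pass.
    return sender_domain(from_header) == TRUSTED_DOMAIN


def link_is_trusted(url: str) -> bool:
    """True only when the link's host is amazon.com or one of its subdomains."""
    # .hostname drops any "user@" prefix, so "www.amazon.com@198.51.100.7"
    # is judged by the host that is really contacted (198.51.100.7).
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def triage(from_header: str, links: list[str]) -> list[str]:
    """Return the reasons a message fails the two checks (empty if it passes)."""
    reasons = []
    if not sender_is_trusted(from_header):
        reasons.append("sender domain: " + (sender_domain(from_header) or "missing"))
    for url in links:
        if not link_is_trusted(url):
            reasons.append("link host: " + (urlsplit(url).hostname or "missing"))
    return reasons


# Constructed sample: display name imitates Amazon, address and link do not match.
FAKE_FROM = '"support@amazon.com" <billing@musickey-trial.example>'
FAKE_LINKS = ["https://amazon.com.cancel-trial.example/musickey"]

if __name__ == "__main__":
    print(triage(FAKE_FROM, FAKE_LINKS))
```

A match on the From address is not proof of origin, since that header can be forged, so the link check and going directly to your Amazon account still apply.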

If you follow these steps, there isn’t much a campaign like this can do to you other than keep trying to trick you. But as bad as this all is, we have to give the scammers credit for creativity. It’s just up to us to be even more creative.

https://www.komando.com/news/fake-amazon-scams/