Big business targets big business; it’s an age-old adage. Nobody wastes time with someone who isn’t a threat, until—that is—they suddenly become a threat. It’s one more reason big business took so long to realize just how big a threat phishing was. A bunch of bored teenagers sending out mischief, they thought. But now it’s become big business and the corporates are finally taking notice.

Banks, for example, now face the threat of having to reimburse customers scammed by phishing links (they did the transfer willingly, they once said), and suddenly they’re warning their customers. And with social platforms becoming channels for company hacking, the Muskian owners are finally showing signs of concern.

But the moment retail began going online (a trend exacerbated by the stay-at-home Covid pandemic), attackers took notice. However, retail has been susceptible to scams ever since the first stone-age man shortchanged his neighbor with a mud replica hunting knife, and so comes very slightly better prepared.

Still, retail IS a huge market, abundant in opportunity for the phisher of wallets—leather or bit.

And when best to target a retailer? When he’s at his weakest. When the volumes rise beyond coping level. When administrative staff has been mobilized to the floor to deal with customers, and when nobody’s looking at anything but the bottom line.

Scamming the shopper

Online shopping opens doors to scammers on several levels:

  • Bogus companies: the ease of opening a shopping site is astounding. Simply go to the non-paid version of—say—WIX and start creating the shop of your dreams. Then start pushing it through social media.

  • Bogus products and gift cards: it helps to price these at well below market levels. Amazon warns that it will never require a gift card to make a purchase.

  • Bogus reviews: create some bogus shoppers (Twitter still being the platform of choice) and feed them texts. The Washington Post, in fact, estimates that 60% of reviews on the Amazon site itself are fake! A problem, considering that Amazon—besides being a shopping site—has actually become a go-to place for product evaluation.

  • Fake payment pages: this one actually is a real problem. Fake payment pages can be installed in someone else’s online shop. Recently, it became a problem with WordPress’ PayPal addon.

In all cases, you won’t be getting what you bargained for.

If to Spoof, then Spoof the Best

For the scammer, of course, nothing could be better than pretending he’s an authentic credible retailer, like Amazon. The company has built trust over years of no-questions-asked-refunds & returns; prices may be higher than some Chinese wannabes; and say what you will of its employee conditions—they DO deliver.

Almost 90% of shoppers use online venues for at least some of their gift-hunting, and one-in-three people fall for phishing links at least once in their lives. Factor in the number of people shopping during the holiday season, and the numbers speak for themselves.

It’s hunting season!

This is Money reports that last year, Amazon scams increased by 34% on Black Friday and Cyber Monday. In July, Amazon Prime Day Sales-related attacks increased by 37%, phishing attacks increased by 86%, and Silicon Republic estimates that 1,900 new fake Amazon-related sites were created in that month alone!

And with the holiday season just starting, this is probably just the left edge of a trend.

The FTC in 2021 issued a warning against fake Amazon sites. Apparently, Amazon accounted for a full third of all company impersonations! Over a one-year period, 96,000 people—three-quarters of them over 60—had been targeted, and about 8% bit the bait. Account compromise, fake gift cards, free raffles, and more—all associated with Amazon—were the most typical scams. The average loss per victim was $1,000 (higher for retirees, lower for the younger audience); the total intake – over $27m.

This year, Amazon has sent out warnings against fake “account compromised” notifications, which require the victim to log on and often provide credit card details. Another favorite is an order confirmation email, which the victim immediately clicks, so as not to be debited for something he/she didn’t order.

The company warns that customers should only confirm, cancel, pay for and track items through its own dedicated application and/or website, and should never follow a link from a received notification. They shouldn’t even use the fake phone number some of these offer for offline order/payment confirmation.
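For a mail filter or awareness tool, that advice can be turned into a check on every link in a notification. The sketch below is an added example, not Amazon's or this site's code; the allow-list, the sample email and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small illustrative allow-list, not an official or complete one.
TRUSTED_DOMAINS = ("amazon.com", "amazon.co.uk", "amazon.de")
BRAND = "amazon"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample notification; hosts use reserved example names/addresses.
SAMPLE_EMAIL = """\
Your order has shipped.
Track it: https://www.amazon.com/your-orders
Not you? Cancel here: https://amazon.com.order-cancel.example/signin
Verify your card: https://www.amazon.com@203.0.113.7/verify
Questions? http://amaz0n-help.example/contact
"""

def classify_link(url):
    """Return 'trusted', 'impersonating' or 'untrusted' for one URL."""
    parts = urlsplit(url)
    # hostname drops any user@ prefix and port: it is what the browser contacts.
    host = (parts.hostname or "").lower().rstrip(".")
    for domain in TRUSTED_DOMAINS:
        # Match the domain itself or a subdomain on a label boundary only,
        # so "notamazon.com" and "amazon.com.x.example" do not pass.
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # The brand name in the authority part of a non-trusted URL is bait.
    if BRAND in parts.netloc.lower():
        return "impersonating"
    return "untrusted"

def scan_notification(body):
    """Return {url: verdict} for every link that is not on the allow-list."""
    flagged = {}
    for url in URL_RE.findall(body):
        verdict = classify_link(url)
        if verdict != "trusted":
            flagged[url] = verdict
    return flagged

if __name__ == "__main__":
    for url, verdict in scan_notification(SAMPLE_EMAIL).items():
        print(f"{verdict:14} {url}")
```

In a message that claims to come from the retailer, an "untrusted" link is as much a warning sign as an "impersonating" one; the split only shows which links borrow the brand name.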

On the matter of reviews, Amazon has been proactively battling these, and warns customers against 1- or 2-word reviews, too many 1- or 5-star ratings (no product is perfect), spelling mistakes, etc.

Still, the scammers are many, their techniques improving, and the best one can hope for is an app that stops the phishing page before it loads.  

- - - - - -

1 Since writing this article, I have been informed by one of our readers of an excellent expose in Safety Detective on fake Amazon reviews and how to detect them.