Be careful what you click: There’s a new phishing scam hitting Amazon listings that look like legitimate deals, offering great prices on “used – like new” electronics.
If you click these links on Amazon, you’ll be redirected to a very convincing Amazon-looking payment site, where the phishy merchant will grab your money and run.
In the case of this scam, the phishy merchant—known as Sc-Elegance—has been a thorn in Amazon’s side for quite a while. According to Comparitech security researcher (and Naked Security Alumnus) Lee Munson, Sc-Elegance has been reported to Amazon several times, only to slink away and hide until popping back up again later.
How the phish works
After adding the super-discounted electronics to your cart, if you try to check out with your items, you’ll be told that the item — suddenly! — is no longer available.
The merchant will then contact you by email, claiming that it was all some kind of mistake and that the item is still available, conveniently, at a rather Amazon-esque link in their email. But that link, as you might suspect, is a fake, created to look like a legitimate Amazon payment site.
Fake payment sites, including those created by Sc-Elegance, can be quite sophisticated and could easily fool an unsuspecting buyer.
That said, there are a few giveaways that a savvy buyer can identify.
Most importantly: These sites exist outside of the official Amazon.com domain or app—a huge red flag. Additionally, in the case of the example above, the crooks have added some tell-tale typos (“add or confirme”), though not every phishing scammer will be so sloppy.
How to protect yourself
Over the years we’ve seen phishing scams imitating every retailer and organization imaginable, from iTunes to Bitcoin. The phishing campaigns keep coming because spotting fake sites and emails is difficult if you aren’t on your guard.
If you’re using Amazon, keep these tips in mind:
- Trust your gut and be on guard: If that deal is too good to be true, it likely is
- Don’t pay for anything on Amazon outside of Amazon.com or the official Amazon app
- If you’re in doubt about a deal by an “affiliated retailer,” ask Amazon’s official customer service
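The domain check behind the second tip, written out as an added example (it is not part of the original article): it compares the host a link really points to against the official domain instead of looking for the word "amazon" in the URL. Treating only amazon.com and its subdomains as official is an assumption of this example, and all sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: only amazon.com and its subdomains are official.
OFFICIAL_DOMAINS = {"amazon.com"}


def link_host(url):
    """Return the lower-cased host the link points to, or None if unusable."""
    url = url.strip()
    # Browsers treat "\" like "/", Python's parser does not; refuse the ambiguity.
    if "\\" in url:
        return None
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops any "user@" prefix and the port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()


def is_official(url, official=OFFICIAL_DOMAINS):
    """True only for an exact match or a real subdomain of an official domain."""
    host = link_host(url)
    if host is None:
        return False
    # The "." boundary matters: a substring or bare suffix test would accept
    # look-alike hosts such as notamazon.com or amazon.com.payments.example.
    return any(host == d or host.endswith("." + d) for d in official)


# Constructed sample links (the .example hosts are placeholders).
SAMPLES = [
    "https://www.amazon.com/gp/cart/view.html",
    "https://AMAZON.COM./gp/help",
    "https://amazon.com.payments-secure.example/checkout",
    "https://www.amazon.com@payments.example/order",
    "http://amazon-com.example/pay",
    "https://notamazon.com/deal",
    "https://payments.example\\@www.amazon.com/order",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("official" if is_official(sample) else "SUSPECT ", sample)
```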
For more on how to avoid phishing attacks, read “Don’t fall for phishing and spear-phishing.”