Amazon Phone Number Scam - Abnormal Security

Amazon Phone Number Scam

In this attack, scammers impersonate Amazon to steal valuable account and payment information from targeted consumers.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: Less than 10,000
Payload: Text, Phone Number
Technique: Impersonation

What was the attack?

Setup: During the pandemic, the e-commerce industry has not only seen a dramatic rise in sales, but also in consumer-targeted email attacks. This attack features an impersonation of Amazon, utilizing an increasingly popular vector for malicious engagement: phone calls.

Email Attack: The sender’s name is presented as “Arnazon” (with an “r” and an “n”), an attempt by the attacker to both impersonate an automated Amazon notification and bypass other email security solutions that look for brand impersonations. Attackers anticipate such typos will go unnoticed as sender information is often overlooked and only the email content is read thoroughly. The email is originating from the domain ‘’, a recently registered domain that is not associated with Amazon. Additionally, the links in the email body redirect the recipient to “” rather than to Amazon itself.

Payload: The email mimics the frequently seen Amazon order notification email, asking the recipient to contact the “Amazon Billing” phone number to resolve any issues. The fake order receipt is meant to spark concern, as the recipient did not place the order, leading them to call the provided billing support number. However, further investigation reveals that this number does not match the customer support phone number found on the Amazon website. Instead, it is a misdirection so consumers release sensitive account information to phone scammers posing as Amazon support specialists.

Result:  If the recipient falls victim to this attack, they may ultimately release sensitive account details, as the attackers can leverage the credentials needed to access their account and the card to which their supposed refund would be directed.

Why is this attack effective?

Urgency: The email is a fake receipt for a “recent Amazon purchase”, fostering a sense of urgency in the account owner to cancel the purchase and address a possible account breach before any other “orders” are made. The potential money loss will likely motivate the target to act quickly.

Convincing email: The email looks like a legitimate purchase notification from Amazon, displaying Amazon logos hosted on Amazon domains, as well as a detailed description of the purchased product. Additionally, the email is personalized, providing an address to where the supposed order is being sent and contact information for questions regarding the order.

Timing: Due to the surge in online sales seen during the COVID-19 pandemic, consumers are presumably receiving purchase confirmation emails from many different online vendors, so are more likely to quickly skim over the sender email information and fall victim to impersonations.

Trend: We have seen an increase in tech support scams that use a phone number as the attack vector, often going undetected by email security solutions. This is because, similar to social engineering attacks, this strategy for malicious engagement does not include easily identifiable threat vectors such as links or attachments. As the pandemic continues to push consumers toward online shopping, scammers may be seeing more success with this discrete vector approach.

Related content