Like a dog spotting a squirrel, I can’t help but notice when a fresh text pops up on my iPhone. The little gray notification catches my eye and I’m instantly pulled away from the task at hand. Plus, this one looked important. It was, but only because it helped me identify a very dangerous and pernicious Amazon shopping scam.
With the holiday shopping season in full swing, such scams are on the rise, and most of us are doing at least some gift shopping through Amazon (the retailer reported more than $1B in sales during Black Friday).
It’s this yuletide blend of frenzied shopping, excitement, and a low-level fear that someone is going to scam you that scammers naturally leverage to worm their way into your privacy and personal technology, all with the sole intent of stealing your identity, data, credit cards, log-ins and more.
While I wasn’t successfully phished, I purposely played along with a scammer so I could show you exactly how to identify and avoid a similar attack.
Like other alerts I receive from legitimate sources, this one was brief. It said:
“Your card has charged with $649 for XGIMI Elfin Mini Projector
Order id #EMPY2219 on 05/DEC/2022
N0T ordered by you?
Contact us: +17204813408”
It’ll happen to you
I’m fairly certain all of you will receive a text like this before the holidays are over. Take a good look at this one. It has grammatical and typographical errors: a zero in place of the “o” in “NOT” (a common way to slip past keyword filters) and a missing word in “Your card has charged.” No legitimate company would send you a text like this.
What scammers rely on is the alarm such a text triggers. Perhaps you’ll be so concerned that you won’t read it carefully and will just call the number. But which number? The callback number in the text didn’t match the number the message was actually sent from, as shown in the caller ID.
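The three tells above (letter/digit swaps such as “N0T”, a callback number that differs from the sender, and wording that pushes you to act) can be checked mechanically. The following is an added example, not code from the original article; the sender numbers and the benign message are constructed, and the scam body is the text quoted above. Note that the pressure phrases are matched only after the swaps are undone, which is exactly why the zero in “N0T” is there.

```python
"""Triage an SMS for the tells discussed above: letter/digit swaps,
a callback number that differs from the sender, and pressure wording.
Added example; not from the original article."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Digit- and symbol-for-letter swaps used to slip past keyword filters.
# The article's text uses one of them: "N0T" with a zero instead of an "o".
SWAPS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
SWAP_TABLE = str.maketrans(SWAPS)
SWAP_CHARS = set(SWAPS)

TOKEN_RE = re.compile(r"[A-Za-z0-9@$]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Wording that pushes the reader to act before checking. Matched against the
# swap-normalized text so "N0T ordered by you" still counts.
PRESSURE_PHRASES = ("not ordered by you", "contact us", "charged", "suspended", "verify your", "call us")

SUSPICIOUS_THRESHOLD = 4


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def disguised_words(text: str) -> list[str]:
    """Tokens that become plain words once swapped characters are undone.
    Order IDs such as EMPY2219 stay mixed and are not flagged."""
    found = []
    for tok in TOKEN_RE.findall(text):
        if not any(c.isalpha() for c in tok) or not any(c in SWAP_CHARS for c in tok):
            continue
        if tok.translate(SWAP_TABLE).isalpha():
            found.append(tok)
    return found


def callback_numbers(text: str) -> list[str]:
    """Every phone-number-shaped string in the body, normalized."""
    return [normalize_phone(m) for m in PHONE_RE.findall(text)]


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def triage(sender: str, body: str) -> Verdict:
    v = Verdict()
    swaps = disguised_words(body)
    if swaps:
        v.score += 2
        v.reasons.append(f"letter/digit swaps: {swaps}")

    sender_digits = normalize_phone(sender)
    foreign = [n for n in callback_numbers(body) if n != sender_digits]
    if foreign:
        v.score += 2
        v.reasons.append(f"callback number(s) {foreign} differ from sender {sender_digits}")

    # Undo the swaps before phrase matching, otherwise "N0T" hides the phrase.
    normalized = body.lower().translate(SWAP_TABLE)
    hits = [p for p in PRESSURE_PHRASES if p in normalized]
    v.score += len(hits)
    if hits:
        v.reasons.append(f"pressure wording: {hits}")
    return v


# The message quoted in the article; the sender number is constructed for the example.
SCAM_SENDER = "+1 303 555 0123"
SCAM_BODY = (
    "Your card has charged with $649 for XGIMI Elfin Mini Projector\n"
    "Order id #EMPY2219 on 05/DEC/2022\n"
    "N0T ordered by you?\n"
    "Contact us: +17204813408"
)

# A constructed benign notification with no callback number.
BENIGN_SENDER = "+1 415 555 0100"
BENIGN_BODY = "Your order from Example Store has shipped. Track it in the app you already use."

if __name__ == "__main__":
    for sender, body in ((SCAM_SENDER, SCAM_BODY), (BENIGN_SENDER, BENIGN_BODY)):
        verdict = triage(sender, body)
        print(f"suspicious={verdict.suspicious} score={verdict.score}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The scoring is deliberately simple; the point is the order of operations. A filter that looks for “not ordered by you” in the raw text misses this message entirely, while one that first maps 0 to o catches it, and the same normalization is what makes the odd-looking token stand out as a tell in the first place.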
To be clear, I called the number to better understand how this scam works, for science. My goal is that from here on out you’ll read a text like this and know immediately that Amazon, Best Buy, and other online retailers do not work this way.
I called the number embedded in the text, put the phone on speaker, and waited through perhaps two rings before a representative picked up.
He started with, “How can I help you?”
“You called me,” I said, “asking about an order.”
The rep quickly recovered and asked for my name. I hesitated, but my name is not exactly a trade secret, and I needed to pull him along further so I could understand the endgame.
Oddly, he didn’t ask me to spell my name but did follow by asking for the order number, which I dutifully supplied from the text.
“Oh, there’s an Amazon order from Ohio and you’re in New York,” he told me as I listened to the faint background chatter of dozens of scam reps like him trying to reel in other callers.
“Have you been to Ohio?” he asked.
“Did you share your Amazon account with someone in Ohio?” he asked.
“There have been multiple orders from Ohio,” he added almost sounding concerned for me. This guy deserved an Oscar.
As he talked to me, I logged into my Amazon account on my desktop. No weird orders, just the stuff I’ve ordered for my wife’s Christmas presents.
“I’m sorry,” I said, trying to sound confused, “but if someone is ordering on my Amazon account, shouldn’t I see those orders in my Amazon account?”
There was a long pause like I nudged him off script.
“Yes... but they’re all on hold,” he told me.
Now it was time to get down to business. The scammer told me it was important to connect me to “Amazon’s Secure Server” to resolve the matter. Throughout the call, he must have said “Amazon Secure Server” half a dozen times.
“Okay,” I said, still trying to sound confused, “how do I do that?”
First, he said, we need to know what kind of device you’re on. I told him it was an iPhone.
“Great, I need you to put me on speaker phone and open the App Store,” he instructed.
I told him, “Sure,” put down my phone, and started taking notes.
“I need you to download this app.” Instead of telling me the name, he spelled it out, giving me a word for each letter: “‘A’ as in all, ‘N’ as in Nancy, ‘Y’ as in yes, ‘D’ as in dog, ‘E’ as in every, ‘S’ as in Sam, and ‘K’ as in Keep.”
My scammer buddy wanted me to download AnyDesk, which he said was for connecting to the Amazon Secure Server. AnyDesk is actually remote desktop software: a legitimate tool that lets someone halfway around the world connect to and control your PC or phone. In a scammer’s hands, that means seeing everything on your screen and acting as you, which is how they root around and get all of your stuff.
As we spoke I searched on “Amazon AnyDesk scam” and quickly found a March 22 article that described this exact ruse in detail.
I decided to slow things down a bit so I could deliver a message to my scammy friend.
“Wait, I just realized there’s another name on the account and I’m worried if you don’t have it, this won’t work,” I told him with what I think was real anxiety in my voice. Where’s my Oscar?
Returning the favor
Scam buddy was annoyed. “No, no, just connect to the Secure Server. Download the app.”
I told him I wanted to make sure he had this.
“Fine. Give it to me.”
“Okay, I’ll spell it out. Ready.”
“Yes,” he said and I could hear the exasperation in his voice.
“‘N” as in no, ‘O’ as in over, ‘F’ as in fun, ‘U’ as in under, ‘C’ as in cable, ‘K’ as in king, ‘I’ as in inside, ‘N’ as in Nancy, ‘G’ as in go, ‘W’ as in walk, ‘A’ as in all, and ‘Y’ as in yes.”
At first, there was no reaction. He spelled it back out but since he’d misheard a couple of crucial letters, it didn’t make sense. We went back and fixed them. Then he spelled it out again and there was a moment of silence.
“Why do you say this to me?” he asked plaintively.
“Because this is a scam and you’re a scammer.”
He didn’t argue.
“Yes, yes,” he said quickly, and then he hung up.
If you ever see a text like this, your first stop is to log into your own account through a trusted PC or phone, using the app or bookmark you already have rather than anything in the message, and check for errant charges. If you see any, contact the retailer or site directly through a phone number or support page you looked up yourself. Never reply to one of these texts, never call the number it gives you, and never install any software, remote-access apps like AnyDesk included, no matter what the person on the other end of the line tells you.
You can further protect yourself with some of the best security software of 2022.