Tuesday, May 19, 2015

Amazon scam

I recently became victim of an Amazon scam that "isn't that uncommon," according to the scammer.  Yes, that's right.  I had an e-mail conversation with the scammer.  More on that later.

The first warning came when I received an e-mail from Amazon thanking me for updating my account's e-mail address.  "What?" I thought.  "I didn't make any changes to my e-mail address for my Amazon account.  This must be a spam e-mail or a phishing attempt."  But no, it's not.  Upon examination of the e-mail, I saw that it was a legitimate message from Amazon Customer Support.

I immediately got to a computer and logged in to my Amazon account.  I usually have the "Remember Me" setting flagged in my browser at home, so when I opened Amazon.com I was greeted with "Hello, Mark."  "Good," I thought.  "My account is probably safe."

But when I clicked on the "Your Account" link to check my e-mail address, Amazon asked me to re-enter my password.  Curiously, the Username field was populated with an e-mail address that was not mine (incidentally, it was a Gmail address for someone named Sir Francis Robble 2).  When I tried to erase that name and put in my real Amazon Username and Password, I was greeted with the dreaded "Your username or password is incorrect.  Please try again."  At this point, I knew I was screwed.

I Googled "Amazon Support Phone Number" and found a toll-free number to call.  The customer rep that I spoke with asked if I had recently chatted with them that day.  I said, "No. of course not."  They asked me to confirm that I was indeed that account holder by providing them with a recent order number.  I had placed an order (and received) a Google Chrome book a couple of months prior so I found the confirmation e-mail and gave the rep the number.  He then asked me to confirm my home address, which I did.  Amazingly, none of that information was changed - only my e-mail address and username (which are, in fact, one and the same with Amazon).

The rep went on to tell me that someone had gotten into my account, changed the e-mail address and username, and then initiated a Chat Session where he claimed to have never received the Chrome Book.  Amazon then issued a Gift Card Balance in the amount of the Chrome Book's purchase price and placed it in my account.

The rep immediately put a freeze on the account, which even prevented me from using it.  The scammer was not able to spend the gift card money because the account was frozen too quickly.  But had I not made the phone call, he would have been able to make a purchase with the gift card balance and have it shipped to a different address than one I have on file.

So now I was locked out of my own Amazon account while the "Fraud Team" took a look at the situation.  I was told that I would be contacted within 24-48 hours by someone from Amazon Fraud Department.  The next day was a Friday, so I didn't expect to hear from anyone until Saturday at the earliest.

In the meantime, I figured I would e-mail the scammer since he was so kind to provide a new e-mail address on my Amazon account.  I basically e-mailed him and called him a name.  Someone named Charlie Muffins responded with this:

"Oh crap yeah I just realized you're not able to get in...
Just give them the billing address and you should be good lol
Well enjoy your $170 of credit."

So I responded with some questions.  I wanted to know "Why me? Why my account? And what did he gain by doing this?"  And I received this reply:

"You buy Amazon accounts which have been used, and check the orders. You then contact amazon and say that you got your order but the box was empty, and then they refund you to a gift card balance.  I was going to use the balance to buy a Moto 360 kek.  Someone was selling your account - and I bought it. It really isn't that uncommon BTW."

Amazing...  So I can just go somewhere online and buy someone else's Amazon account, complain about not receiving a recent order, and receive a full refund in the form of a gift card balance into the account that I purchased?  Wow.  And then you just spend the money on the Amazon item of your choice and ship it to an alternate address, which I'm sure is masked from the real destination in some way.

I asked him if you receive the account's password when you buy the account, and I also wanted to know if he had received the gift card.  (At the time, I assumed a physical gift card was sent back to the scammer.)  The response from Mr. Muffins:

"You buy them with the email and password. They usually include the answers for security questions, if the account needs it.  Not sure how people steal the accounts to begin with. I think they get a list of emails and passwords (dunno how they get those) and run it through a program that checks them for amazon accounts.  And no, the credit was stuck on the account."

After a few days went by (more than the 24-48 hours they told me to wait), I called Amazon again and spoke with another rep who assured me that my account was frozen, no purchases were being made, and that someone would be contacting me soon.  After another day went by and I hadn't heard from anyone (this was a total of five or six days after I first contacted them), I called again and explained that I just wanted to reset my password.  After verifying my identity again, this time the rep allowed me to reset the password and begin using the account again.

I'm not even sure if changing my password regularly would have helped me because it seems like either: A.) it's an inside job (someone at Amazon selling account info), or B.) the scammer can simply initiate a chat session with a tech rep and supply known information about the account (e-mail address, recent order number, home address), and then ask for the refund.

Beware!  Stay vigilant!  Contact support as soon as you are notified about any activity on your account that you didn't initiate yourself.

1 comment:

NOBODY7768 said...

Sounds like the scammer was either sniffing your emails, or perhaps you didn't shred Amazon invoices/printouts.