The end of this post displays an e-mail I received while on the phone with Amazon trying to get a refund completed. As will become apparent, it is hard to see how I could have received this message ex an inside job by Amazon employees, since it contains a combination of information that would not be available otherwise, even by wiretapping. The phishing message was attempting to get me to upload government ID to an external site. Amazon’s customer service representative confirmed they never request government ID.

So this is a general warning to never, never, never upload government ID in connection with a commercial transaction, and a further warning regarding Amazon refunds as Black Friday is on and the holiday season approaches.

Now to the details. I have to confess to dealing more with Amazon now that I am in Southeast Asia than when in the US. There are quite a few items that I cannot get here (particularly related to Macs, such as compatible USB keyboards; they are a comparative rarity due to price) and Amazon will ship from the US. However, there are also items I use that I find important that no one will send here. So on a recent trip to the US, I bought many things to carry back. Some I got on Amazon because other vendors would not give clear guidance on their shipping and typical delivery times to where I was.

I purchased two of the same item, from an Amazon vendor, to be sent to my hotel. When I opened the exterior box, the inner boxes both had a label on their outside saying they were the item ordered. Some reviews of this product praised the inner packaging (the items were breakable) so I simply put these boxes in with the other checked luggage items.

When I opened them after my return, I found both contained different items from what I had ordered.

I made two calls to Amazon customer service. Both were via Vonage, as in VOIP, over a fiber optic line run in place of an old DSL line, with wired connections from phone to VOIP router, meaning a dedicated pipe. Each time I spoke to two reps, the first a general customer service agent who then had to send me over to a specialist.

The bottom line of the first call was that they would e-mail me a link to use to upload photos of the not-ordered items I had received. I got an e-mail after I did that saying it would take them about three days to review and make a determination.

When I had not heard back after 5 days, I called again. When I got through to the second rep, it seemed she had to go through some hoops to get the return authorized. She reported back that she had succeeded and that I should see the credit on my credit card in five to seven days.

Mind you, both times the only identifying information Amazon got on the phone from me was the order ID, which I provided in the hope of expediting matters, my name and they presumably saw the caller ID on my VOIP phone. They verified me by sending an authorization link by e-mail. Note the authorization link said something about my phone being a mobile phone (not true) in Washington state, and “generic” to boot.

I did not look at my e-mails while I was on the phone with the Amazon agent getting the refund approved. But after I got off, I saw the one with the text pasted below. Note it is from “no-reply@amazon.com”.

Even though it has signs of bogosity, like “we noticed abnormal activity on your account,” and “Also, you will not be able to investigate this order issue further,” it had, in the very first line, the exact order number and that I had called Amazon for a refund [or replacement].

While it might be possible to have tapped the call to get the order number and the refund request, the only way to get that plus my e-mail address was via Amazon itself. And Lambert, who knows Vonage, concurs additionally that Vonage being hacked is very unlikely. So this looks to be an inside job.

I called Amazon to have a hissy. I said if this really was an Amazon request, no way, no how was I uploading government ID. They’d agreed to the refund and I would put in for a chargeback on my credit card. The agent reassured me that Amazon never asked for government ID and e-mailed me a link to send Amazon the fraudulent e-mail.

The idea that this is an Amazon inside job is not as remote as you think. I had a friend who had $25,000 removed from her Chase account via a series of >$200 counterfeit checks over a period of about a week. The thief had to have known Chase’s fraud triggers to pull this off, so a current or recent employee. The checks were honored despite individual check numbers being much larger than for any checks the customer had ordered. Many of the checks were for the same amount, cashed the same day. Yet 8+ checks a day over a series of days from a customer who did not use that many checks to begin with did not trigger an alert.

The customer did get all the money back, albeit having also to work around 10+ days of being locked out of the account.

So be warned! Needless to say, the copy below does not contain live links.

_______

From: no-reply@amazon.com
Subject: Your Amazon.com order
Date: November 28, 2024 at 9:42:42 PM GMT+7
To: XXXXXXXXX
Reply-To: no-reply@amazon.com

Hello,

Thank you for contacting us regarding your order XXX-XXXXXXX-XXXX.

Because we noticed abnormal activity on your account, we need to verify your identity before we can consider your request for a refund or replacement. We may also request additional information before granting your request.

How will you verify my identity?
In order for us to verify your identity, upload a valid government-issued identity document on the secure customer portal. Note that the following link will expire after 6 days:
https://account-status.amazon.com/identity-validation

All personal information that you provide will be handled in accordance with our Privacy Notice. To review our Privacy Notice, go to “Amazon and Your Personal Information”:
https://www.amazon.com/gp/help/customer/display.html?nodeId=G68RWEYX26H3ZXJT

What happens when I submit my ID document?
We will review your order and your account and verify your identity through one our third-party service providers. Once you have submitted your information through the secure customer portal, it will take us 3 business days to determine an outcome. At that point, you can contact us to learn the outcome of the investigation.

What happens if I do not submit my ID document?
You may continue shopping on Amazon, but you will no longer be eligible for a refund on the order 113-2146169-3764231. Also, you will not be able to investigate this order issue further.

Who can I contact if I need help with this issue?
You can contact us through your Amazon profile. To do so, go to “Amazon Customer Service”:
https://www.amazon.com/contact-us

Account Specialist
https://www.amazon.com

This entry was posted in Notices, Technology and innovation on by Yves Smith.