What does an Amazon phishing email look like?

Phishing emails are designed to elicit emotion, either to make you panic or jump at a time-limited opportunity. When it comes to Amazon, the panic-including ones are more common, like there extremely expensive purported Amazon Prime subscription notification I’m going to break down below.

Quick Safety tips

1. Look closely at the sender’s email address.
2. Hover your mouse over links to check the URL they come from.
3. Always go directly to amazon.co.uk if you receive an unexpected payment notice – sign in and check Your Orders and Your Account to see past and pending payments.
4. Enable two-factor authentication on your Amazon account so that, even if your password is compromised, the thieves won’t be able to get access.
5. If you accidentally visit a phishing site, don’t panic: log in to your Amazon account on the real website and change your password as soon as you can. Remember to check for unrecognised purchases and secure your account via the Login & security settings.

This is a particularly simple spam email, lacking any Amazon logos or graphical content, but those aren’t the critical tells that show us this is a fake: phishing emails can and do come emblazoned with all kinds of corporate logos.

Nonetheless, it’s superficially convincing, listing Amazon.co.uk as the sender, from what looks, at first glance, to be an Amazon email address… or is it?

Read the From field closely, and you’ll see that it’s actually from auto-confirm@amaz0no10.co.uk – that alone is enough to show that this is a fake, but some phishing emails use more deceptive address spoofing, so let’s look for other clues.

Hover your mouse pointer over that Manage/Cancel Subscriptions link at the bottom, which the message’s author very much wants us to click on. In the bottom bar of your email client or in a floating box near your cursor, you’ll see a shortened URL from the bit.do service. The service itself is entirely neutral, albeit currently popular with phishing attacks, but the very presence of a shortened URL is a red flag in an email of this kind.

If you’d like to check the contents of a shortened URL, a number of online services will expand it to show you the real URL it leads to. CheckShortURL does an effective job of this.

It even tries to take a screenshot of the site you’re being sent to, although it hasn’t succeeded in this case. The shortened URL links directly to an IP address, which is home to a faked-up Amazon login page that, if you’re panicking about a large and unexpected bill, is just convincing enough to trick you into entering your username and password, to be used or sold by the thief.

For further information on common phishing tactics, see Amazon’s own guide, which includes contact details for Amazon’s spoof email reporting service and additional information about phishing phone calls and text messages.