Amazon is not a company I have personally used for many, many years due to their purported UK tax evasion (e.g. Amazon’s main UK division pays no corporation tax for second year in a row or Amazon’s biggest UK firms pay NO corporation tax – despite making £193-a-second)
And this Amazon Prime phone scam is based on a very common problem created by Amazon which has its foundation in what has been said to be a ‘failure to address non-consensual subscriptions’ and usage of ‘cancellation trickery’ – basically, you’ve made a purchase and ended up with Amazon Prime without realising it (FTC Takes Action Against Amazon for Enrolling Consumers in Amazon Prime Without Consent and Sabotaging Their Attempts to Cancel)
This is a problem that only affects Amazon customers. There is an easy way to be sure you don’t have Amazon Prime. Just sayin’.
If you get an unexpected phone call from anyone claiming to be from Amazon (or your bank, etc.) no matter what they’re saying, you should put the phone down and call back using the official number available on their website.
Starts with a phone call
You get a call purporting to be from Amazon saying something along the lines of:
- Your Amazon Prime subscription is starting today, do you want to cancel it?, or
- Someone has accessed your Amazon account, or
- Your Amazon Prime subscription is renewing today,
You think to yourself something along the lines of, “I didn’t sign up for Amazon Prime! Oh no! I must have done it by accident!!!”
You’re told this is an urgent problem that needs sorting out now
There is usually a time-sensitive element to this too. They will tell you something along the lines of:
- If you don’t cancel now, your Amazon Prime subscription will be activated
They ‘prove’ they’re calling from Amazon
The next thing they will do is say they’re going to send you a text message – and you then receive one from Amazon. Must be legit, eh?!
What do 2FA and OTP mean?
A ‘One Time Passcode’ or OTP is a unique code which many banks and websites use these days to double check you are who you say you are. Anyone could potentially have your username and password, but it’s unlikely they’d have your username, password and access to your mobile phone. This increases the level of security.
2-factor authentication (or 2FA) is just a short-hand way of describing this way of logging in – using a combination of at least a username and a second device – usually your mobile phone.
With Amazon, the 2-factor authentication bypasses the need for a password. In other words, you can log in using only your email address and a short code that Amazon send you by text message.
The problem is, with the OTP and email address, anyone can log into your account.
They’ve now proved they’re from Amazon, haven’t they? Now what!?
So you received the text message from Amazon meaning the call must be legitimate, right? Well, actually no.
Anyone who tries to access your account with your email address can generate an OTP. If it wasn’t you, simply ignoring the message should mean your account is safe.
The caller simply typed in your email address and requested an OTP whilst you were on the phone – anyone can do that.
Whatever you do, don’t give the OTP to them, or to anyone else for that matter, ever! You will never be asked for an OTP on the phone by any legitimate call. This is proof it’s a scam.
If you’ve got this far, put the phone down now. If you’re worried about your account, log in and change your password directly. If you need to check if you do actually have Amazon Prime, use this link
How did they get my phone number and email address?
Sadly, there have been many, many data breaches over the years and the chances are your email address and mobile number are freely available on the internet
For example, if you’ve had an account with any of the following companies, there is a good chance your data was taken by hackers:
| Company | Number of customer records affected |
|---|---|
| Dixons Carphone (Jul 2017 to Apr 2018) | 14 million personal records and 5.6 million payment card information |
| Equifax (2011-2016) | 15.2 million records |
| EasyJet (Oct 2019-Mar 2020) | 9 million customers and 2,200 credit cards details |
| The National Health Service (NHS) (Jul 2011-Jul 2012) | 1.8 million records |
| Virgin Media (Mar 2020) | 900,000 customers affected |
| JD Wetherspoon (Jun 2015) | 650,000 customers affected |
| British Airways (Jun 2018 – Sep 2018) | 500,000 payment card details |
| Wonga (Apr 2017) | 270,000 customer records |
| Three Mobile UK (Nov 2016) | 130,000 customer records |
| TalkTalk (Oct 2015) | 157,000 records |
Why do the hackers do this?
They will be able to order from Amazon using your saved card details but to their address, or order using stolen credit card details or a hacked PayPal address.
*** UPDATE FROM AMAZON ***
Amazon seem to have recognised this problem and have emailed to help customers identify this and similar scams. Here is their email verbatim:
Scammers are creative and they constantly devise new schemes, exploit new technologies and change tactics to avoid detection. Stay safe by learning to identify and avoid scams.
Prime membership scams: These are unexpected calls/texts/emails that refer to a costly membership fee or an issue with your membership and ask you to confirm or cancel the charge. These scammers try to convince you to provide payment or bank account information in order to reinstate a membership.
Amazon will never ask you to provide payment information for products or services over the phone. Visit the Message Centre on Amazon.co.uk or on our app to review authentic emails from Amazon. To verify your Prime Membership status or make payments, log into your Amazon account, and go to Your Account.
Account suspension/Deletion scams: Scammers send texts, emails and phone calls stating that your account will be suspended or deleted and prompt you to click on a fraudulent link or verbally provide information to “verify your account.” Customers who land on these pages or receive these phone calls are then lured to provide account information such as payment information or account login credentials.
Amazon will never ask you to disclose your password or verify sensitive personal information over the phone or on any website other than Amazon.co.uk. Please do not click on any links or provide your information to anyone over the phone without authenticating the email or phone call. If you have questions about the status of your account, go directly to Amazon.co.uk or on our app to view your account details, including the Message Center which displays a log of communications sent from Amazon.
Here are some important tips to identify scams and keep your account and information safe:
1. Trust Amazon-owned channels. Always go through the Amazon mobile app or website when seeking customer service, tech support, or when looking to make changes to your account.
2. Be wary of false urgency. Scammers may try to create a sense of urgency to persuade you to do what they’re asking. Be wary any time someone tries to convince you that you must act now.
3. Never pay over the phone. Amazon will never ask you to provide payment information, including gift cards (or “verification cards,” as some scammers call them) for products or services over the phone.
4. Verify links first. Legitimate Amazon websites contain “amazon.co.uk” or “amazon.co.uk/support.” Go directly to our website when seeking help with Amazon devices/services, orders or to make changes to your account.
For more information on how to stay safe online, visit Security & Privacy on the Amazon Customer Service page.
If you receive communication — a call, text, or email — that you think may not be from Amazon, please report it to us.
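Tip 4 in the email says legitimate links "contain" amazon.co.uk. The following is an added example (not part of Amazon's email or of the original post) showing why a mail filter or helpdesk tool should compare the parsed hostname rather than search the link text. The sample links are constructed and use reserved `.example` domains, and the function names are illustrative.

```python
from urllib.parse import urlsplit

# Domain taken from tip 4 above; assumed here to be the only trusted site.
TRUSTED_DOMAIN = "amazon.co.uk"


def naive_check(url: str) -> bool:
    """Substring test: 'contains amazon.co.uk' read literally."""
    return TRUSTED_DOMAIN in url


def strict_check(url: str) -> bool:
    """Accept only https links whose host is the trusted domain or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any user@ prefix and the port
    except ValueError:
        return False  # malformed URL: treat as untrusted
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".").lower()
    # The leading dot stops 'notamazon.co.uk' from matching.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample links (not taken from any real message).
SAMPLES = [
    "https://www.amazon.co.uk/support",                   # genuine host
    "https://amazon.co.uk/",                              # genuine host
    "https://amazon.co.uk.account-check.example/login",   # trusted name used as a subdomain
    "https://www.amazon.co.uk@login.example/verify",      # trusted name in the userinfo part
    "https://login.example/amazon.co.uk/cancel-prime",    # trusted name in the path
    "https://notamazon.co.uk/",                           # different registered domain
    "http://www.amazon.co.uk/",                           # right host, unencrypted scheme
]


def compare(urls):
    """Return (url, naive_result, strict_result) for each link."""
    return [(u, naive_check(u), strict_check(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The substring test passes every sample, while the hostname comparison accepts only the first two.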