Spamblasted
Yet another way the bad guys are trying to separate you from your money
The events in this story did not happen to me, but to an acquaintance I’ll call George. George has been heavily involved with computers most of his life. He’s the guy you call when things don’t work right, or when a critical piece of hardware has failed. George understands cybersecurity and his home network is a fortress. In short, he is the last guy on earth you would expect to be vulnerable to a scammer.
Arriving home one afternoon, George found over 300 spam messages in his email, with the count growing dramatically as he watched. You might be thinking that there is a disgruntled ex, who has signed him up for a lot of mailing lists and subscriptions. However George has been happily married for many years, and has many friends that he has saved from computer disasters. In addition, no human could possibly sign someone up for all these lists at the rate that they were pouring in. This is the critical first part of the scam.
Most people confronted with this might simply believe that someone has hacked their email. That’s what you are meant to think. The logical thing to do would be to select all the unwanted emails and delete them. The scammers rely on this. George did not do that, but instead went through the mail one by one. Almost all were for bogus websites, but all included an identical form to be used to cancel. This is a secondary scam. If you fill in the form, they can capture more information and possibly infect your computer with malware. George knew that, and did not attempt to do anything that would take him to any website mentioned in the emails.
After a prolonged period of reviewing the junk, George came upon an email from Amazon. It confirmed an order for two Apple Watches to be shipped to a nearby Whole Foods. The order had been paid for using a card attached to George’s Amazon account, one that had only been used once. Reviewing the charge with the issuing bank, it showed that the verification code (CVC) was invalid, but the charge was processed anyway. Clearly this should never happen, and it’s hard to know whether the fault was the card issuer, or Amazon for not rejecting the order when the code was invalid.
George’s next move was to contact Amazon. If you’ve ever tried to do this, you know it’s probably easier to contact the Pope. First round is a duel with a bot to get you to a human. Next, when all the scripted responses fail, is to escalate to a supervisor. He eventually did this, and asked them to contact the driver for the shipment, which was then out for delivery. Even though Amazon knows how long a delivery takes, down to the second, they claim they cannot contact the driver. Who must have a phone. In the delivery vehicle.
Amazon’s suggestion was to simply return the item. George had already made it very clear that the package was not coming to his address, but to a Whole Foods store, owned and operated by Amazon. Recognizing that Amazon was not going to be of any help, George then called the Whole Foods store that the package was bound for..
At that point the package had not yet been delivered. When shipments are sent to a delivery point, such as Whole Foods, they are placed in a secure locker. To get the package the recipient must have a QR code (one of those squares composed of dots) to unlock it. George asked if they would ask for ID in the event that a pickup was attempted without a code. The reply was that they would “sometimes” ask for ID, but not always.
The first thing George did when he discovered the fraudulent order was to change his Amazon password. That prevented the scammers from accessing the code to unlock the locker containing the package. George then drove to the Whole Foods that where the package was headed. He had an email from Amazon with the unlock code, so he was able to open the locker. It was empty. The moment the door opened, he got a text from Amazon saying the package had been delivered.
George’s first thought was that the scammers had won. Fortunately the person he had talked to on his call to Whole Foods had been watching for the package. Instead of putting the package in the locker, he held it back. George was able to take it to the return counter at Whole Foods, and immediately got credit for the item. By the time George got back home the spam emails had stopped.
Fortunately everything turned out alright, but there are a lot of questions that need to be answered. George’s Amazon password was 15 characters long, with upper and lower case letters, numbers, and symbols. Attempting to crack it online is essentially impossible, since multiple password failures would cause the account to be locked. So how did the scammers get the password? Was it an Amazon hack that was never reported?
Whole Foods brings up another question. If someone attempts to collect a delivery, without having the unlock code, why do they not demand photo ID before giving them the package? On the surface it looks like Amazon is not all that concerned about the proper person receiving a package. Considering the massive amount of transactions they process daily, perhaps they simply don’t want to take the time and expense to make sure all are valid.
Then there is the credit card issuer. What is the point of asking for the card verification code, if the charge is processed even when the code is invalid?
Based on what I’ve been able to find out, this scam is fairly new. It has been used for both Amazon and Best Buy purchases, but could obviously work for any company that allows online orders to be picked up locally. Now that you know about it, if you find yourself flooded with spam, please make sure that there is not an order confirmation buried in the garbage. If you find one, change your password on the shipping site immediately. If you find it early enough, you may even be able to cancel the order. Contact the credit card issuer as well. If you get them before the charge has been approved, you may be able to lock the card to prevent it from going through. In any case, take notes including the date and time you called and the name(s) of everyone you talked to. This will help you dispute the charge if it gets billed.
This whole fiasco is a reminder that the Internet, email in particular, is a vehicle that allows criminals to rob you from anywhere in the world. We have to be vigilant to outwit them.
Thanks Jim, this is a particularly crappy one because some family members pay no attention to their email. I’ll pass along the lesson.
Thanks for the Heads Up! It would not have occurred to me to look for a random Amazon or other charge buried in all that spam. Being vigilant is hard work!