As holiday shopping begins earlier this year due to supply chain issues, many are beginning to stock up, especially from Amazon. For hackers, it’s an opportunity to spoof purchase notifications in order to obtain financial information. This attack works by using legitimate Amazon links, forcing the end-user to make a phone call instead to cancel any order.

Starting in October of 2021,  Avanan observed a new attack in which the attacker spoofs a typical Amazon order confirmation.  In this attack brief, Avanan will analyze the company’s most recent discovery of this new Amazon spoof attack, targeting end-users across all roles and sectors.


  • In this attack, hackers are spoofing an Amazon order notification page. The links direct the user to the legitimate Amazon page. When trying to call the number listed, which is not an Amazon number, the scam begins, with the end goal of obtaining credit card information. 
  • This results not only in monetary gain for the hackers but serves as a form of phone number harvesting, enabling them to carry out further attacks by voicemail or text message. 
  • Vector: Email, Phone
  • Techniques: Brand Impersonation, Social Engineering
  • Target: Any end-user



This email is designed to get the end-user to place a phone call and give up credit card information.

It starts as what looks like a traditional Amazon order confirmation. Given the high price, a user is likely to check their account. When they click on the links, it goes directly to the actual Amazon site.

The number listed on the email is not an Amazon number. Though it has an area code from South Carolina, the attackers call back from India.

When you call the number, at first no one will answer. After a few hours, a call back will occur. The person on the other line will say that, in order to cancel the invoice, they will need a credit card number and CVV number.

In the following sections, you’ll see how a seemingly innocuous email can lead to financial damage for end-users. 

Email Example

In this email, the hackers convincingly spoof a typical Amazon order confirmation notice. All links go directly to Amazon’s site. This means that even the most trained user will click on it. What would set off alarm bells is the actual email address, which comes from a Gmail address. 

The hackers do a good job of spoofing an actual Amazon order.

Here’s what a legit order notification from Amazon looks like:



  • This attack bypasses traditional email security scanners in large part due to the existence of legit links. When doing a check against an Allow List, this email passes. When we crunched the numbers for our 1H 2021 Cyber Attack Report, we found that 8.14% of phishing emails ended up in the user’s inbox simply because of an allow or block list misconfiguration. This is an increase of 5.3% from the 2019 Global Phish Report. The problem gets worse depending on the security solution in use. When sitting behind an SEG, we found that 15.4% of email attacks are on an Allow List.
  • Additionally, this attack also lends itself to further attacks. This scam uses what we call “phone number harvesting.” Instead of harvesting credentials for online logins, this attack easily obtains phone numbers through the caller ID feature. Once they obtain the phone number, they can carry out a series of attacks, whether it’s through text messages or phone calls. Just one successful attack can lead to dozens of other ones. 

Best Practices: Guidance and Recommendations

In order to guard against these attacks, security professionals can do the following:

  • Encourage end-users to look at the sender address of the email
  • Encourage end-users to check their Amazon account. They’ll notice the order in question is not in their account
  • Do not put major companies on Allow Lists, as those companies tend to be among the most impersonated. Check Point Research found that Amazon is the second-most impersonated brand
  • Encourage users not to call unfamiliar numbers
  • Implement a multi-tiered security architecture that relies on more than one factor to block email

Subscribe to Our Attack Briefs for More Research