Watch Out for This Amazon Prime Day Scam

It's almost Amazon Prime Day, and that means it's open season for scammers and phishers to prey on bargain-hungry shoppers. Security firm McAfee today (July 12) revealed that a phishing campaign has retooled its previously Apple-based scam to now focus on Amazon.

Amazon Prime Day 2019

(Image credit: dennizn/Shutterstock)

The scam, called "16Shop" after the software the phishers use, begins with an email telling you that your account  has problems. There's an attached PDF file, and if you open that and click a link within the PDF, you'll be taken to a very real-looking Amazon login page on a malicious website.

Of course, if you log into the page, the crooks steal your login credentials and can use them to hijack your account. They may get greedier and ask you to confirm your name, date of birth, address, account number and credit-card number, including the security code -- the full Monty of identity theft.

Needless to say, Amazon or Apple would not ask you all this information as the result of a link in an emailed PDF. Anything that behaves this way is a scam. 

To prevent your account being hijacked, be sure to turn on two-factor authentication for your Amazon and Apple accounts, and any other account that offers a 2FA option: Dropbox, Facebook, Microsoft, Twitter and more. If possible, opt for an authenticator app rather than a texted code as the second factor, as text messages can be spoofed.

MORE: 11 Ways to Stay Safe When Shopping Online

The 16Shop campaign was started in the fall of 2018, and is still primarily run, by an Indonesian hacker who calls himself "DevilScreaM" and sometimes even uses what may be his real name. He runs a private Facebook group to sell licenses and provide tech support for the software. (Professional cybercriminals often market and support their products like any other software maker.)

But the 16Shop software, which automates the creation and sending of phishing emails and booby-trapped PDFs in at least 10 different Asian and European languages, has been cracked, cloned and redistributed by other criminals. There's even one pirated version that steals from the thieves, secretly sending all funds collected to a hidden email address unknown to the phisher using the software. 

The Amazon variant of 16Shop appears to be the "real" thing, in as much that the Facebook account thought to be controlled by DevilScreaM has changed its avatar to a modified Amazon logo. Any crook owning a license to the "real" 16Shop will now be targeting Amazon accounts instead of Apple ones.

This won't be the only scam targeting Amazon shoppers on Prime Day, which will actually be two days this year, June 15 and 16. Nor will Amazon shoppers be the only ones targeted, as Best Buy, eBay, Macy's, Target and Wal-Mart plan to offer their own sales for what's turning out to be Christmas in July for U.S. -- and now also Australian and U.K. -- retailers. 

So beware messages that promise great deals that skirt the edges of belief. Emails are the tried-and-true vehicle of choice for scammers, but other methods work too. Text messages, pop-up windows in web browsers, and even Facebook, Instagram and Twitter postings and direct messages can all be used to lure eager shoppers to phishing websites.

Again, if it seems to good to be true, it probably isn't true. And if your curiosity or thirst to get a good deal overwhelms your common sense, at least do yourself the favor of NOT clicking the link in the message. Instead, use a web browser to go to the retailer's website to see if that great deal is for real.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.