Anatomy of the scam
Amazon impersonation is the highest-volume brand phishing in the US. Amazon has more accounts than almost any other consumer service, so even a tiny click-through rate produces large numbers of victims. The pitch is some variation of: your account is suspended, an order is pending, your Prime subscription is expiring, or a refund is owed.
The goal is one of two outcomes: credential capture (you log into a fake page) or remote takeover (a "support agent" gets you to install software, sometimes called a "verification tool," that's actually remote-control software).
The script you will see
By email:
"Your Amazon order #112-3344556-7889012 (PlayStation 5 Console) has been confirmed for $629.99 with delivery to 18 Elm Street, Topeka. If this was not you, click here to cancel within 24 hours."
By text:
"Amazon: Suspicious activity detected on your account. Verify your identity to avoid suspension: amzn-secure.co/verify"
By phone (after you click "cancel"):
"Hello, this is Amazon Account Recovery. To remove the fraudulent order I need to verify you. Please install AnyDesk so I can secure your account..."
Red flags
- The "from" email is from a domain other than amazon.com.
- The URL in the email is not amazon.com or amazon.co.uk. It's a lookalike such as "amzn-secure.co", or it buries the brand in a long subdomain such as "amazon.com.verify-account.io".
- Urgency to act within hours.
- Phone call asks you to install AnyDesk, TeamViewer, or any remote-control software.
- "Support agent" asks for your password or 2FA code over the phone.
- The "order" is for an expensive item you didn't buy, dropped at an address you don't recognize.
- The refund is offered for an order you didn't place.
Variants
- Order confirmation phishing. Fake order for an expensive item; click here to cancel.
- Prime subscription renewal. "Your Prime renewed at $199. Cancel here." (Prime is $139/year.)
- Account suspension. "Click here to verify and unlock."
- Refund overpayment scam. Phone variant — "we accidentally refunded $5,000 instead of $50. Please wire it back."
- Amazon job phishing. "Amazon work-from-home" scams (see the task / job entry).
- Amazon seller phishing. Targets third-party sellers with fake "policy violation" notices.
- Echo / smart-home account compromise. Same playbook, leveraged for home-network access.
How to verify safely
- Don't click links in the email or text. Open the Amazon app or type amazon.com into your browser directly. Real account notices appear in the "Your Orders" or "Account & Lists" sections in the app.
- Real Amazon never calls about routine account issues. Their preferred channel is messages in the app.
- Verify the sender domain. Real Amazon emails come from @amazon.com, @amazon.[country], or specific subdomains like @marketplace.amazon.com. Anything else is suspect.
- Forward suspicious emails to stop-spoofing@amazon.com — Amazon's reporting team investigates.
- Don't install AnyDesk, TeamViewer, or any "verification software" at the request of someone claiming to be Amazon.
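The sender-domain and link checks above come down to reading the hostname from the right, which is why "amazon.com.verify-account.io" belongs to verify-account.io and not to Amazon. The following is an added example, not part of the original guide or any Amazon tooling; the trusted list holds only the two domains the page names, and the sample inputs other than the page's own lookalikes are constructed.

```python
from urllib.parse import urlsplit

# Domains the page names as genuine. "@amazon.[country]" is represented only
# by amazon.co.uk here (assumption: extend the set for other country sites).
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk"}


def host_of(value: str) -> str:
    """Return the lowercase hostname of a URL, bare link, or email address."""
    value = value.strip()
    if "@" in value and "/" not in value:      # email address: take the domain
        return value.rsplit("@", 1)[1].lower().rstrip(".")
    if "://" not in value:                      # bare link, e.g. amzn-secure.co/verify
        value = "https://" + value
    # urlsplit discards any "user@" prefix, so https://amazon.com@host/ yields host
    return (urlsplit(value).hostname or "").lower().rstrip(".")


def is_trusted(host: str) -> bool:
    """True only for a trusted domain itself or a true subdomain of one.

    The match is anchored on the right and on a dot, so neither
    "amazon.com.verify-account.io" nor "notamazon.com" passes.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(value: str) -> str:
    """Label a link or sender as trusted, lookalike, untrusted, or unparseable."""
    host = host_of(value)
    if not host:
        return "unparseable"
    if is_trusted(host):
        return "trusted"
    # Brand text inside a host that is not Amazon's is the lookalike pattern.
    if "amazon" in host or "amzn" in host:
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    samples = [
        "amzn-secure.co/verify",                # from the page (text-message lure)
        "amazon.com.verify-account.io",         # from the page (long-subdomain lure)
        "https://www.amazon.com/",              # constructed
        "seller@marketplace.amazon.com",        # constructed address on a page-named subdomain
        "https://amazon.com@login.example/x",   # constructed userinfo trick
    ]
    for s in samples:
        print(f"{classify(s):11} {s}")
```
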
If you already clicked or shared credentials
- Change your Amazon password immediately from a different device.
- Enable two-factor authentication (preferably via authenticator app, not SMS).
- Review recent orders for anything you didn't place.
- Check linked payment methods for unknown additions.
- Review devices logged in under "Manage Your Devices" and sign out any unknown ones.
- If you gave remote access: disconnect the device from the internet, run anti-malware, and consider a clean OS reinstall if anything was compromised.
- Change passwords on any other accounts that share the Amazon password.
- Place a credit freeze if financial info was shared.
What not to do
- Do not click "Cancel order" links in emails. Open the Amazon app directly.
- Do not install remote-control software at the request of a "support agent."
- Do not share your password, 2FA code, or device-login code with anyone calling you.
- Do not wire money to "return" an accidental refund. Amazon does not work that way.
Where to report
- FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
- FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
- CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
- IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
- Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.
FAQ
The email has an Amazon logo and looks exactly like a real notice. Doesn't that make it real?
No. Email branding is trivially copied. Real validation is the sender domain, the URL behind any links, and whether the notice appears in your actual Amazon account.
The number called me back when I called "support" — that's their real number, right?
The number listed in the phishing email is the scammer's number. Real Amazon customer service is 1-888-280-4331, accessible from the Help section of the Amazon app or website.
What about Amazon-branded gift-card scams ("pay me in Amazon gift cards")?
Amazon does not accept gift cards as payment for taxes, bail, customer-service issues, or anything outside Amazon's own platform. Any "Amazon gift card" payment demand is a scam by definition.