Site icon Easy Prey Podcast

Top 10 Amazon Scams with Abigail Bishop

“Over 50% of the scams reported are order confirmation scams. Scammers are saying that you’ve purchased something and they want to confirm the purchase.” - Abigail Bishop Share on X

Scammers are creatively trying to deceive and manipulate Amazon customers by getting them to do activities outside the Amazon ecosystem through texts, emails, and phone calls. Hopefully by looking at how the top scams are implemented, we can create more awareness and prevent loss.

Today's guest is Abigail Bishop. Abigail is the Head of External Relations for Scam Prevention at Amazon, where she leads the organization’s outreach work to protect customers from falling victim to scams globally. 

“The best thing that consumers can do is to first, validate the transaction on your Amazon account. You are safe when you shop on Amazon. You can always check your account and message center on your account. If you are still… Share on X

Show Notes:

“All of our work around scam prevention is fueled by the ambition of being the most customer-centric company.” - Abigail Bishop Share on X

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Abigail, thank you so much for coming on the Easy Prey Podcast today.

Thank you so much for having me, Chris. It's great to be here.

I'm glad you're here. Can you give the audience a little background about who you are and what you do?

Sure. I'm the Global Head of External Relations for Scam Prevention at Amazon. What that means is that I have an opportunity to work really closely with like-minded organizations and individuals who are similarly committed to preventing scams externally out in the world and also working really closely with our 12,000 Amazonians internally who are working on different facets of preventing scams within Amazon. 

I serve as a bridge between those two worlds and have entered this sector like so many with a personal set of anecdotes of being reached out to by scammers. Whether it's from text messages or emails, we all have at this point experienced, unfortunately, scams. 

Whether we've been victimized or we've just deleted them, it doesn't take a lot to feel really passionate about this work because it is so tangible and so pervasive across all age groups and geographies. We're all susceptible to scams to some extent.

We're all susceptible to scams to some extent. -Abigail Bishop Share on X

Did you get into the role because of a particular passion for scam prevention, or was it just the natural course of your career that you got into the role and developed the passion?

I probably have a little bit of a non-traditional path to this role. My background is actually in public affairs and corporate strategy roles. Although the through-line—which I think is super applicable to my current role—is working in a cross-sector capacity to address super gnarly human challenges. 

That is, I think, on the money for scams. It is a cross-sector challenge that is just beyond complicated and requires a lot of collaboration and creativity in addressing the challenge.

Did I hear you right in saying that there are 12,000 people at Amazon in some capacity working towards some form of scam prevention?

Yeah, there are. It runs the gamut. We have machine learning scientists, software engineers, and expert investigators working on enforcement and accountability activities with law enforcement globally. There's a whole set of folks behind the scenes that are working on several dimensions of scam prevention.

I will probably normally ask this later in the conversations, but I want to ask this upfront because Amazon does have such a large global footprint. Do you feel that that gives you guys an advantage of being able to work with what would be local law enforcement in so many different countries because you have a presence in all those countries?

If you were a US company and you were having an issue with someone impersonating your company out of France—“Gosh. Now we’ve got to find lawyers in France and people who have contacts with law enforcement.” But if you already have the footprint there because of the business, does it make it easier for you guys to engage with local law enforcement entities?

It's always a challenge. In some instances, it's so specific to the country and also sometimes the relationships between different countries, so while we have a broad reach, I have not seen that be necessarily something that has made things so, so much easier for us or even for the partners in law enforcement. It remains something that is tricky to do working across borders to find these perpetrators.

I was just wondering if that was some benefit of that more global footprint than maybe some other entities have.

My experience has not signaled that. I think I would ask some of my expert investigators who are on the ground whether they've experienced anecdotes of success just given our footprint, but I haven't seen that be the case.

Let's jump into what are some of the biggest scams that you're working with the public on addressing. What are you doing about it? What are those scams? How can we fight them?

There are two types of scams that I'd want to ensure—especially as we go into this holiday season—that consumers are aware of. One is we are seeing that over 50% of the scams reported to us are order confirmation scams. 

We are seeing that over 50% of the scams reported to us are order confirmation scams. -Abigail Bishop Share on X

Whether that's coming through on email, text message, or any other communication method, this idea that scammers are saying you purchased something, they want you to confirm the purchase, you have not in fact made this purchase, and you're being asked to either send information over email or call a customer service hotline to verify the purchase is one MOs that we are seeing a real uptick on globally that consumers should be aware of.

Then, the second piece is not so much the lure of the MO but the monetization technique of the scammer, which is around gift cards. That comes in a number of different ways, but one of the things that we want consumers to know is that we will never ask you to pay with a gift card and to purchase a gift card, so if you are receiving communications of any kind that is asking you to do either of those things, it is likely not from Amazon. You're engaging with somebody else and should cross-reference that transaction on our message center.

One of the things that we want consumers to know is that we will never ask you to pay with a gift card and to purchase a gift card, so if you are receiving communications of any kind that is asking you to do either of those things,… Share on X

I can get into all of the types of things that we're doing across Amazon to prevent scams and address scammers. If you want me to, I could definitely go into all the details, but before I go into that, any feedback on those two things?

I think that's really clear. It's what the IRS says. “We're never going to call you” is what the IRS says. The IRS says, “We're never going to take payment in gift cards, so if someone says a gift card around the IRS, just hang up the phone.”

Knowing that you guys will never ask people to buy or pay with a gift card is very useful information. I know one of the common things is, “Oh, you've got to refund. In order to issue the refund, we need to access your computer.” 

I assume that anytime you're dealing with a legitimate customer service person from Amazon, they will never ask you to install an app or allow them to access your computer.

A hundred percent. Another line in the sand for us is that we are not going to ask you to download software to speak with customer service to resolve those things to your account. 

Another line in the sand for us is that we are not going to ask you to download software to speak with customer service to resolve those things to your account. -Abigail Bishop Share on X

The best thing that consumers can do is to first validate the transaction or communication on their Amazon account. The good news is that you are safe when you shop on Amazon. 

As we know, a lot of these scams happen off Amazon, which we can go into a little bit more detail, but you can always check your account to validate. We really encourage customers to do that. 

You can also check your message center on your account to see what communications have come from Amazon. 

If you still are curious or concerned that you've had malicious communication, you can report that to amazon.com/reportascam, and we will get back to you on that. There are a number of different ways that consumers can go in and validate that an interaction is legit.

FAKE AMAZON EMAIL – Look who the sender is from… they want you to click on the payment link.

And obviously, never click on a link in an email that you think is potentially not from Amazon.

All of those tried and true best practices continue to be so important. Including being wary of false urgency, this idea of, “Act now or miss out, or you're going to be charged $1000 if you don't call me right now.” 

If there's something like that, that's when you check all those cross-reference things. You go back into your account and do your due diligence. That is the right way to handle the pressure of some of these scam techniques.

We want to empower and support consumers to know that they should do that. Then, if you're feeling this pit in your stomach of, “Oh, man,” we've all been there. We get these text messages and emails, and we're like, “Oh, shoot.” 

Our lives are moving so quickly, and we're inundated with communications. We're all living in this super fast-paced world that it's OK to slow down and just take a second before you take action.

One other question about Amazon-will-never. Will your customer service people ever—not in response to an issue that the consumer has raised—call a customer?

There are very, very few instances where that would happen. Chances are if you're receiving a phone call from someone claiming to be from Amazon is that you're not. But that is one that is a little bit trickier with lots of nuances around it.

But someone from Amazon will be able to provide an order ID or something specific that you can identify.

Even more so, you would, in that instance, go back to your Amazon account—whether on the app or the website—and verify the information against your account. That would be the way to engage with anyone who's reaching out to you whether it's a phone call, text message, or any communication method.

Yeah. Customer service is not going to call you and ask you to confirm your Social Security number.

I should hope not, or your mother's maiden name or something. These are really, really serious pieces of information that people are exploiting. We have to make sure that people know—to the extent we can—what information we're going to be asking our customers and how we're going to be doing it.

I think from a bottom-line perspective, you are safe when you shop on Amazon. If you have questions about any interaction you've had, you can check on your message center, account transaction history, or amazon.com/reportascam, and we can validate an interaction. Those are the best ways to cross-reference any communication you get.

Let's talk about some of the things that Amazon is doing to try to prevent scams. We've been talking about mitigation and educating the public. What are some of the other things that Amazon is doing behind the scenes to try to reduce the opportunity for scammers to pretend to be Amazon?

I think it's worth taking a step back for a minute before I go into all the things that we're doing and just provide a little bit of framing on why we're doing this. 

As many people know, we strive to be the Earth's most customer-centric company, so all of our work around scam prevention is fueled by that ambition. We spend a lot of time thinking about ways that customers need to be protected, how we can support them, and how we do right by them should they fall victim to scams and support prevention more broadly.

The other piece is that we feel a sense of responsibility to protect all consumers. As much as we're committed to our customers, we see an issue like preventing scams extending beyond our customer base to consumers more broadly, so where there are opportunities to learn from other organizations to share our work with other similarly committed shops, we want to be able to do that. That's just the spirit that we're coming into all of our scam prevention work with.

The work that we do on scam prevention can fall into one of three buckets. First, we've talked a little bit about the consumer education side. We have efforts to educate consumers as part of the customer journey, so we will send regular emails to customers to remind them of some of the best practices, tips, and also some of the trends that we're seeing. We've just done this ahead of the holiday season across the globe.

Then, there's also work we do in partnership with other organizations. We partnered with the Better Business Bureau to do consumer education work and National Cybersecurity Alliance to amplify best practices around two-factor multi-authentication, password protection, and things like that to reach a broader audience and learn from folks who know a lot about scam prevention in their own right. We're working really closely with those organizations, and we'll continue to do that.

Then, the second bucket is around ensuring that customers know it's really us. What we mean by that is when you're getting communication from Amazon, how can we make sure that you know that it's truly Amazon reaching out to you and not a scammer? 

There are a number of ways that we do this. One example of some of the progress we've made on this front is around adopting an email authentication tool that validates by having our smile logo in the picture box on your email along with an amazon.com email address. Those two things together mean that that's an authentic email from Amazon. 

We've adopted that across several email providers in over 20 countries, and we'll just continue to find opportunities to offer our customers that validation of ensuring it's really us.

Then, the last bucket is around all of our accountability and enforcement work where we see phishing websites or phone numbers. We've shut down over 20,000 phishing websites just this year, and over 10,000 phone numbers that were associated with phishing attempts, have made over 100 referrals to law enforcement across the globe, and continue to invest a ton of energy into holding these bad actors accountable.

Between those three things, we are spending a lot of energy and effort to educate, validate, and hold accountable those bad actors along the way. We have a ways to go. This is a challenge that is ever-changing, and we are not done yet.

When you refer to 20,000 sites shut down, are you referring to emails that consumers receive saying, “Go here to log into your account used for credential gathering”?

Exactly. It's 20,000 websites that in some way, shape, or form are trying to gather your personal information or financial information.

If you could tell me, do you know the average time from your discovery of an Amazon phishing site until you can work with the host to get it shut down? What is that timetable normally?

I don't have those numbers off the top of my mind, but I will say that it ebbs and flows, and it is ongoing. I think it's safe to say there isn't necessarily an average that happens. Each case is pretty specific.

Shutdown notices are always going to vary by the company that's hosting, what country they're in, how responsive their departments are, and all that kind of thing. It was just more of a curiosity to know how fast the whack-a-mole game is.

It is so hard. It's going to continue to be a challenge. As we get more creative in the way that consumers are paying for things and communicating with companies or entities that they're purchasing things from, there's just increasing vulnerability, susceptibility, and risk of those things being exploited. 

You get challenges along with some of these advances that continue to keep moving the proactive and reactive line in the sand of when have you tackled the challenge, because the second you think that you have addressed something or wrapped your arms around it, the scammers are really creative. 

They're super inventive and well-resourced. These folks are oftentimes part of massive criminal enterprises and networks. They are so creative in the way that they think about things. They are so good at figuring out where consumers are susceptible in their interactions with trusted entities—whether it's a company, the government, your friends, or family—and what are the things that are going to push you into having that knee-jerk reaction into giving away too much.

I would assume that as much as world events play into other scams, they are going to play into Amazon-themed scams. Let's say during the pandemic, I would assume there was a rise in impersonation emails from Amazon saying, “Hey, we have lots of masks in stock. You're an insider customer. We're going to give you first priority if you order through this special link.” And then it's just a scam.

Exactly. Any of those timely moments that they can exploit, they need to be on top of. They are listening, aware of what's happening in the world, and are very savvy at exploiting it. 

Any of those timely moments that they can exploit, they need to be on top of. They are listening, aware of what's happening in the world, and are very savvy at exploiting it. -Abigail Bishop Share on X

At the same time, the good news is that organizations like Amazon and others are putting resources and energy into preventing it, making it more difficult and ensuring that consumers know what's happening out there, can protect themselves, and are working with law enforcement globally to hold these folks accountable for their crimes.

Do you feel that because of the size of Amazon, you've got a little bit more sway in working with, let's say, phone carriers? You’ve got someone who's sending out text links saying, “Hey, we couldn't make your Amazon delivery today. Click on this link to reschedule it.” 

Do you think that because of the size of Amazon, you've got a little bit more sway with phone companies in being able to deal with those in a more timely manner than maybe some smaller entities are?

I think that we have a responsibility to lead where we're able and to help work really closely with those who are also in the wake of these crimes. 

You mentioned telecommunications companies and email providers. You also have financial institutions of every shape and size, payment apps, or peer-to-peer financial services. 

With any of these organizations, Amazon is keen to link arms and work together. We're all a part of this network to fight these bad actors and to make sure that we're protecting our customers because we're all being looped in and exploited through the process of how these schemes are implemented.

I think one of the advantages of having 12,000 people on the scam prevention side is that you can collaborate with a lot of different entities. You've got a lot of resources to be able to work with other entities and try to find solutions.

Yeah. We also have a lot of ground to cover ourselves. We want to go deep and make sure that we are, again, really protecting and supporting our consumers. 

Because we've experienced success and scaled, we have a responsibility to leave the world better than we found it, so we want to make sure that we are living those principles that we espouse.

Without disclosing any insider trade secrets, so to speak, are there tools that you're building that benefit other resellers and other organizations that are benefiting because of the work that you're doing?

There are a lot of really interesting activities out there and a lot of innovation that is underway, which is really encouraging. We're exploring the merits of a lot of different approaches and technologies.

BBB Scam Tracker

Some of the stuff that we've done very publicly in recent months especially is working closely with some consumer organizations. In particular, the Better Business Bureau, as I mentioned earlier.

We launched this fall a scam tracker tool that we partnered with the Better Business Bureau and Capital One Bank to update the tool, make it mobile friendly, easy for consumers to report scams, track trends, and also see if there are others who have experienced a similar scheme.

Sometimes, you wonder, “Am I going crazy here? Is this just me? Is anybody else seeing this?” Then, we do that gut check. You can do that on this tool. There's a lot of information that is available there. Things like that, we've already put out there.

We've already adopted email verification technology. We'll continue to do things like that, but as I said earlier, the world is just getting more complicated. The moment you think you tackled one challenge, there is another one that comes up, so we have to constantly ensure that we are protecting our customers with every technology and convenience we're putting out in the market.

I know that a lot of the password managers out there are now using a built-in […] where they're looking for compromised credential combinations. Is that something that Amazon has implemented on their side? If you were made aware of these breached databases and whatnot that, “Hey, Customer A's username password combination is out there in the wild,” is that the thing that you'll notify the consumer, “Hey, your password may have been compromised,” in the same way a password manager might do it?

I'd want to follow up with some of our tech side who manages the standard operating procedures for different breaches, risks of account takeover, or any of those activities. I just am not the person who's doing a lot of those procedures, so I'm probably less knowledgeable to speak on them. You don't want me to start implementing code, SOPs, and things like that.

No, I totally appreciate it. I just didn't know if that process was in place and you knew if there was a standardized email that consumers would get so they would know that this is a legitimate notification from Amazon about something, like this versus just another phishing attack.

We implemented this last year. We've started to do a lot more communication with consumers and customers on scams just across the board. Even so far as to when you report a scam, you will receive communication back saying, “We've logged this report. Thank you for submitting.”

There are things like that that we are doing much more of. We'll continue over the next year or so to do a lot more proactive communication and get on the front foot with our customer, communication in particular.

With your report-a-scam tool or link, how would you know how many are getting reported on an annual, daily, weekly, or monthly basis through that tool?

We have those numbers, and we have a lot of missions. We just launched this tool last year, so we're still getting a baseline of the trends in consumer reporting. 

I think one of the things that makes this so tricky—and we've alluded to it a couple of times in our conversation, but just to underscore—is that these impersonation scams are happening most often outside of our store, so we rely very heavily on consumers and customers reporting these scams to us to track. 

The numbers that we have and the reports we get, our ambition is that they are going to get more of a steady baseline as we educate consumers and customers that this type of reporting tool is available.

I'm highly suspicious, and my hypothesis is that we are not getting all of them and that there are a lot of crimes out there that we have no line of sight into just given the nature of these types of scams. We have a lot more work to do to really understand across the industry—not just Amazon—how deeply these schemes are impacting consumers. I don't think we really know.

If I think through it, I get scam text messages. They ebb and flow. I don't think I've ever reported a single one of those to anybody. I just delete, delete, and delete. 

For the most part, I think as I've gotten older and my time has become more valuable to me, I've personally taken less and less time to report phishing scam emails and things like that, not that I don't think it will do anything but like, “OK, well, this is the 15th one today.” Do I really want to spend another 15 minutes trying to find the FedEx report-a-scam tool? It just becomes complicated. 

I know that I can report stuff to IC3, and it'll go into some database somewhere, but I don't have that feeling of, “Well, I've done something.”

That's a really good point and a real challenge the sector has in trying to wrap your arms around the challenge and getting customers and consumers to share their experiences and take action on it. It makes it very difficult to prevent it if you don't know what's happening.

Particularly since the tool is fairly new, if you do see a sudden uptick in something, is it because there really is an uptick in the scams involving that, or are people just reporting more of them?

Exactly. I think it's a fair question and something that we're evaluating right now. We're still monitoring trends, causality, and all that. One of the inputs that deliver the output, we can call through all the data to figure out what's real and what's not. We're still learning.

If you could put a call out—“We want you to submit your reports”—what would those be? Anything that's suspicious that has the word Amazon in it?

There are a couple of places to report. I would encourage all consumers to report any suspected scam activity to the BBB Scam Tracker tool. 

I would say for Amazon specifically, any scam where you are being asked to pay Amazon in Amazon gift cards. If you're being asked to verify an order or a purchase that you have no record of making, those are the types of things that I would really underscore consumers to share with us and to make sure that we know it, but it's not limited to that. 

There are sweepstakes and a join-a-product-testing route. There are all these different things that come through. 

It's perfectly fine. I want to destigmatize that not knowing what these things are is a very natural human response to getting something hinky. It's OK to cross-check it and reach out to us regardless of what it is, but in particular, order confirmations and gift cards, please be mindful.

Perfect. Are there any particular resources you want to mention as we wrap up? I know you mentioned the BBB Scam Tracker tool. Do you happen to know the URL off the top of your head?

I think it's at bbb.org/scamtracker.

If not, we will find it and put it in the show notes along with your guys' link. Any other resources people should be keeping their eyes on?

I think for Amazon purposes, please check your account. You are protected when you're on amazon.com. Check your message center and all of your communications with Amazon to validate that your communication is authentic. If you have any more questions about your communication, you can always go to amazon.com/reportascam.

I know this is a challenge and will continue to be a challenge, but I am optimistic that we can make some real inroads on this challenge in collaboration. 

We will continue to find opportunities to link arms with organizations that are facing some version of this challenge within their own organization. It is not over. We are working really hard on this challenge. The more that we can get cross-collaboration with all the stakeholders involved, the better.

As we wrap up, do you see any trends where we're seeing this rise of this new type of scam, new methodology, or new approach that you're like, “Hey, we need to make people aware of this new trend”?

For us, impersonation scams just generally are the scam that we are seeing most prevalent. I know I mentioned it, but within there, the order confirmation is super popular. Over 50% of the scams reported to us are order confirmation scams. 

Over 50% of the scams reported to us are order confirmation scams. -Abigail Bishop Share on X

Some combination of those two for now are the scams that we are really hoping that consumers and customers at large are able to avoid this holiday season in particular.

Got you. Abigail, thank you so much for coming on the Easy Prey Podcast today.

Thank you. It's great talking to you, Chris.

Exit mobile version