Bank card—check!

Shopping list—check!

Lumbar back support pillow—check!

Noise canceling headphones—check!

And, of course, coffee—check!

If you’re an Amazon shopper, then you know by now that Prime Day is nigh!

And if you’re one of the many who dreads bidding the weekend goodbye, this is probably the one Monday of the year you look forward to.

It’s true that Amazon Prime Day isn’t your regular Black Friday/Cyber Monday shopping event, but it has quickly become massive enough to warrant one unintended consequence: catching the attention of online threat actors.

A very big deal

Amazon launched Prime Day in 2015 during the company’s 20th anniversary. And they’ve been stepping up their game ever since.

To date, Prime Day is hailed as the biggest shopping event in the company’s history, surpassing its 2016 Black Friday and Cyber Monday revenue.

Orders placed via mobile devices also spiked, thanks to the Amazon app that many users have downloaded and installed just for Prime Day. And because a huge chunk of sellers on Amazon are small businesses, increases in overall sales also translate to increased profits for small businesses.

It won’t be a surprise, then, to expect that Prime Day 2018 will be even bigger than last year—and cybercriminals may be counting on this.

Prime Day security reminder list: Do’s and don’ts

Regular readers of the Malwarebytes Labs blog know that Amazon has been used in several threat campaigns to target its users. In 2015 and 2016, we documented spam emails that circulated the web bearing the Amazon logo, and their ruses ranged from requesting users to confirm their account information to filling in a survey in exchange for a small fortune and redeeming a soon-to-be-expired $100 Amazon Prime credit.

Then in 2017, Mark Jones (writing for Kim Komando) reported on a phishing email that Komando herself received almost a month after Prime Day ended. The email offered recipients a $50 voucher as a bonus for reviewing a product they recently bought on Prime Day, according to the post. Clicking the link in the email redirected victims to a fake Amazon login page.

More fake Amazon Prime emails could—and likely will—materialize from here on. But these shouldn’t stop users from enjoying Amazon’s services, or any other e-commerce site’s, for that matter.

If you enjoy shopping on Amazon during the Prime Day sale (or any other time), protect yourself by protecting your account credentials and shopping transactions. Below is a list of do’s and don’ts you should keep handy alongside your shopping list.

Do…

…download only the legitimate Amazon app from the Google Play and Apple App stores. In doing so, you’ll avoid getting confused as to which app to install—as there are a variety of them—and which ones to trust—as there may be impersonators. Threat actors targeting users on mobile devices have become craftier, their latest tactic being the use of Unicode, which allows fake apps to use famous names to pass through security scans.


Read: Phony WhatsApp used Unicode to slip under Google’s radar


…set up two-factor authentication (if you haven’t already). This is for added security, of course. If you’re the type of shopper who takes their time, you may find it quite annoying to re-enter your creds and authentication number multiple times. But having this enabled is so worth the extra hassle because it makes blunt-force entry or even using stolen credentials next to impossible for criminals.

…use your credit card when paying for purchases as much as you can. This is because credit cards, and not debit cards, are insured by the bank. Although a type of consumer protection called a chargeback is in place, it is not a legal protection. This means that your card provider may or may not award a chargeback if funds from your debit card are stolen, depending on the case.

…look at emails originating from Amazon with a critical eye. It’s a prevention mechanism we should all be practicing when handling emails, as doing so will save you a lot of headache and firefighting in the long run. Always be cautious. Always question if the email is legitimate or a spoof.

…familiarize yourself with how to report phishing emails and pages to Amazon. Why? Because fellow shoppers may not be quick enough to spot the fake email you just spotted. Amazon has a handy guide walking users through the reporting process on this Help & Customer Service page.

…buy items from sellers you trust or are comfortable with. Like any other e-commerce site, Amazon has bad sellers, too. And by that, we mean those who (1) impersonate legitimate companies by stealing their brand and the showcase of products they sell, (2) purport to sell products but never ship them and attempt to run away with your money, or (3) sell you counterfeit or knock-off goods.

If you don’t know which seller to trust, check out the third-party supplier’s Amazon page and see when their profile was created. Usually, the scam ones are those that have just been launched and suddenly have pages upon pages of a variety of cross-industry products, which are often just stolen images from real sellers. Also, watch out for third-party sellers with too-good-to-be-true glowing reviews as (1) they may have been auto-generated by bots or (2) they’re paid reviews designed to put sellers in a favorable light.
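The Unicode trick mentioned in the app-download tip above can be checked for mechanically: a name that renders like a famous one but differs at the code-point level is a red flag. The Python below is an added example, not code from this post, Amazon or any app store; the protected-name list, the small confusables map and the sample names are constructed for illustration.

```python
import unicodedata

# Assumption: names a store reviewer wants to protect (constructed list).
PROTECTED = {"amazon", "amazon shopping"}

# Hand-picked cross-script lookalikes (Cyrillic -> Latin). A constructed subset,
# not the full Unicode confusables data, which covers thousands of pairs.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u043e": "o", "\u0435": "e"})

def skeleton(name):
    """Reduce a display name to the form a human reader perceives."""
    folded = unicodedata.normalize("NFKC", name)  # fullwidth, NBSP -> plain forms
    kept = []
    for ch in folded:
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc", "Mn"):  # invisible format/control chars, stray marks
            continue
        kept.append(" " if cat == "Zs" else ch)
    collapsed = " ".join("".join(kept).split())  # trim and collapse whitespace
    return collapsed.casefold().translate(CONFUSABLES)

def odd_code_points(name):
    """Return (code point, Unicode name) for everything outside printable ASCII."""
    return [(f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
            for c in name if not " " <= c <= "~"]

def classify(name):
    """'exact' = the protected name itself, 'lookalike' = renders like one
    but differs at the code-point level, 'unrelated' = anything else."""
    if name.casefold() in PROTECTED:
        return "exact"
    if skeleton(name) in PROTECTED:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample names: plain, no-break space, zero-width space,
    # fullwidth letters, Cyrillic capital A, and an unrelated app.
    samples = ["Amazon Shopping", "Amazon\u00a0Shopping", "Am\u200bazon",
               "\uff21\uff4d\uff41\uff5a\uff4f\uff4e", "\u0410mazon", "Amazing Deals"]
    for s in samples:
        print(f"{s!r:45} {classify(s):10} {odd_code_points(s)}")
```
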

Don’t…

…reuse passwords. If the Amazon account password you’re using now is the same as your, say, Twitter password, it’s time to change that. You’re just making it easy for criminals to access two or more of your online accounts.

…enable macros. Let’s say an “Amazon” email has convinced you that it’s real. You open the attachment. It asks you to turn on macros. You should consider stopping at this point because doing what it tells you to could open two possible scenarios: one, nothing will happen; two, you just got your computer infected with malware. Think about this.

…fall for Amazon gift card scams. We rarely read about this, but it happens. Usually, questionable sellers ask prospective buyers to pay for an item outside of Amazon in the form of gift cards. If a seller suddenly asks you this, disengage from the conversation and report them to Amazon immediately.

…use public Wi-Fi to shop. You’re only exposing yourself to Man-in-the-Middle attacks. It’s better to shop at home or at work during your break time.

If you make it a point to address our (potential) security issues first and make mental notes of the rest in our list, then Prime Day 2018 shouldn’t be that stressful.

So, what are you waiting for? Ready, set, shop!
