Beware of Amazon 'one-time passcode' scams

Know the signs of this sneaky trick fraudsters use to get into your Amazon account

Cold-calling fraudsters are impersonating Amazon and claiming that there has been fraudulent activity on your account. 

This is known as the 'one-time passcode scam' as the scammers use key information they already have on you to convince you to grant them access to your Amazon account.

Which? has previously warned about a similar scam when fraudsters impersonated phone company O2 to try to access customer accounts through scam calls. 

Read on to find out how this Amazon scam works and how you can spot, avoid and report it. 

What is the Amazon one-time passcode scam?

The scam begins with a call from a scammer claiming to work at Amazon. The call will most likely come from a spoofed mobile number, meaning that the number shown on your phone isn’t the one the call is really being made from.

The caller will most likely know your name and tell you that there has been suspicious activity on your account. They may even name fake high-value purchases, such as iPhones, that have been fraudulently made using your account.

The caller will go on to say that you’ll receive a text to your mobile that will come from Amazon, and that message will contain a passcode. While this text message will be a legitimate text from Amazon, it will have been sent as a result of a fraudster on the phone attempting to get into your account.

How this Amazon scam works

The Amazon login page where the fraudster enters your phone number

When you try to log in to your Amazon account, you sign in using your mobile number or email address. It's likely that the scammer already has these details before they call, possibly from a data breach or previous scam attempt. 

After entering your number, the fraudster will click ‘forgot password’, which will trigger an OTP to be sent to your phone via text

If you attempt to sign in from a new device or location using your phone number, the two-factor authentication on your Amazon account will trigger a text to be sent to the number registered on your account and it will contain a one-time passcode. The passcode serves as an additional security layer, confirming that you're the one trying to log in. If you attempt to sign in using your email address, the passcode will be sent to your email. 

A genuine OTP text from Amazon triggered by the fraudster attempting to access your account

If you give this code to the fraudster on the phone, they will be able to access your Amazon account.

Avoiding one-time passcode scams

Which? reported this scam to Amazon, and it said: 'Scammers that attempt to impersonate Amazon put consumers at risk and we will continue to invest in protecting consumers and educating the public on scam avoidance.

'We encourage consumers to report suspected scams to us so that we can protect their accounts and refer bad actors to law enforcement to help keep consumers safe.

'We may ask you to verify your identity if you call customer service for support, but Amazon will never contact you first to ask you for your password, verification passcodes or security question.'

Scammers target customers through scam calls designed to incite panic and get you to act quickly. If you receive unsolicited calls that claim to be from brands or banks that you have accounts with, be suspicious. It’s always best to verify information yourself by logging into your account independently, using only the official websites and not following any website link you have been given.

Whenever you do receive a one-time passcode from a company, never share this with anyone else. Amazon employees will never ask for this.

You can check if your email address or password has been leaked in a data breach on the Have I Been Pwned website.

Report scam calls received on your mobile by forwarding the number to 7726.

If you lose any money to a scam, call your bank immediately using the number on the back of your bank card and report it to Report Fraud (formerly known as Action Fraud) or call the police on 101 if you’re in Scotland.