
Scamazon!

  • Writer: Brian
  • Feb 12
A suspicious text message got another victim!

If I revealed which loved one fell for this scam, I think I'd end up sleeping on the couch, so let's just say that this sort of thing can happen to anyone, even if they sat through my presentation on recognizing and avoiding cyber-scams at the American Legion last month!


There are a number of tell-tale indicators that this is a fraudulent message. It didn't come from Amazon, it doesn't refer to any real product or order, it doesn't have anything to do with you personally, and while the link does (eventually) go to Amazon, the layers of malicious software embedded in that process expose your login credentials to the eyes of bad actors.


Let's discuss each of these matters one by one.


Many Recipients


Why is this recall going to so many people, when it lists one specific order number?

This message was sent to twenty people, because that is the maximum number of people a text message can be sent to at once. Scammers often send messages like these out in batches because it is faster than texting everyone individually.


The big question is: If the message includes one specific order number, then how can this same message be relevant to 19 other people besides myself?


Of course, the order number can't be relevant to more than one customer. And that's assuming it's even real! (Spoiler alert: it isn't.)


Not an official communication method


Amazon doesn't reach out in this way via text messages.

This is harder to know instinctively, but generally, when a major organization such as a government department or a corporation like Amazon wants to reach out to you about something with grave legal consequences (such as supposed threats from the DMV, or in this case, a safety recall), they will send you a letter, or perhaps an email. Texting is very low on the totem pole of 'seriousness' when it comes to interpersonal communications. It's how we confirm plans for dinner or tease our friends; it is sometimes elevated to how we receive delivery updates and e-begging from political candidates; but it is not a method by which Amazon will ever contact you about something as important as a safety recall to prevent injury to your health.


Ambiguity (lets your imagination fill in the blanks)


Why can't they tell you the date you supposedly ordered the item on?

The text states that the order was purchased in January of 2026, but it isn't more specific than that. This echoes the social engineering psychological trigger of urgency because it sounds recent, and therefore very relevant. This is meant to put you into motion before you think clearly.


But why doesn't it give a specific date? The reason is that if they said "January 28th 2026", you might think, "but I only ordered from Amazon immediately after Christmas...I certainly didn't order at the end of the month," and realize it's a scam. By keeping it vague, they allow your imagination to fill in the blanks. By telling you less, they allow you to believe more. Plus, this allows them to cast a wider net because most of the 20 people they sent the message to are likely to have ordered something from Amazon in January of this year.


The Order Number is a bluff


Does this match any of your real orders?

This sort of thing happens all the time in text-based impersonation scams. They'll provide a fake UPS delivery number, or a fake traffic ordinance you've violated. It looks entirely official, because lots of bureaucratic things in society look official if they look like a droning series of numbers. Look:


CozyTech code no. A001-84823114


That number looks like it could represent a client, or a service, or a product we stock, or a policy we enforce, or a law we are in compliance with. It could be anything! (Of course, it's just a random string of numbers I slapped together for this example).


You can check this yourself by going to your Amazon app or the official website, and looking through your recent orders. You don't have to go far back, since the text claims the order was placed in January. Does anything there match this exact number? (None of your orders will, because this is fictitious.)


Psychological trigger: Fear


Safety recalls are inherently scary. Fear makes us hasty.

This is where the scam gets particularly cruel. Let's say you are an expecting mother, and you've recently received a deluge of baby products from Amazon. This message now makes you afraid that something you purchased could be a threat to the health of your beautiful new baby.


You don't even think. You just click the link and sign into Amazon.


That's precisely what they want. They are abusing the social engineering psychological trigger of Fear, getting you to move faster than you can think by scaring you quite literally out of your wits.


Bonus question: if safety is really at issue, then why wouldn't they shortcut you to safety by skipping this entire charade and just telling you, "it's the baby bottle! don't use the baby bottle!" or "it's the stroller! the wheels could come off! return the stroller, quick!". Again: keeping it vague allows your imagination to do much of their work for them.


See again: keeping it vague


What product? Tell us!

Again, note the phrase "this product" in place of information we could actually use if there were really a risk of harm to our health.


MAJOR RED FLAG: Suspicious Link


cutt.ly? Don't you mean Amazon?

I was overjoyed that the audience who attended my presentation on recognizing and avoiding cyber-scams seemed not only to tolerate my mini-lecture on the anatomy of web addresses, but even appeared to really understand and appreciate the message.


Sometimes these scams come with especially crafty link URLs (web addresses), but this one isn't even very difficult to figure out. The question we have to ask is:


Is cutt.ly very likely to go to Amazon? Yes, or no?


The answer, of course, is no. Cutt.ly is a URL shortener, which basically takes a long link like https://abc123.xyz/onetwothree/fourfive/sixseven/eight.nine/ and creates a shorter link which points to it, like https://shortl.ink/abc_123. URL shorteners were created to pack long links into small spaces (like Twitter, back when it only allowed messages to be 140 characters long), but they were immediately exploited for their ability to hide the true nature of where the link was going. I could turn the link https://badwebsite.evil/no_good/steal_your_stuff/ into a shortened link like https://shortl.ink/all_good/ and you would be unlikely to know where that link was going until you had already clicked it. In many cases, by that point, the damage is already done.


In this case, we can use a URL expander to open the link on our behalf, and tell us where it goes: https://www.hikmpq.top/bec23bdeff1a589d5bc47a5c/. Ask yourself again:


Does hikmpq.top = amazon.com? (No.)


I used a virtual machine (a fake computer within a real computer, which protects the real computer from harm) to follow the link. It goes through a few referrers (connections which pass you along to something else automatically) before sending you to the real Amazon.com.
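The "does this host equal amazon.com?" question can be asked of every hop in a redirect chain, not just the last one. The sketch below is an added example, not part of the original post: the function names, the shortener list and the `cutt.ly/EXAMPLE` path are assumptions, and the sample chain is constructed from the hops this post describes (the unnamed intermediate referrers are left out).

```python
from urllib.parse import urlsplit

# Illustrative shortener list (cutt.ly is the one in the text message); not exhaustive.
SHORTENERS = {"cutt.ly", "bit.ly", "tinyurl.com", "t.co"}

# Constructed sample: the hops described in the post. The cutt.ly path is a
# placeholder; intermediate referrers are omitted because the post does not name them.
SAMPLE_CHAIN = [
    "https://cutt.ly/EXAMPLE",
    "https://www.hikmpq.top/bec23bdeff1a589d5bc47a5c/",
    "https://www.amazon.com/",
]

def host_of(url):
    """Hostname the browser really connects to (userinfo and port stripped)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, brand_domain):
    """True only for the brand domain itself or one of its subdomains."""
    return host == brand_domain or host.endswith("." + brand_domain)

def classify_hop(url, brand_domain):
    """Label one hop as 'brand', 'shortener', 'lookalike' or 'unrelated'."""
    host = host_of(url)
    if belongs_to(host, brand_domain):
        return "brand"
    if host in SHORTENERS:
        return "shortener"
    # Brand name used as decoration, e.g. amazon.com@evil.example
    # or amazon.com.evil.example: the real host is still evil.example.
    brand_label = brand_domain.split(".")[0]
    if brand_label in urlsplit(url).netloc.lower():
        return "lookalike"
    return "unrelated"

def chain_is_trustworthy(urls, brand_domain):
    """Every hop must be the brand's own; ending at the brand is not enough."""
    return all(classify_hop(u, brand_domain) == "brand" for u in urls)

if __name__ == "__main__":
    for url in SAMPLE_CHAIN:
        print(f"{classify_hop(url, 'amazon.com'):10} {host_of(url)}")
    print("trustworthy:", chain_is_trustworthy(SAMPLE_CHAIN, "amazon.com"))
```

The chain fails the check even though its last hop really is Amazon, because the earlier hops are hosts Amazon does not control.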


Wait. So it does go to Amazon.com?


Yes. Sort of.


It's difficult to tell what is happening here. I won't bog you down in my interrogative process. But I think the three likeliest possibilities are:


  1. These redirects originally went to a fake Amazon login page which was used to harvest credentials from people who engaged with it, but it has since been taken down by some authority, so, with the redirect chain broken, you just end up at Amazon, skipping the missing scam page.

  2. Cloudflare (the service doing the redirection) realized what was happening, and broke the scam redirects, so that all that's left is for you to arrive at Amazon.com.

  3. The scam only works on certain devices or under certain conditions. It's possible that when I ran it through a virtual browser, it detected that I wasn't using a phone, and it didn't proceed as usual.


My other idea is "cross-site scripting" or "session ID theft". In these situations, these redirect links add extra computer code on top of your normal interaction with the Amazon website, which allows them to "steal" your current signed-in state, or to view and "write down" your login credentials for later.


For further practice


Another example from last year

The example above comes from the Hardin County Sheriff's Office in Kentucky. You can see that while the formatting is different, all of the component parts are the same. Try to pick them out for yourself:

  • Many recipients

  • Bonus: message comes from a +51 (Peruvian) country code

  • Safety recall to scare you

  • Vague, month-year date range to urge you

  • Authentic-looking order number

  • Bonus: unprofessional-looking emojis

    • Sub-bonus: those emojis use the Japanese yen symbol rather than an American dollar symbol

  • Shortened URL going to who-knows-where

    • (We know where. A scam site of some kind.)


Just like I pointed out in my post, CozyTech Was Almost Scammed!, no one is completely safe from this stuff. Not experts like Christopher Hadnagy, author of Social Engineering: The Science of Human Hacking. Not me, your local IT guy. Not even people who attended my seminar on recognizing and avoiding cyber-scams!


All you can do is educate yourself on their tools, techniques and procedures, and stay vigilant! Remember, if you feel urgent or scared, you are exactly where they want you, and you have to stop and think rather than panic and react.


Ask critical questions about what is really going on, and when you are unsure, feel free to give CozyTech a call. We never charge for quick questions like whether something might be a scam. And if you think you've been the victim of a scam, maybe we can help mitigate the damage.


Stay safe out there!

 
 
 
