Scamming Amazon’s customer support is apparently not very difficult.
Self-proclaimed Web technologist and teacher Scott Hanselman took to his blog to
recount the tale of how some random stranger almost scammed Amazon by using social engineering.
For the unfamiliar, social engineering is a type of security breach in which an individual manipulates someone else into divulging personal and confidential information, or into taking an action on the attacker’s behalf.
On Monday, Hanselman received an email from an Amazon customer service representative notifying him that a replacement Kindle was on its way. One problem though: He never asked for a replacement e-reader.
Hanselman contacted the company’s customer support to get to the heart of the matter. A conversation with a very helpful representative revealed that someone had pretended to be him on Amazon’s live chat system and had successfully requested a replacement device after reporting a malfunction. On top of that, the scammer was also able to have the Kindle sent to a completely different address.
All of this was accomplished without Amazon verifying the scammer’s identity. The only pieces of information the representative asked of that person were Hanselman’s name, physical address, and email address.
In the end, Amazon’s fraud team was notified and the order was canceled. Hanselman tried to get the chat transcript from the company but was unsuccessful. It didn’t matter, though. The issue was resolved. Or so he thought.
The following morning, he got another confirmation email from Amazon notifying him that the package was on its way.
“I call Amazon again and re-explain what’s up,” he writes. “I ask for the chat transcripts again but they won’t send them.”
“Simultaneous to this phone call I email Amazon Customer Support and ask for the chat transcripts (via email, just to be clear) and the chat transcripts show up quickly in my inbox. Doh.”
The chat log (which Hanselman republished on his blog) is replete with clues that suggest it’s not Hanselman who’s requesting the Kindle. For example, the impostor claims that he or she doesn’t have the order number on hand despite sitting in front of a computer.
It also revealed the fraudster’s address, which contained a strange numeric code that connected it to a global shipping logistics company. Or as Hanselman explains:
“An address with a number after it allows folks to have a package mailed to them in the US, then the package is transparently forwarded overseas. This number points to an account they have with a post office in a country in Southeast Asia. They received packages from all over, consolidate them, then ship them on masse [sic]. This allows governments and companies (and apparently bad guys) to order stuff from companies inside the US, then pay the international shipping and tariffs as a large shipment when it’s sent overseas.”
Hanselman is not alone. As we wrote about in December 2012, the exact same thing happened to Chris Cardinal.
“I love that (Amazon’s) policy is whatever makes the customer happy,” he told us.
“Nearly-no-questions-asked replacement orders are fantastic when there’s a legitimate problem, and it’s something they have to know is abused but they’re chalking up to the cost of doing business. But the scammer isn’t the customer, and if I need to make a legitimate claim that an order wasn’t received, I run a significant risk of getting blowback from Amazon because of history on my account.”
As Hanselman notes, unless the company changes its security policies, incidents like these will only keep happening.
The Daily Dot reached out to Amazon, but a representative for the online retailer has yet to respond.
Photo via texqas/Flickr