Scammers Impersonate Amazon Support to Hijack Customer Accounts
What Happened
Cybercriminals are running a high‑volume “spray and pray” phishing campaign that pretends to be an Amazon product‑recall notice. Recipients receive an email claiming an item from a recent order is unsafe; the embedded link leads to a counterfeit Amazon login page that harvests usernames and passwords. The campaign has persisted beyond the holiday season and targets Amazon’s 310 million active customers.
Why It Matters for TPRM
- Theft of customer credentials for a major platform such as Amazon can cascade into downstream supply‑chain attacks on any organization that integrates with Amazon services (e.g., AWS, Marketplace, procurement).
- Reused passwords or compromised Amazon accounts expose corporate expense cards, internal procurement workflows, and employee personal data.
- The sheer scale of the campaign highlights the need to continuously monitor whether vendors enforce phishing‑resistant authentication controls.
Who Is Affected
- Retail and e‑commerce businesses that rely on Amazon for order fulfillment or marketplace sales.
- Enterprises using Amazon Web Services (AWS) or Amazon Business accounts for procurement.
- Employees and consumers who maintain personal Amazon accounts that may share passwords with corporate systems.
Recommended Actions
- Review all internal processes that depend on Amazon credentials and ensure MFA is enforced.
- Validate that phishing‑detection and web‑protection tools are active and up‑to‑date across the organization.
- Ask Amazon to confirm its current account‑security guidance and what incident‑response support it offers.
- Conduct a credential‑reuse audit for any accounts that share passwords with Amazon.
- Educate users on verifying recall notices via the official Amazon Message Centre rather than clicking links.
Technical Notes
- Attack vector: Phishing email with a fake product‑recall lure → malicious link → credential‑harvesting login page.
- CVEs: None reported.
- Data types exposed: Amazon usernames, passwords, and potentially linked payment information.
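As an added illustration of the attack vector above (not code from the original advisory or from Malwarebytes), the following Python triage check flags recall‑themed mail whose sender or links resolve to anything other than a genuine Amazon domain. The two sample messages are constructed, the `.example` hosts are placeholders, and the Amazon domain list is an assumption to be extended with the regional storefronts your organization actually uses.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Domains Amazon uses for customer-facing mail and links (assumption for this example:
# extend with the regional storefronts your organization transacts with).
AMAZON_DOMAINS = ("amazon.com", "amazon.co.uk", "amazon.de", "amazon.ca", "amazon.in")
LURE_RE = re.compile(r"\b(recall(ed)?|unsafe|safety (notice|alert)|hazard)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def is_amazon_host(host):
    """True only for an Amazon apex domain or a subdomain of one; lookalikes such as
    amazon.com.<something>.example fail because the suffix match is anchored on a dot."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AMAZON_DOMAINS)

def assess_recall_email(raw):
    """Triage one raw RFC 822 message (single-part HTML, as the recall lure is sent)."""
    msg = message_from_string(raw)
    sender_host = msg.get("From", "").rsplit("@", 1)[-1].strip("<> ")
    body = msg.get_payload()
    findings = []
    if not is_amazon_host(sender_host):
        findings.append(f"sender domain {sender_host!r} is not an Amazon domain")
    for href, text in ANCHOR_RE.findall(body):  # every link the user could click
        link_host = urlsplit(href).hostname
        if not is_amazon_host(link_host):
            findings.append(f"link to non-Amazon host {link_host!r} (anchor text {text.strip()!r})")
    lure = bool(LURE_RE.search(msg.get("Subject", "") + " " + body))
    # Only a recall lure combined with off-brand infrastructure is reported as suspicious.
    return {"recall_lure": lure, "suspicious": lure and bool(findings), "findings": findings}

# Constructed samples: a recall-lure phish and a benign shipping notice.
PHISH = """\
From: Amazon Customer Service <recall-notice@amazon-support-center.example>
Subject: Urgent: product recall affecting your recent order
Content-Type: text/html

<p>An item in your recent order has been recalled as unsafe. Sign in to confirm.</p>
<a href="https://amazon.com.verify-account.example/ap/signin">Sign in to amazon.com</a>
"""
LEGIT = """\
From: Amazon.com <no-reply@amazon.com>
Subject: Your order has shipped
Content-Type: text/html

<p>Track your package.</p>
<a href="https://www.amazon.com/gp/css/order-history">View your orders</a>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, assess_recall_email(sample))
```

The anchor text check matters here because the lure's visible text reads "amazon.com" while the href points at a lookalike host; a real recall notice also appears in the Amazon Message Centre, which this check cannot see.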
Source: Malwarebytes Labs – Scammers pose as Amazon support to steal your account