Recently, Internet evildoers have struck upon a new weakness to exploit: the lack of secure passwords on Amazon Seller Central accounts. The Amazon hackers commit fraud by assuming the third-party Amazon seller’s identity and then diverting the transfer of the funds out of the Amazon account to their account, rather than that of the third-party seller (AKA: stealing). The thievery has plagued eBay for years, but with the exponential growth of Amazon, the fraudsters have now begun setting up quick-buck scams on Seller Central that are akin to creating their own personal cash stations.
Here’s How It Works
Boiled down from recent articles such as “Amazon.com's Third-Party Sellers Hit By Hackers”, it appears to be done in 5 steps:
- The Amazon hackers obtain the username and password of the unsuspecting Amazon account seller and it’s off to the races…
- They tie the Amazon account to their own pop-up bank account and publish a price for an item that is impossible for shoppers to resist
- The sales for the item skyrocket and the money pours into the third-party Amazon seller’s account, which then gets disbursed to the bank account on file (now the fraudulent account), typically every 2 weeks
- The thieves close the fraudulent bank account before anyone contacts them or wises up
- They vanish
The victimized third-party Amazon sellers don’t even have to be actively selling; dormant accounts are just as susceptible.
How Are the Amazon Hackers Getting the Password Information?
Sometimes they contact the third-party Amazon seller via a phishing email, other times by a phone call. Sometimes they won’t contact the seller personally at all, using instead a tricky bot they’ve scripted to get exactly what they want without being detected.
The phishing emails and phone calls are often disguised as contacts from Amazon personnel, asking the third-party Amazon seller account holder to verify their account by providing information. Ironically (and brazenly), they’ll often state they need the info for the seller’s protection. Among the information the sellers are tricked into providing is the true prize sought by the crooks: the Seller Central account owner’s username and password.
How to NOT Be a Victim of Amazon Hackers
Manage the risk by constructing as many roadblocks as possible. You can do this by:
- tightening up on the number of people you permit to access your account, and
- limiting and securing the roles you designate to users, and
- taking steps to beef up those passwords!
About those Emails from Amazon Hackers...
It may look like an email from Amazon, but all third-party sellers need to be sure. Not only might the Amazon hackers seek to elicit info from you by providing a link in the email urging you to go to a web site and fill out a form with your password information, but the email may also contain an attachment carrying a virus that can impact your account in other ways.
Before clicking on any links provided in the email, or before opening any attachment the email may contain, take a moment to look closely at the source of the email. If it seems suspicious, pass on opening it and contact Amazon seller support directly to verify authenticity of the email. Or copy and paste the link into a browser window to examine it and determine if it leads to where you want to be going (Amazon.com).
Hold your passwords close, and go long or go home. Also, change them at least every 3-6 months and don’t recycle them. Also...
- Don’t give out your username and password. Ever! Amazon has that information already and will never contact you to ask for it. Guard it by keeping it a secret. It sounds like common sense, but it is surprising how many sellers give this information to employees. The fewer people you trust with your password, the less susceptible it will be to trickery.
- Use a different password for each site. When any website database is compromised by hackers, they will often try the same email and password combinations on other web sites.
- Make your password long and unique. It should be 12-16 characters and include numbers, punctuation or special characters. The more non-patterned (random), the better. To assure the most random passwords without the risk of forgetting them, use password generator software - most are free and very easy to use.
- Consider Amazon’s Two-Step Verification Option. For extra security you can add a step to the login process. In addition to your password, you would also enter a unique security code in response to a prompt. When you first sign up for this optional level of security, you select how you wish to receive these prompts. You can select to receive the prompts via a voice call, a text message, or an authenticator app.
- Consider next-level password management systems. These include brand names like LastPass, Dashlane, KeePassZ, Sticky Password, etc. These systems generate and store complex passwords in one system. You need remember only one password for everything. Other systems require a single sign-on and are “passwordless.” Your employees never need to know your Seller Central password; instead, they use a one-time code each time they sign into your account. Those systems go by brand names such as Okta, Auth0, Bitium, Biomi, Centrify, GlobalSign, OneLogin, etc.
Limit User Permissions
Limiting user permission can go a long way to securing your third-party seller account by making yourself a smaller target. The fewer people to whom you grant user permissions, the fewer vulnerabilities and opportunities for Amazon hackers. Changes in this area for the better may involve keeping current, keeping a vigil and keeping control. Specifically:
- Make sure current users have been authorized only by YOU.
- Check permissions regularly to assure they are what you need them to be; make sure no one has gained access without your authority, and purge old employees
- Make it part of the daily/weekly running of your business to check this
- Don’t enable users to modify their own permission levels; limit admin ability to one or two people
- Don’t grant users the ability to view and edit the seller bank account
- Try not to make lots of changes to your account settings all at once but, if you must, alert Amazon seller support first so your account does not get flagged and suspended for suspicious activity
- “Seller configuration” allows a person to see the last 4 digits of a credit card - turn off this setting so others cannot verify your account if they file a ticket with Seller Support
- Create a regular user account for yourself and use that one instead of your admin account as much as possible
You can set the alert settings within your seller account to notify you if changes are detected to your account.
New, high growth commerce channels will always attract new highway robbers. Take control and take steps to block their access as much as possible, and rest assured that Amazon is doing its utmost to provide a risk free marketplace.
And remember, Awesome Dynamic® solves problems for all types of Amazon sellers. Feel free to call us with any questions: (800) 238-1811.
The subject of this blog is touched on in discussions at our “Variation on Amazon and Other Topics” webinar.
Other recent anecdotes are related to this subject matter (by no means is the following list exhaustive):