Dave, I got an email receipt from Stripe that someone had used my Amazon Pay to buy $1000 worth of Amazon gift cards. It looks legit! Is it, or is it yet another scam? I certainly can’t afford to pay such a huge sum.
There’s no way around it: scammers are getting more sophisticated in their efforts. One reason is that the same AI tools we like to explore for our own productivity also give spammers and scammers the means to create slicker fake emails, voice messages, even direct messages through social media channels. We are all going to need to become quite a bit more diligent in the next decade or so, particularly older members of the family, who are statistically more vulnerable to these scams.
Even ordinary spam messages sometimes do a surprisingly good job of looking real. Most spam email is ridiculous, so it’s easy to know you didn’t, in fact, win a free Fire Tablet or become the recipient of a long-lost royal relation’s inheritance. Heck, most spammers make it easy by having misspellings, emoji in the middle of words, or just terrible grammar. But not always.
The scam you got is very good, actually, and I know because I also received one and for a minute or two felt anxious that someone had hacked my Amazon account somehow and figured out how to use Amazon’s Pay system to grab money out of my account. A bit of research proved it was bogus, however. Let me walk you through the steps…
THE [BOGUS] AMAZON PAY SERVICE RECEIPT EMAIL
Google had already filed this in my spam folder, a first sign it was likely bogus, but I skim my spam folder in case something is erroneously moved into that folder (which happens at least once every day). Here’s the message I saw:
Seems pretty legit and it looks very professional too, as you would expect from Stripe (a credit card processing service and the ostensible origin of this receipt). There is a grammatical hiccup in the second portion of the message – “through your Amazon pay.reflect on your statement”, but nothing egregious.
Scroll down a bit and you can see what the receipt is “for”:
Five $200 Amazon gift cards. That is indeed how criminals would take money from an account: the balance can be turned into a purchase (or transferred) in seconds and is then impossible to reverse. Concerning!
ANALYZE THE EMAIL ADDRESS INFO
The first step to ascertain if it’s legit is to click on the tiny triangle adjacent to “to me” in the top portion of the message so you can see the header and routing information (other email programs have a “show headers” or similar option that offers the same function):
Why would “Amazon Pay” come from a @stripe.com email address? Odd. But it’s the reply-to that’s more interesting: firstname.lastname@example.org
Why “amazonpayservice.com”, not “amazon.com”? That’s the first really big clue it’s a scam.
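The same two checks can be done by a script rather than by eye: does the display name claim a brand whose real domain doesn’t match the sending address, and does the Reply-To point somewhere else again (including a lookalike such as amazonpayservice.com, which is not a subdomain of amazon.com). The following is an added example written for this article, not code from Amazon, Stripe or any mail provider; the brand allow list and the raw message are constructed for illustration, with placeholder addresses rather than the ones from the actual scam.

```python
"""Header-mismatch check for a suspicious 'receipt' email.

Added example (not from the original article): parse a raw message with the
standard library and flag the tells the article describes by hand.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: a small hand-maintained allow list of brands and the registrable
# domains they legitimately send from. Extend it for your own environment.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "stripe": {"stripe.com"},
}

# Constructed sample modelled on the article's message; addresses are placeholders.
SAMPLE_EMAIL = b"""From: Amazon Pay <receipts@stripe.com>
Reply-To: support@amazonpayservice.com
To: victim@example.org
Subject: Your receipt from Amazon Pay Service
Content-Type: text/plain

Five Amazon gift cards were purchased through your Amazon pay.
"""


def registrable_domain(address):
    """Return the last two labels of the address's domain.

    Good enough for .com-style domains; a public-suffix list would be needed
    to handle registries such as co.uk correctly.
    """
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    host = addr.rsplit("@", 1)[1].lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def belongs_to_brand(domain, brand):
    """True only if domain is exactly a brand domain or a subdomain of one.

    Note that 'amazonpayservice.com' does NOT end with '.amazon.com', so a
    lookalike registered by someone else is rejected here.
    """
    return any(domain == d or domain.endswith("." + d)
               for d in BRAND_DOMAINS.get(brand, ()))


def analyze(raw):
    """Return a list of human-readable red flags found in the message headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    from_hdr = msg.get("From", "")
    reply_to = msg.get("Reply-To", "")
    display_name, _ = parseaddr(from_hdr)

    # Which brand does the display name claim to be?
    claimed = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    from_domain = registrable_domain(from_hdr)
    if claimed and not belongs_to_brand(from_domain, claimed):
        flags.append(f"From: claims '{display_name}' but sends from {from_domain}")

    if reply_to:
        rt_domain = registrable_domain(reply_to)
        if rt_domain != from_domain:
            flags.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")
        if claimed and not belongs_to_brand(rt_domain, claimed):
            flags.append(f"Reply-To domain {rt_domain} is not owned by {claimed}")
    return flags


if __name__ == "__main__":
    for flag in analyze(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run against the constructed sample this reports three flags: a From address at stripe.com under an “Amazon Pay” display name, a Reply-To domain that differs from the From domain, and a Reply-To domain Amazon does not own. A genuine message from a subdomain such as payments.amazon.com with no foreign Reply-To produces none.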
DOES AMAZONPAYSERVICE.COM EVEN EXIST?
Notice that the domain is also referenced in the email itself. Let’s see if it’s legit and owned by Amazon! That can be done at whois.com, a simple domain lookup site:
The results are surprising!
Why bother sending a carefully crafted email scam when the return email address won’t work? Because recipients will be panicky and not thinking straight anyway, and they’ll pick up the phone to call once they find the email doesn’t work.
GOOGLE THE PHONE NUMBER BEFORE CALLING
The phone number shown in the email message is +1 833-554-0501. Seems a bit weird that Amazon wouldn’t have a real 800 or 888 number, but it’s possible. What does Google say?
No great matches and it shows up on a page of phone numbers from a .RU (Romania, Eastern Europe) Web site? Definitely not a good sign. If it were an Amazon number it would show up on some Amazon support pages and then be indexed appropriately. Don’t believe me? Try doing a search for 1-888-280-4331 to compare results.
EVEN BETTER, CHECK YOUR AMAZON ACCOUNT
The real way to defuse these scams is to remember that any genuine charge will have a record in your actual account on the site. For example, if you did an actual transaction through Amazon Pay (it’s not called “Amazon Pay Service”), it’d show up on that page of your account. I decided I would check, so I typed in amazon.com to go to the site, then clicked on “Account” from the top right “Accounts & Lists” link. Lots and lots of choices:
Search the page for “Amazon Pay”, or just scroll down to the “Other programs” section:
Sure enough, there’s an “Amazon Pay” link. One more click and you’ll immediately know if the receipt is legit and you were somehow charged $1000, or it’s a scam. For me, no surprise, it does not show up:
Notice also that the URL here is “payments.amazon.com”. As I said earlier, why would Amazon use non-Amazon.com domains?
The long and short of it is that the email is a pretty well-assembled scam, a way to get me to call that phone number and then be pulled into some sort of con, perhaps them warning me that my Amazon account is also going to be shut down immediately if I don’t share my password “with their security team”. The moral of this story? Take a deep breath and think it through, ensuring you can prove through safe and trustworthy external sources whether it’s legit or a scam. Stay safe out there!
Pro Tip: I’ve been writing about online scams for many years. Please check out my spam, scams and security help area while you’re visiting. Thanks!