Amazon Prime Day Phishing Scam Spreading Now!


Amazon launched Prime Day in 2015 during the company’s 20th anniversary. And they’ve been stepping up their game ever since. To date, Prime Day is hailed as the biggest shopping event in the company’s history, surpassing its 2016 Black Friday and Cyber Monday revenue.

Phishing emails are a popular tool for cybercriminals. They are extremely successful at finding new victims with these scams. Recognizing fraudulent messages that look official can be difficult to the untrained eye.

It will be no surprise, then, if Prime Day 2018 turns out even bigger than last year, and cybercriminals may be counting on this.

Watch out for this Amazon Prime Day phishing attack

What we're talking about is an Amazon Prime Day phishing email scam that is spreading like wildfire. The email thanks the recipient for a recent order on Amazon.com. It goes on to say you're invited to write a quick review of the product, and that you'll receive a $50 bonus for your time.

Here is what the phishing scam looks like:

[Image: screenshot of the phishing email]

As you can see, there is a link provided inside the email to review and print the reward.

Warning! Do NOT click on the provided link, it's malicious.

The criminals behind the attack can change the malicious link's payload at any time. The link currently takes you to a spoofed Amazon page that asks for your login credentials. It can be changed at any point, leading instead to malware that infects your computer or even ransomware that encrypts the critical files on your gadget.

These types of attacks are on the rise. That's why you need to know what to watch for and how to handle the situation when it arises.

Here are suggestions from Amazon on how to recognize a phishing attack:

  • Fake orders - If you receive an email claiming to be from Amazon confirming an order that you did not place, it's a scam. Instead of clicking links within the email, type Amazon.com into your browser, sign in and go to the Your Orders page to verify your purchases. If you didn't buy the item from the email, it's a phishing scam.
  • Credential request - Amazon does not send emails requesting your username and/or password. If you receive an email like this, it's a scam.
  • Update payment information - You should never click a link within an email asking you to update your payment information. Instead, go to your Amazon account and click Manage Payment Options in the Payment section. If you are not prompted to update your payment method on that screen, the email is not from Amazon.
  • Fraudulent links - If you receive an email with a link that supposedly goes to Amazon, hover over the link with your cursor. If the address shown does not say that it's going to direct you to Amazon, it's a phishing scam.
  • Attachments - Emails purportedly from Amazon that contain attachments or prompts to install software on your computer are scams.

If you receive an email from Amazon that you suspect is fraudulent, you need to report it to Amazon.

How to protect against phishing attacks:

  • Be cautious with links - If you get an email or notification that you find suspicious, don't click on its links. It could be a phishing attack. It's always better to type a website's address directly into a browser than clicking on a link.
  • Do NOT enable macros - You should never download PDF, Word or Excel files attached to unsolicited emails to begin with. If you do open one of these documents and it says that you need to turn on macros, close the file and delete it immediately.
  • Watch for typos - Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos.
  • Use unique passwords - Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it's simple for the cybercriminal to get into each account. 
  • Set up two-factor authentication - Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. It's like the DMV or bank asking for two forms of ID.
  • Check your online accounts - The site Have I Been Pwned allows you to check if your email address has been compromised in a data breach.
  • Have strong security software - Having strong protection on your gadgets is very important.
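The "hover over the link" check above (and the "be cautious with links" tip) can be automated: extract every link from an email's HTML, look at the host the link actually points to, and flag any whose visible text claims to be Amazon while the destination is some other domain. The following is an added example, not code from the article or from Amazon; the sample email body is constructed to mimic the "$50 reward" lure, and the trusted-host list (`TRUSTED_HOSTS`) is an assumption for the brand the email claims to be from.

```python
"""Flag deceptive links in an HTML email: the visible text claims one
destination while the href points to a different (or look-alike) host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the phishing lure described above.
# Link 1: text says amazon.com, href is a look-alike domain (mismatch).
# Link 2: a genuine Amazon host (ok).
# Link 3: no brand claim in the text, but an external look-alike host.
SAMPLE_EMAIL_HTML = """
<p>Thank you for your recent order on Amazon.com!</p>
<p>Write a quick review and receive a $50 bonus for your time.</p>
<a href="http://amazon.com-review-reward.example/login">www.amazon.com/review</a>
<a href="https://www.amazon.com/gp/css/order-history">Your Orders</a>
<a href="https://amazon.com.evil.example/">Click here to print your reward</a>
"""

# Assumption: the registered domain(s) the email claims to come from.
TRUSTED_HOSTS = ("amazon.com",)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True only if host IS a trusted domain or a real subdomain of one.
    'amazon.com.evil.example' and 'amazon.com-reward.example' both fail."""
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def classify_links(html, trusted=TRUSTED_HOSTS):
    """Return one record per link with a verdict: ok / mismatch / external."""
    parser = _LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = urlparse(href).hostname  # None for javascript:/mailto: hrefs
        claims_brand = any(t in text.lower() for t in trusted)
        if host_is_trusted(host, trusted):
            verdict = "ok"
        elif claims_brand:
            verdict = "mismatch"  # text names the brand, href goes elsewhere
        else:
            verdict = "external"
        results.append({"href": href, "text": text, "host": host, "verdict": verdict})
    return results


def suspicious_links(html, trusted=TRUSTED_HOSTS):
    """Every link a recipient should not click without checking further."""
    return [r for r in classify_links(html, trusted) if r["verdict"] != "ok"]


if __name__ == "__main__":
    for r in classify_links(SAMPLE_EMAIL_HTML):
        print(f"{r['verdict']:9s} {r['host']!s:40s} text={r['text']!r}")
```

The host check deliberately compares whole domain labels rather than searching for the string "amazon.com" anywhere in the URL, because look-alike hosts such as `amazon.com.evil.example` are exactly what the hover check is meant to catch. Run against the sample, the first and third links are reported and only the real `www.amazon.com` link passes.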

The Average Cost Of A Data Breach Is Highest In The U.S.

Globally, the impact of a data breach on an organization averages $3.86 million, though more serious "mega breaches" can cost hundreds of millions of dollars. IBM's 2018 Cost of a Data Breach study was compiled from interviews with more than 2,200 IT, data protection and compliance professionals from 477 companies, and it provides an interesting insight into one of the most serious problems facing companies today.

[Image: chart of average data breach cost]

The potential cost of an incident depends on several factors, with the financial impact rising in line with the number of records stolen. On average, each record costs $148; a breach of 1 million records costs $40 million, while a breach of 50 million costs $350 million. The research also found that the efficiency in identifying an incident and the speed of the response have a huge impact on its overall cost. On average, it took companies 197 days to identify a data breach and 69 days to contain it.

Average total costs of a data breach also varied heavily between countries, with the United States the hardest hit. In 2018, an average incident cost U.S. firms $7.91 million, while in Canada and Germany the impact is lower at less than $5 million. Indian and Brazilian companies have the lowest average cost of a data breach at $1.77 million and $1.24 million respectively.

Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users


The Timehop social media app was hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users.

Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine, showing you what you were doing on this very day exactly a year ago.

The company revealed on Sunday that unknown attacker(s) managed to break into its cloud computing environment and access the data of all 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.

"We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website.

Social Media OAuth2 Tokens Also Compromised

Moreover, the attackers also got their hands on authorization tokens (keys) provided by other social networking sites to Timehop for gaining access to your social media posts and images.

With access to these tokens, hackers could view some of your posts on Facebook and other social networks without your permission.

However, Timehop claims that all the compromised tokens were deauthorized and made invalid within a "short time window" after the company detected the breach on its network on July 4th at 4:23 PM Eastern Time.

Since the company was not using two-factor authentication, the attacker(s) were able to gain access to its cloud computing environment using a compromised credential.

Timehop has now taken some new security measures that include system-wide multifactor authentication to secure its authorization and access controls on all accounts.

Timehop immediately logged all of its users out of the app after the company invalidated all API credentials, which means you will need to re-authenticate each of your social media accounts to the app when you log into your Timehop account, so that a new token is generated.

The company is also working with security experts and incident response professionals, local and federal law enforcement officials, and its social media providers to minimize the impact of the breach on its users.

Ticketmaster Suffers Security Breach – Personal and Payment Data Stolen


Global entertainment ticketing service Ticketmaster has admitted that the company has suffered a security breach, warning customers that their personal and payment information may have been accessed by an unknown third party.

The company has blamed a third-party customer support chat application for the data breach, which is believed to affect tens of thousands of its customers. The chat application, made by Inbenta Technologies, a third-party artificial intelligence tech supplier, is used to help major websites interact with their customers.

In its statement, Ticketmaster said it discovered malicious software on the customer support application hosted on its UK website that allowed attackers to extract personal and payment information from customers buying tickets.

Ticketmaster said that it has emailed all affected customers, and is offering 12 months of free identity monitoring service to those who have been impacted.

Affected customers are also advised to keep a close eye on their bank account transactions for signs of any suspicious activity, and to notify their banks immediately if they find any.

Users are also advised to be cautious if they receive any suspicious or unrecognized phone call, text message, or email from anyone saying they must pay taxes or a debt immediately, even if the caller can quote their personal information.

The Orlando Police Department Is Ending Its Test of Amazon Facial Recognition Tech—For Now

Orlando will not be renewing its contract with Amazon.

The city’s police department had been one of two in an Amazon pilot program to incorporate its facial recognition software, Rekognition, into law enforcement. But the program has come under fire from civil liberties groups and even some Amazon investors over concerns that the technology could be used for mass surveillance.

In a letter to Orlando’s mayor and city council on Monday, the legal director of the American Civil Liberties Union of Florida urged the police department to end its use of the technology.

In a joint statement, the city and the Police Department said the contract “remains expired” but left open the possibility of reinstating it or trying other types of software: “The City of Orlando is always looking for new solutions to further our ability to keep our residents and visitors safe. Partnering with innovative companies to test new technology—while also ensuring we uphold privacy laws and in no way violate the rights of others—is critical to us as we work to further keep our community safe.”

Amazon Rekognition is also being tested in Washington County, Oregon. The technology remains in use. In an email to The New York Times the Sheriff’s Office said, “The Sheriff’s Office has not, and will not, utilize this technology for mass or real-time surveillance. That use is prohibited by both Oregon state law and our own policy.”