One of the saddest calls we get is from a seller who has been hacked. Some of our clients have lost tens to hundreds of thousands of dollars to bad actors who seemingly can enter their accounts at will…even when the seller cannot.
The problem was out of control last fall. Amazon finally addressed the issue publicly, but the problem was vastly understated. The announcement came from the UK even though most of our clients were US-based. What made the last round so bad was that Amazon itself was apparently hacked. Bad actors were able to get into sellers’ accounts through Amazon’s systems, as near as we could tell, and keep entering new bank information and emails without being caught by Amazon.
We brought the problem to Amazon’s attention through some of our contacts. We suspected there were bad actors inside of Amazon making this happen. Amazon denies it. Regardless of who was hacking behind the scenes, the effect was that sellers were told they were hacked, but their accounts were NOT frozen. Bad actors were able to divert disbursements again and again and there was nothing the seller could do about it. They couldn’t get Amazon to freeze their accounts. Some tried to close their accounts themselves to get relief.
Just so you know, Amazon’s process when there is a suspected breach of any kind (embezzlement, hacking, etc.) is to freeze the account until things can be sorted out with the account holder. This protects the seller and Amazon.
Several went to law enforcement and were able to get help from their local cyber crimes department. Others went to the FBI or the Secret Service. Ultimately my clients were helped. Some (not all) eventually got their money back. Most are selling again. We learned a lot from these experiences. Hopefully you will never need this information…but just in case.
Q. I can’t get into my Amazon account! Does that mean I’ve been hacked?
It might. Amazon freezes out sellers from their accounts for suspected hacking, yes, but also if they suspect fraud or other serious crimes on your part. Occasionally people get frozen out because of glitches at Amazon. You should get an email if your account has been hacked or if you have been suspended for fraud. Even though bad actors usually change the email addresses in the hacked accounts, Amazon’s policy is to send warnings like this to the old email as well as the new email.
Q. What should I do to get back into my account?
What you should try first is reaching out to Seller Support online. Click on this link to get to Seller Support from outside Amazon.
They will tell you to call: 206-922-0880. This is the team that will help you reset your password and login if they can.
Once you are in, you will want to see if you can find a performance notification or case log file that explains why you were frozen out. If money has been disbursed or inventory removed without your permission, inform Seller Support immediately.
Q. What if I still can’t get in?
If you’ve exhausted your options with the phone numbers above and if they won’t or can’t tell you why your account is frozen, use Twitter or Facebook. There is a team at Amazon that reads tweets and messages sent by social media. You will need to tag Amazon to get their attention, but they are usually pretty fast. They’ll give you a link where you can write up your problem and then they’ll send it to the right group internally. Most of my clients have received a call back or an email within 24 hours using this tactic.
Q. What if I’ve been hacked?
Amazon will need to verify you as the rightful account owner. After all, the hacker could be spoofing your email and pretending to be you. We see that a lot lately with fake IP retractions. Amazon assumes that all digital data has been compromised. We’ve seen them ask for passports/driver’s license, birth certificates, personal social security numbers and more. They may try to contact a relative to vouch for you. Give them what they need. If you’ve ever had your identity stolen, you will understand what you are in for. Assuming you can get back in, you’ll need to check your bank account, Tax ID and other business data to see what was hacked and if they stole money from you.
Then take these steps:
- Report to law enforcement. Then give the filing number to Amazon as proof that you are taking steps to fix the situation. How interested law enforcement is in your case depends on how much money or property you’ve lost. One seller, for example, had all his inventory removed from the warehouses and sent to an address in another state by the bad actor.
- Document everything. Not only will you need it for law enforcement, you will need it for possible future legal action. You will be asked for the same information over and over and over…so make yourself a PDF of all your evidence of the hack and what was taken. Include a timeline of events.
- Hire a forensic computer analyst. Take your computer, phone, tablet and any other device you use to access your Amazon seller account to an expert. If you have trouble finding one, ask a lawyer. These are the guys who testify in court. Their data preservation techniques and third-party neutrality help in lawsuits, and they help in hacking situations. They are very good at finding traces. You want to make sure that the hacker did not get in by inserting software into your machines.
- Beef up your digital security. If you are not using a VPN when you are out of the office, for example, you should from now on. This includes your phone as well as other devices. Never surf the internet naked again.
- Hire a security expert to examine your network at work and make recommendations for programs on your devices that can detect and protect you from hacking. It could be the same person as #3 above. Your virus protection software and firewall are often not enough to stop a determined hacker.
- Fix your passwords. If you are not using at least 10 randomly generated digits, characters and lower/upper-case letters for your passwords right now, get a program like Roboform or LastPass and never repeat a password ever. There are people out there who still use passwords that are easy for them to remember. You know who you are. Stop it now.
- Look around you. Statistically, most cyber theft like this is embezzlement from a trusted employee or relative. Everyone I ever suggested that to was absolutely furious with me, but it’s true. The best person to know your password and get into your account is someone you see every day. Someone you trust. At least consider it. Because guess what? Amazon can tell if it is someone else at your office/home getting into your account. If you can’t show you have a handle on your security problem, they won’t let you back on. I had a client who refused to consider it despite the fact that Amazon TOLD her it was someone on her network doing this. She never sold again. Put your business first. Your honest friends, family and co-workers will have no problem with you taking extra security measures.
- Turn on your Amazon 2-step verification. A lot of folks turn it off for their main laptop, their phone, etc., and log in automatically. It’s a pain, but have it turned on for every browser, every device, every time. Otherwise, someone physically close to you or someone with control over your computer/phone can get into your account when you aren’t looking.
- Put your account on hold. If you gain access to your account, put it in vacation mode until you feel comfortable that it won’t happen again. Once you talk to Amazon about what happened, take their lead. They’ll give you advice about your account. Once they are alerted to the problem, they will be monitoring the situation and will shut down your account if the bank account or email is changed.
Q. How do I report to the FBI or Secret Service?
Justice Department – There’s a page with everything you need to know about reporting a federal cyber crime. Most Amazon hacking is federal because the hack, money or inventory crosses state – and sometimes international – borders.
Internet Crime Complaint Center – a reliable (do you trust the government when they say that?) reporting mechanism to submit information to the FBI. Even if nothing was stolen or the value was low, you should report it. Sometimes these bad actors are part of a larger crime group. Law enforcement may already be working on a case.
FBI find-a-field-office – for those of you who want to look a person in the eye and turn over your evidence.
Secret Service find-a-field-office — for those of you who want to look a person in the eye and turn over your evidence. See below to determine if your case should go to the Secret Service.
Q. Which agency should I go to?
First you should see if your local police force has a Cyber Crime Division and start there. The FBI is the next step (and your local Cyber Crime officer can help you contact them) when there is money or property transported across state lines. This kind of hack is also considered identity theft, which is a key initiative of the FBI.
The Secret Service is most interested in international hacking rings and money transported out of the country. If the hacker also inserted software into YOUR machine, then the Secret Service might make sense. They have a database of this kind of hack and can often identify whether the hacker is part of a larger group by how your system was breached. It is most likely the FBI would contact the Secret Service if this is suspected.
Q. What does law enforcement need from me?
- Take a copy of Amazon Law Enforcement Guidelines for them, just in case
- Amazon’s address for legal processes:
  Corporation Service Company
  300 Deschutes Way SW, Suite 304
  Tumwater, WA 98501
  Attn: Legal Department – Legal Process
- Amazon’s law enforcement email – these may no longer be accurate, but they were previously: [email protected] or [email protected]. As you know, Amazon keeps changing its emails. Have the police try this before mailing to the address above. It’s faster.
- Timeline of events
- Amount of $ or physical property stolen. You can run reports and/or take screenshots to prove your loss.
- Bank account and email used by bad actor.
- Proof of your identity, your business and your bank account
- Your seller email and seller ID. They will need that to communicate with Amazon about you.
- An affidavit giving Amazon permission to share your seller information with law enforcement. Get it notarized. It will make it easier for Amazon to cooperate with law enforcement.
I suggest having everything on a thumb drive and having physical copies that you can leave with the police. The notarized affidavit will need to be an original, most likely, so sign multiple copies in case you work with multiple groups.
Once you have the police report number, give it to your insurance company and Amazon.
Q. What if the hack is at Amazon and not with me?
In this case, if you are confident that it is not your system or you personally that has been hacked, go to the FBI and report to the Cyber Action Team that you believe Amazon has been hacked and why. If they believe your report is credible, they will reach out to Amazon and take it from there.
One indicator that it is Amazon and not you is if your account is NOT frozen, but the email, password and bank account are changed. You notified Amazon of the theft and your account is still open. That’s what happened to our clients last year. The bad guys kept their account open and kept stealing their money. Once you’ve changed your password and taken greater security measures, it’s more likely to be Amazon.
Q. Should I tell Amazon?
Yes. If they’ve been hacked, literally millions of Amazon seller accounts are at risk. Most likely what will happen is that law enforcement will reach out to them for you, but you can also tell Amazon that you’ve informed the FBI’s Cyber Action Team and provide them with a report number/case ID so they can talk to the FBI themselves.
If you have a local Cyber Crime officer working on your case, have him or her reach out to Amazon (see details above). The police are much more credible to Amazon.
Q. What if I was the one that was hacked?
You should tell Amazon, and request they unfreeze your account. Provide them with your case ID from the police and tell them the specific steps you have taken (not “will take,” taken) to make sure it never happens again. Write it like an appeal. Give the root cause, the steps you took and then what you’ve put in place to make sure it never happens again. We help our clients with these types of appeals if you need it.
Q. How much does all this cost?
A lot. Not only are you not selling every day, the forensic search can cost hundreds to thousands of dollars, depending upon the number of devices. Hiring a security expert to review your network for weaknesses will cost a few hundred if you are a small operation. There could be costs for proof of your identity like a birth certificate or social security number (do you know where your card is? Most of us don’t.)
Q. Will my insurance cover my loss?
Obviously, this depends on your policy. Now might be a good time to refresh the details in your mind. Even if your loss is covered, you probably have a deductible and the insurance company usually has a ceiling on how much they pay. Lastly, the insurance company is going to want assurances that this theft was not due to negligence by you before writing a check. Your police report will help, but you may also want to talk to a lawyer before you report your loss on that recorded line. Insurance companies are looking for reasons to say “no,” particularly if the claim is large. You don’t think it is your fault. They might not agree with you.
Some sellers didn’t have insurance, so this loss hit them hard.
Q. Will they eventually trace my money and get it back to me?
Maybe. Some sellers got lucky and eventually their money was traced and retrieved. I wouldn’t count on it though. Sophisticated hackers have already thought out how they are going to hide the money from law enforcement.
Q. Will Amazon reimburse me?
No. Here are some of the relevant passages from our agreement with Amazon:
“…You are responsible for maintaining the confidentiality of your account and password and for restricting access to your account, and you agree to accept responsibility for all activities that occur under your account or password…”
“AMAZON WILL NOT BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM THE USE OF ANY AMAZON SERVICE, OR FROM ANY INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH ANY AMAZON SERVICE, INCLUDING, BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES, UNLESS OTHERWISE SPECIFIED IN WRITING.”
In short, Amazon’s responsible for nothing.
Hopefully none of you will ever need this information. Hacking is rare compared to other Amazon suspensions, but it does not hurt to be proactive. If your security protocol could use improvement, take the time now to protect yourself, and while you may be confident that everyone around you is trustworthy, having 2-step verification always on and changing your passwords is just smart business. I imagine many of you have programs to wipe your phones or laptops if they are lost. This is just one more sensible precaution. Your livelihood is at stake and Amazon is not going to reimburse you if something goes wrong.