Amazon 'iPhone in your basket' scam warning

Amazon customers continue to be targeted by phone scammers who claim that iPhones or other expensive items have been added to their shopping baskets.
Which? has warned about this scam and others affecting Amazon users before. The scammers' aim is to take over your device and gain access to your bank accounts. Reports of this scam continue to come through on our scam sharer tool, suggesting scammers are still targeting UK Amazon customers.
Here, we look at the tactics being used and explain how you can secure a hacked Amazon account.
How the 'iPhone in your basket' scam works
All of these scams reported to Which? started with a phone call from someone pretending to be from the Amazon fraud department. The callers claimed that the victims' Amazon accounts had been hacked by criminals attempting to steal an iPhone 16 costing £799, or other high-value items such as gift cards.
Many people said the callers addressed them by their full names and they could hear the sounds of busy call centres in the background.
When you log in to your account to check, as instructed, you will indeed find that iPhones or other expensive items have been added to your basket. Several people reported trying to remove these items from their baskets, but they kept reappearing. This is because the scammers have already taken over the account and can simply add these items back in each time.
In a heightened state of panic, you might be persuaded to give them access to your device 'to secure your Amazon account' or transfer money if they convince you that your bank apps have also been compromised.
How scammers hack your Amazon account
There may be slightly different methods at play, depending on the security of your Amazon account.
If you don't have two-factor authentication (2FA), a scammer would only need to crack your username and password. It's worryingly easy for login details to be leaked in data breaches and phishing attacks. They can even be 'guessed', where attackers use programs to test a vast selection of words and phrases, as well as commonly used passwords – known as ‘dictionary attacks’.
If you've added 2FA, this provides an extra layer of security to your account, by asking for a one-time passcode (OTP) to be sent to you by text message or email. But scammers won't give up so easily.
Some phone scammers will have already hacked your email inbox, for example, so that they can trigger an OTP login request and steal the code.
Others will try to trick you into sharing these login codes over the phone (pretending this is a security measure from their end) or into downloading a remote-access app – AnyDesk and Zoho Assist were apps used in the reports to Which? – to take over your computer or phone.
If they do gain control of your phone or computer, they can get into other accounts, such as your banking apps.
Zoe, who came close to losing a whole month's salary to this nasty scam, told us: 'They were very clever in convincing me I was being scammed by someone in California, sending me IP addresses and claiming they were in touch with my bank. I think the app was called AnyDesk. I am so used to using TeamViewer when I need IT support for my work I didn't question it, stupidly.'
The scammer even became aggressive when she realised it might be a scam at the very last minute and refused to co-operate.
'Once I said I wasn't comfortable transferring all my money to a 'safe account' the scammer became a little bit angry and abusive. By this point, three scammers were involved, all passing me around on the phone, saying they were doing different things while the line went silent. I hung up and was pestered by calls from different numbers all morning.'
5 red flags to spot this Amazon impersonation scam
Timing is everything to scammers, as their success often relies on victims being caught at a bad time and struggling to think straight.
The best advice is to end any suspicious phone call politely and contact the relevant business using a secure method. In the case of Amazon, you can select 'Customer Services' from the top navigation bar (this is also where you can report something suspicious, including a dodgy phone call).
Look for these five red flags to help you steer clear of most scam callers:
- They seem to know lots about you: Callers may reel off lots of information that suggests they're legitimate, but remember they may have already done some digging on you, or gained access to your emails and other accounts.
- They create a sense of urgency and panic: Scammers fabricate any scenario to reel you in, including pretending your account has been compromised by hackers looking to steal popular and expensive goods such as iPhones.
- They want a security code: It's easy for an attacker to trigger a genuine security check from Amazon if they already have your username (your phone number or email address) and password, so never share these codes over the phone (anyone asking for these is a scammer).
- They want you to download an app: Victims told us they were asked to download remote-access apps such as AnyDesk and Zoho Assist, or payment apps such as Prezzee (a gift card app), Revolut (an e-money firm), Xoom (a PayPal service for sending money to friends and family) and Zing (an international money app by HSBC). Ignore any cold caller asking you to download apps or files until you can contact the business securely to confirm it's genuine.
- They are rude or persistent: Some scammers become impatient when you don't do exactly what you are told. Anyone can be rude, of course, but they are more likely than a genuine call handler to get there quickly.
What Amazon will never do
Amazon offers lots of advice online to help you spot an impersonation scam, but the first step is to add either 2-Step Verification or a Passkey to make it harder for a scammer to hack into your account.
Try to keep your cool if someone calls you about a security breach. Remember Amazon says it will never ask for payment information over the phone or email – only in the mobile app, its website, or in one of its physical stores – so anyone asking you to do this is a scammer.
It won't ask you to download or install any software to connect with customer services either and it will never ask you to share security codes over the phone (these should only ever be seen and used by you, when you log in to your account from your own device).
If you're even the slightest bit unsure, end the call and contact Amazon through the official app or website instead. Do not call phone numbers sent to you by text or email as these messages may have been sent by scammers.
Amazon told Which?: 'Scammers that attempt to impersonate Amazon put consumers at risk and we will continue to invest in protecting consumers and educating the public on scam avoidance. We encourage consumers to report suspected scams to us so that we can protect their accounts and refer bad actors to law enforcement to help keep consumers safe.'
How to secure your Amazon account
If you get caught out by this scam, call your bank immediately using the number on the back of your bank card and report it to Action Fraud, or call the police on 101 if you’re in Scotland.
You can also report impersonation scams via Amazon's website and secure your account by following these steps:
- Change your Amazon password (we explain how to create a strong one and use a password manager to remember them)
- Remove unauthorised devices (from the Amazon dropdown menu, select 'Manage Your Content and Devices' > 'Devices' > 'Deregister')
- Sign out of all Amazon accounts (you can do this under 'Login & Security' > 'Compromised account?' > 'Step 3: Sign out all apps, devices and web browsers')
If you lost money and Amazon hasn't refunded you, speak to your card provider – unauthorised transactions should be refunded.
How to secure your device if a scammer had remote access
If your computer or phone has been compromised by a scammer using a remote-access app, take these steps to secure your device:
- Disconnect from the wi-fi or unplug the internet cable (for mobile phones, you can also switch off the 3G, 4G or 5G signal) to be sure that you are disconnected from the fraudsters.
- When you've turned the device back on, uninstall the remote control software and remove any other apps that may have been added by the scammer (check for recently installed programs/downloads).
- Reset your passwords for online accounts (current accounts, savings, email etc) and enable two-factor authentication where possible.
- If you have antivirus software, run a full security scan to check for malware.
- To be extra safe, you may want to do a factory reset of your device, or ask an IT expert to confirm the device is safe to reuse.