On Wednesday my husband got an email from Amazon asking him to manage a subscription for prime video which I knew to be a scam as he never uses Amazon but has an account through his kindle.
Worryingly the email has our correct credit agricole bank account number.
I have reported the scam to Amazon, changed my codes on C/A log in .
Yesterday I visited the bank for further advice and other than telling me not to click on any links or respond to emails she didn’t seem worried.
I realise that changing our bank account details would be a huge thing but I can’t help but feel vulnerable.
I am pretty sure that a Bouygues security breach 2 years ago has caused this.
If it was a real scam and nothing he might of clicked by mistake I would have them change my account number. That isn’t something that is easy to get and could cause problems. It will be annoying to change it but not worth the risk imo
Does the bank login comprise the email address used in the Amazon email? If so, perhaps worth changing that. Consider setting up a new email address (or an alias) and systematically moving logins across to that starting with the highest risk / sensitivity accounts?
A good thought, my little research however should hopefully put your mind at rest -
This from the European Payments Council website -
The SDD schemes offer complete protection to the payer
Thanks to a number of rules, the SDD schemes put security to the fore.
PSPs must ensure that only trustworthy billers are allowed to use SDD. This is in the interest of the billers’ PSPs, as they would have to cover any losses resulting from fraudulent and / or erroneous direct debits. The risk of any fraudulent or erroneous SDD payment is borne by the biller’s PSP – never by the payer.
As each SDD mandate is uniquely identifiable (based on the combination of the ‘Unique Mandate Reference’ and the ‘Creditor Identifier’), each SDD collection can be traced back – immediately and unmistakably – to the biller. As a result, any biller collecting SDDs can be rapidly and unequivocally identified.
Payers can get their money back: in the SDD Core scheme, a refund is possible up to eight weeks after the transaction without supplying any justification; in the case of an unauthorised direct debit, a refund request can be made up to 13 months after the transaction.
And finally, in the SDD Core scheme, any individual has the right to ask their PSP to add an extra layer of control. The payer can ask their PSP to block collections on their accounts through the use of whitelists or blacklists of billers, to set a maximum number of collections allowed within a certain period or a specific maximum amount per collection. These rights and others are listed in the SEPA Regulation.
Presumably you pay Amazon by credit card? I don’t think this gives access to your bank account but your card may be compromised and should be cancelled.
Even if you only download free Kindle books your Amazon account still has to be linked to some form of credit card. I recently went through the same problem and cancelling a card and waiting for a new one is a pain I could have done without.
Since then, I have taken out a Revolut card. I pay for all internet purchase with that. You simply transfer some money to it to spend and you are only ever at risk for that amount. If it gets lost or stolen you just order another card and write off the amount left on it (unless you can get onto the Revolut app quickly enough to stop it).
A bonus of a Revolut card that I like is that you get an instant notification on our phone when any money is withdrawn from the card,
I am a financial numpty, so perhaps others will correct me if I am wrong but it feels pretty safe to me.
On further thinking, Amazon doesn’t have access to your bank account information. The scammer might have got your bank account number from somewhere else and is simply pretending to be Amazon to get further details.
I have had the same scam but they can’t do any harm if they can’t log in to your account if they have your IBAN number all they can do is make a deposit