Season 1, Episode 90
Amazon Seller Account Security
[00:00:07] Chris: hey everybody, this is Chris McCabe. Welcome back to Seller Performance Solutions, our illustrious podcast with my colleague Leah McHugh. Hey, Leah, how are you?
[00:00:16] Leah: Good, thanks. How are you, Chris?
[00:00:17] Chris: Good. Today talking about something really, really important, and I hope everyone thinks about this content and what they’re doing and their best practices around preventing account compromises or a hack. I know that word gets used in a lot of different contexts, but we do hear from sellers who say, I was hacked and sometimes they don’t really explain what that means. So we’re talking about account compromises, where you lose control of your Amazon account. Could be from a variety of different avenues and we’ll discuss that in a moment.
But somebody else takes over your account, changes the password, locks you out of it, and then you have to try to regain control of it.
[00:00:55] Leah: Or just changes the bank account details.
[00:00:57] Chris: Yes. Oh, that’s one of the things we’re going to talk about. Sometimes they’re just trying to change those details.
Hopefully you don’t notice from their perspective, you don’t notice. And they get the money transferred overseas, which I think used to be a lot more common than it is now because it happened to so many people. What was that in 2018, 2019 that Amazon was just making sure that everyone would use two factor.
[00:01:26] Leah: Well, they also now send an email to the primary when the bank account details are changed, just to like confirm that that’s been changed. And if that wasn’t you, you should probably let them know. And also, they seem to be a lot quicker to flag an account as compromised than they were previously. So that is getting caught quicker before you lose all of your funds.
[00:01:45] Chris: Maybe we should start there because the problem three, four years ago was that a lot of these investigations were taking too long, they were way behind in the queue. So by the time they saw the email from the seller, from the primary, and of course if the primary email that they got the email from didn’t match the account, they wouldn’t even find the account, right?
But a couple of days might have passed before they saw how much damage was created by the new party who was doing god knows what on the account, trying to disperse the funds, putting up new listings, whatever it was. And they were way, way behind. So they had to change things back then because so much money was leaving the building and it just made them look bad even if it wasn’t exactly Amazon’s fault that the account had been compromised, even if they thought it was seller faulted.
[00:02:37] Leah: Right. And I think that there were a few articles in the media as well about this, which also tends to prompt action from Amazon’s side.
[00:02:45] Chris: And also, if you’re a victim of a crime like this and you go to Amazon and say, well, all the money was sent out, am I getting that back?
I mean, what if Amazon just said no and you were owed 6 figures?
[00:02:55] Leah: I think they did so no in some instances didn’t they?
[00:02:58] Chris: They said no to some people who contacted us. That’s what we remember but as time went on and it happened to more people, they would say yes more often and they might’ve started getting legal demand letters just in terms of the funds disbursements.
Maybe there were some arbitration cases around it. But long story short, Amazon had to up their game when it came to security.
[00:03:19] Leah: Or long story short, an actuary realized that it was cheaper to pay out the money than to arbitrate all of these cases.
[00:03:25] Chris: Exactly, exactly.
[00:03:26] Leah: Who’s cynical? Not us.
[00:03:29] Chris: So, they did pay out a lot of the funds as the trickle became a flood and then on their side, they understood the incentive to bolster their team’s tools and SOPs around account compromises.
[00:03:43] Leah: Well, something that you just said I’d like to point out, which isn’t really about preventing an account compromise, but it’s making sure you have information just in case you are compromised. Make a note somewhere of your merchant token. So if your primary email does get changed at some point you don’t run into the issue that Chris just talked about, about Amazon not being able to find the account that you’re talking about because the primary you’re getting them is no longer the primary.
Have that noted somewhere even just like on a piece of paper in case your computer gets hacked. Just having that noted somewhere. So if need be, you can identify your account correctly to Amazon quickly and easily, rather than having to go back and forth with them not being able to find your account.
[00:04:21] Chris: Right. That’s what I was alluding to when I said you’re emailing from an email that’s no longer the primary and they can’t find an account associated. You’d have to put the merchant token in the subject line and like you said, you might not have that, but I’m glad we’re talking about primary emails because there’s different kinds of account compromises, right?
There’s you lost control of your seller central account and then there’s the type where you’ve lost your entire email inbox. There’s email security too. If you lose control of the primary. That’s a bigger problem, of course, but it just means that somebody else is seeing the performance notifications, the email, the primary hasn’t necessarily changed, but you don’t own it anymore.
[00:04:58] Leah: Yeah, and so that’s why, generally speaking, we recommend that people only use their primary email as their primary email. Don’t use it for anything else. I’m still seeing a lot of sellers where their primary email is like their customer support email address or the SEO’s email address and it’s a publicly facing email. It’s getting a lot of mail and also it makes it easier for hackers to guess which email is the primary on the account. If you’re using it for everything to do with Amazon, you want to only use that email for your Amazon account. We actually had one client who their primary was receive only we had to get them to change it so they could send the emails from that account because they literally only used it for logging into their account and receiving notifications and that is, I mean, you probably wanna have it be able to send as well, but that is how you should be using your primary email.
You want it to be like a secret key to your account that nobody else has access to. Nobody else knows what it is because it vastly reduces the chance of your email being hacked and then also your account being taken over.
[00:06:09] Chris: Yeah, and if somebody contacts Amazon trying to pretend that they’re you in other ways, let’s say if they know the primary email already, they’re way down that path. It’s much better if they have no idea what that primary is or if they can’t even reasonably guess what it might be and if it’s a public facing email, like you said, that’s at least one guess. You might have multiple public facing emails. You might have marketing emails sent. I mean, if they’ve already got your domain, then if they can go on LinkedIn or look on the site and and see what a few names look like. They could do Karen @ and then your domain and then they’re like most of the way there.
[00:06:48] Leah: Well, and a secret email is that you’re not using for anything else is much less likely to receive any sort of phishing emails, which is another way that people tend to gain control of accounts. They send you an email, there’s a link in it that you shouldn’t be clicking, and because you think it’s Amazon, you click it and now they have access to your account, which is my next point. Don’t click any links, in email sent to your primary email address. Go directly to Seller Central by typing it into the url and log in directly. Don’t click any links that are prompting you to update information on your account or prompting you to log into your account. Just type that in separately because otherwise, It’s not highly likely that it’s a fishing exercise but it increases your risk.
[00:07:31] Chris: There’s a ton more of that. I mean, most people know about phishing emails at this point.
They get stray emails that look like they’re from their bank, but might not be. Or you get an email from Wells Fargo and you think, oh, I don’t actually do Wells Fargo. That’s interesting. The worst thing you can do is click a link that you think you’re signing into your bank. Why not just go to your bank’s website and sign in.
[00:07:52] Leah: Yeah. And my cybersecurity friends like to say that the weakest link in cybersecurity is humans. Yeah. So you’re much more likely to be hacked because of clicking something that you’re not supposed to or giving information that you’re not supposed to, rather than somebody furiously coding on their computer to gain access to your account.
[00:08:11] Chris: Yeah, exactly. And also how many people have control of your primary, you know, within your organization. Is it one, is it five? Maybe one’s not so great. If that person’s on vacation and no one can access the primary, that’s a problem. But having tons and tons of people that have access to that email is just increasing the odds of something going wrong.
[00:08:31] Leah: Yeah. And that’s something else that I see a lot of still, where sellers don’t create different user accounts for everybody that’s logging into their account. So everybody’s using the primary. I mean, I still have people offering me their primary to log into their account and I’m like, no, no, no, no, no. Don’t gimme that.
[00:08:45] Chris: We still see that a lot, right? We have a lot of sellers contacting us, saying, I’m just gonna give you my credentials so you can sign in and look at my performance notifications. First of all, if you’re the owner and the manager of that account, you should know how to sign in and where the performance notifications are.
So you can read them yourself for your own purposes, let alone for ours if you need our help. But secondarily, you never want to be sharing credentials like that. You need to create unique user admins.
[00:09:11] Leah: Well, and people have offered me their credentials before they’ve even paid us or signed a contract.
Don’t give out those credentials, your employees should have their own login credentials to log into your account because whoever accesses the primary has control of your account. They can change bank details, they can change the login information, they can change who has access to your account.
So, like Chris said, you really only want you and like a backup person to have the primary login. Otherwise, you’re increasing the risk and also increasing the risk of a related account suspension. Secondarily because you’re getting all kinds of weird IP hits on the primary email.
[00:09:50] Chris: And it might happen at a weird time, you know, midnight on a Friday night. And we’ve talked to people who didn’t know it happened until Monday morning. They didn’t sign into the account. Nobody was responsible for anything over the weekend, I guess, or over a holiday. There’s a reason for the timing.
They’re counting on you, not noticing. And also you can’t just contact Amazon and say, well, this is our primary email. We didn’t get a performance notification. If the primary was changed, you might not have gotten anything so that’s kind of part of it.
[00:10:21] Leah: So keep your primary email to yourself. Think of it like a secret key. That’s how I like to think of it only you and one other trusted person should have that information.
[00:10:29] Chris: Yeah. And then let’s jump into the conversation about service providers having access and the best practices way of handling that, of course, is make sure you interview or examine your service provider for how they access the account, what their procedures are. Are they robust? Are they familiar? Maybe the best place to start, are they familiar with the incident of account compromises and how to prevent them or are they very loose security wise?
[00:10:57] Leah: Well, and same thing if your service provider is using the same email to log into all of their client’s accounts. I mean, one vastly increasing the risk of a related account suspension as well, but two, I mean, that’s a known email. The security there isn’t great either.
[00:11:13] Chris: And if they’re signing into a suspended account, Think of the IP address or the timing of it, or are they going to be using an address on your behalf?
I mean, there’s all kinds of service providers, right? Will they be using a physical address on your behalf for like returns that they’re using for other customers? So that’s an address relation in Amazon’s tools. Are they using the same mobile number, right? Across however many accounts? Well, that’s going to link all those accounts together.
[00:11:44] Leah: Yeah, exactly. And again, you know, the likelihood of that email, if they’re using the same email, that email’s probably getting phishing emails as well and all of a sudden you have, who knows how many compromised accounts. Again, the compromise at least won’t be with the primary, so that’s good. But you still potentially have somebody accessing your account that you don’t wanna have access to your account.
[00:12:03] Chris: Right. And it can take a while to sort this stuff out, even if it seems straightforward, I can prove my identity and the other party can’t. People have wasted time with seller support tickets or cases that go nowhere.
People have sent emails to Jeff at executive seller relations and that takes time to sift through. Some of this can stretch from days into weeks for sellers that aren’t savvy. So the idea that this can be easily remedied within an hour, I mean, I hope that’s true for some people at least, but that could be a minor percentage of cases that we hear from.
[00:12:39] Leah: Yeah, I mean, I’ve even had people where we’ve called into catalog because there was an incorrect change on their listing. And catalog was like, well, the change came from your account so they didn’t make the change. So somebody clearly had accessed the account to change their listings to either try to get them in trouble or make them sell less.
[00:12:57] Chris: Well, and on top of that, we’ve seen some recent examples of either service providers or other interested parties, could be investors, where there’s simply too many people added. There’s just long lists of users added to an account and it’s like do they really need all of those? You’re upping the odds that something’s going to go wrong. And also I think some of those employees or investors, whoever they might be, Aren’t savvy with either computer security or Amazon type issues and so they’re more prone just from a lack of training. Maybe we can talk about training for a minute, just because the more amateur level people that are involved in signing into an account, I think the more likely things are to go wrong.
[00:13:40] Leah: Yeah. And again, the more likely they are to click on a phishing link than somebody who’s a little bit more savvy with how the online world works. so I just wanna recap because these are important steps that people should be taking and I don’t want it to get lost in our cynical discussion about how Amazon works . So number one, note your merchant token somewhere outside of your account just in case. Two, your primary email should only be your primary email. Don’t use it for anybody else, anything else. Don’t send emails to anybody from that email address, you want to be the only person that knows your primary email. You don’t wanna be getting any emails to that account from anyone other than Amazon then don’t click any links that you get emailed, if there’s an email prompting you to sign into your account, just sign into your account separately. Don’t click the link in order to update your details, sign in, whatever the email is prompting you to do. If it’s a real notification, that notification will also be in your account. So you don’t have to use the one that they emailed you. It will also be in your account if it is correct.
And then finally, user management. Don’t have anyone else signing in with the primary email. Each user should have their own email. And also make sure that the people that have access to your account at least have a basic understanding of email security and account security and aren’t just signing into everybody’s accounts and doing god knows what.
[00:15:00] Chris: And these are just Amazon type street smarts. Use your head, it might not have happened in your own life that your identity was compromised or you lost control of your bank. We realized for the large majority of people out there, they don’t necessarily see that within their lifetime, hopefully.
But Amazon, there’s a lot of money at stake. You’ve got competitors watching you. Some of them might be unsavory, some of them might be very well seasoned in black hat tactics or frauds or tools. So this is a lot more common in the Amazon space than it is out in the rest of the world. I just wanted to make that clear.
[00:15:35] Leah: And I should also mention I wasn’t going to because I figured it was well known at this point, but I decided that that’s a bad assumption to make. Turn on two-step authentication on your account for all users. Require two-step authentication. Ideally, you’re getting one of those little, like key chain, key authenticator things that isn’t connected to the internet, that has never been connected to the internet, so that can’t get compromised.
But you definitely want to have two-step authentication required for anybody signing into your.
[00:16:01] Chris: Right, and a lot of these tips we discussed today pertain to things beyond account compromises as well. Related account suspensions often come from, well, sellers tell us, I’ve never heard of the business that account health reps told me I was related to, how am I related to that seller? This must be wrong. They dispute it as an error, and of course that appeal gets rejected. Why did that happen? Because they didn’t realize they were granting access to their account from service providers who were related to a seller who got blocked, and that is the related suspended account.
You would never know it. Just because it’s the name of a customer of some service provider you work with so these are good questions when you’re vetting service providers, any level of scrutiny is welcome because you want to avoid ridiculous appeals and conversations with account health reps about related accounts when that is definitely avoidable.
[00:16:52] Leah: Yeah, and I have a whole section on that in an article I wrote recently about the documentation that you need and how you need to document those relationships so I’ll link that in the show notes as well because you need contracts and termination letters for anybody accessing your account.
[00:17:05] Chris: For sure. Thanks, Leah.
[00:17:07] Leah: Thanks Chris. Talk to you soon. Bye.
Hosts & Guests
Season 1, Episode 124 What do you do when Amazon Forgets that you're Reinstated? In this chaotic final quarter of 2023, sellers are facing an unprecedented challenge with immediate resuspensions following reinstatements. Despite being recently reinstated, many wake up...
Season 1, Episode 123 The Consequences of Bad Legal AdviceThe legalities of the Amazon marketplace are perplexing and have become increasingly challenging for sellers to navigate. In this episode, Chris and Leah discuss the nuances of Amazon’s policies, the risks of...