Got an Amazon Verification Code You Didn't Request? Here's the Scam
Your phone buzzes. It's an Amazon text — six-digit code, "do not share this with anyone," expires in 10 minutes. You weren't on Amazon. You didn't request anything. You were eating lunch, or watching TV, or doing anything else.
Thirty seconds later, your phone rings. Amazon security. There's "suspicious activity" on your account. They need to verify your identity.
All they need is that code.
This is not a coincidence. It's not a glitch. It's a two-step account takeover attempt, and it's been surging enough that security researchers are naming it specifically right now. Here's exactly what's happening and what you should do.
What actually triggered that text
The code is real. Amazon sent it. That's what makes this one harder to shake off than a garden-variety phishing text.
Here's what happened in the seconds before your phone buzzed: a scammer had your email address or phone number — almost certainly from a data breach, possibly one you've never heard of — and they tried to log into your Amazon account. They entered your email on Amazon's login page and clicked "forgot password" or triggered a login attempt from a new device. Amazon's security system responded exactly as designed: it sent a verification code to you.
The scammer doesn't have the code. You do. That's why they call.
This technique is called credential stuffing. Attackers buy lists of email addresses and passwords from old data breaches — and because password reuse is rampant, a credential leaked from some 2022 loyalty program breach has a reasonable chance of still unlocking an Amazon account in 2026. Automated tools test millions of these combinations per day without any human involvement. They don't know your name. They're just running numbers.
Your email didn't have to be stolen from Amazon specifically. It could have leaked from any service you've ever used. They're just trying the key against the door.
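Seen from the service side, the pattern described above is one source trying many different accounts and mostly failing, and that is what defenders look for in login logs. The sketch below is an added example, not part of the original article and not any Amazon system; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<UTC timestamp> ip=<addr> user=<login> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(line):
    """Return (timestamp, ip, user, succeeded), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"].lower(), m["result"] == "OK"

def find_stuffing_sources(lines, window=timedelta(seconds=60),
                          min_users=5, max_success_ratio=0.2):
    """Map each flagged IP to the most distinct accounts it tried in one window."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {e[2] for e in chunk}
            ok = sum(1 for e in chunk if e[3])
            # Many distinct accounts plus a low success rate marks list-driven guessing.
            if len(users) >= min_users and ok / len(chunk) <= max_success_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

# Constructed sample: one source walking a breach list, one ordinary user.
SAMPLE_LOG = [
    f"2026-06-01T12:00:{i:02d}Z ip=203.0.113.7 user=user{i}@example.com result=FAIL"
    for i in range(8)
] + [
    "2026-06-01T12:00:09Z ip=203.0.113.7 user=user8@example.com result=OK",
    "2026-06-01T12:00:03Z ip=198.51.100.20 user=dana@example.com result=FAIL",
    "2026-06-01T12:00:15Z ip=198.51.100.20 user=dana@example.com result=OK",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    for ip, n in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct accounts tried within one window")
```

The ordinary user who mistypes a password once and then succeeds is not flagged, because only one account is involved; the single successful login from the flagged source is the account that would then receive an unrequested verification code.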
The follow-up call is the actual crime
The text is setup. The call is where the theft happens.
The scammer calls you — often from a number that looks like a real Amazon customer service line, because phone spoofing costs nothing — and opens with something calm and professional: "We've detected suspicious sign-in attempts on your account. We need to verify you're the account holder before we lock it." Sometimes they already know your name. Sometimes they reference recent orders. It sounds like a security call because it's mimicking one.
Then they ask for the code.
"Just read us the verification code Amazon just sent you to confirm your identity."
If you do, they type it into the login screen they're already sitting at. They're in. From there, they change your password and recovery email to lock you out, browse your saved payment methods, and use your account however they want — placing orders, selling your gift card balance, or pivoting to the email linked to the Amazon account to start resetting passwords on your bank and other services.
Start to finish: about four minutes.
Why this catches people who know better
Real talk: this isn't a dumb scam for distracted people. It's specifically engineered to impersonate a legitimate security procedure, because it borrows the script of one.
Real banks and tech companies do call when there's unusual account activity. They do ask you to verify your identity. The scammer is running that exact script — except they created the "suspicious activity" they're calling about.
A lot of people who would ignore a phishing email will answer an "Amazon security call" from a number that looks right, especially when they literally just got a real OTP text two minutes ago. The code's arrival makes the call feel credible. That's not carelessness. That's the trap doing exactly what it was built to do.
The FTC received over one million imposter scam reports in 2025, with reported losses of $3.5 billion — the ninth consecutive year it was the top fraud category. Tech and retail brand impersonation (Amazon, Apple, Microsoft, Google) is a major driver of that number. The mechanic evolves. The brand impersonation playbook stays the same.
Red flags that should end the interaction immediately
You didn't initiate anything. Amazon sends OTP codes when you request a login or password reset. Getting one you didn't ask for means someone else is attempting to access your account — not a reason to cooperate with the caller.
The caller is asking for the code. Amazon's own security guidance is explicit: they will never call you to ask for a verification code, OTP, or one-time password. Ever. This instruction is printed in the text itself: "do not share this with anyone." The caller is included in "anyone."
The urgency is artificial. "Your account will be suspended in 15 minutes." "This needs to be resolved right now." "I can only hold this case open for a few minutes." Real Amazon security can wait while you hang up and verify. Scammers cannot.
The number looks real but isn't. Phone spoofing lets anyone display any caller ID they choose. An "Amazon" phone number on your screen proves nothing about who's actually calling.
They already know your name or order history. This sounds like proof of legitimacy. It isn't. Your name, email, and order patterns have been in multiple data breaches. Data brokers sell consumer profile lists constantly. Knowing your name doesn't make someone Amazon.
You don't even have an Amazon account. Credential stuffing is a spray-and-pray operation. If your email was in a breach, scammers may test it against Amazon and other services regardless of whether you have an account there. Getting a code for an account you don't have is weird, but the right response is the same: don't share it with anyone, don't click any link, don't call any number provided in the text.
If you already read them the code
First: this worked because it was designed to work. You were not careless. The scam was specifically built to look legitimate.
Now move immediately — this is measured in minutes, not hours:
- Go directly to amazon.com (not any link from the text or call). Navigate to Account → Login & Security.
- Change your password right now to something long and unique. If you can't log in because they've already changed it, use Amazon's account recovery process.
- Check all devices listed under your account and remove any you don't recognize.
- Review recent orders for anything you didn't place. Flag them immediately through Amazon's help center.
- Remove or freeze payment methods you don't want used while you investigate.
- Contact your bank or card issuer if any payment method was stored in the account. Report potential unauthorized use now — chargeback windows close.
- Check your linked email account and look for any forwarding rules, recovery phone number changes, or sign-in activity you don't recognize. If they got into your Amazon, they may pivot to your email.
- Report to the FTC at reportfraud.ftc.gov and the FBI at ic3.gov.
If you clicked any link during this — in the original text or from the caller — work through the post-click recovery checklist before continuing.
How to harden your Amazon account so this doesn't work next time
None of this takes more than five minutes:
Turn on two-step verification. Account → Login & Security → Two-Step Verification. Use an authenticator app (Google Authenticator, Authy) over SMS if you can — SMS can be intercepted through SIM swapping; an app-based code can't. Once 2FA is on, a password alone isn't enough to get in — the scammer still needs you to hand them the code.
Use a password unique to Amazon. If your Amazon password is the same one you use on any other site, change it now. One leaked credential from anywhere is all a credential stuffing list needs. Test your current password here if you're not sure.
Check whether your email has been in a breach. Your email address being in a data breach is often why scammers are trying your credentials in the first place. The guide on what to do after a data breach covers how to check and what to change.
Review saved payment methods periodically. Account → Manage payment methods. Remove cards you don't actively use on the platform.
For a deeper dive into how credential stuffing actually works and why reused passwords are the primary vector, the account takeover prevention guide has the full mechanics.
FAQs
Why did I get an Amazon verification code I didn't request?
Most likely, someone tried to log into your Amazon account using your email address or phone number — possibly obtained from a data breach — and triggered Amazon's real security system. It's a signal that someone is attempting to access your account. It is not a reason to share the code with anyone, including whoever calls you next.
Can scammers get into my account if I don't give them the code?
If Amazon's two-step verification is active and they only have your password, they need the code to log in — which means they need you to hand it over. Don't. If 2FA is not enabled, they may be able to complete a password reset without the OTP. Enable two-step verification now so a password alone is not enough.
The caller knew my name and order history. Doesn't that mean they're really Amazon?
No. Names, email addresses, and consumer purchase data are widely available in data breaches and from data brokers. Scammers routinely buy lists that include names, emails, and transaction data. That information proves nothing about who is calling.
Amazon's phone number showed on my caller ID. Doesn't that confirm it's real?
No. Phone spoofing lets anyone display any caller ID they choose. A number that looks like Amazon's customer service line is something any scammer can display for a few dollars. Seeing "Amazon" on your screen doesn't mean Amazon is calling.
What if I don't even have an Amazon account?
Credential stuffing casts a wide net — scammers test email addresses from breaches against dozens of services including Amazon, whether or not you have an account. If you got a code for an account you don't recognize, someone tried to create or access one using your contact information. Don't share the code, don't click anything in the text, and don't call any number it provides.
Sources: FTC Consumer Sentinel Network, "New trends in reports of imposter scams" (May 2026); FTC, Consumer Sentinel Network Data Book 2025 — imposter scam losses $3.5B; McAfee "This Week in Scams: Explaining the Fake Amazon Code Surge" (June 2026); Amazon Customer Service security guidance, "How to identify fake text messages/SMS"; Which?, "Beware of Amazon 'one-time passcode' scams."
Courtney
Founder, Cautellus · 20+ years in financial services
Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.