Beware of Fake Amazon AWS Suspension Emails for Unpaid Bills

Posted by & filed under Security Alerts.

In this article we take a look at a phishing campaign that pretends to be an Amazon AWS suspension notice for unpaid bills that looks good enough to trick many users.

A billing notice from a vendor, especially one like Amazon, that states that your account has been suspended for unpaid bills, may confuse a user enough to click on the email link.

Attackers are capitalizing on this confusion by sending emails that pretend to be from Amazon AWS Support at and that use a subject of “Your service has now been suspended”.Phishing Scam

Fake Amazon AWS Suspension Notice
Fake Amazon AWS Suspension Notice

This email states that your account has been suspended because you are “Overdue on Payment” for a bill of $4.95 USD. It then prompts you to click on the “payment page” link to reactivate the service.

The full text of this email is shown below.

This is a notification that your service has now been suspended. The details of this suspension are below:
Product/Service: Unlimited Starter
Amount: $4.95 USD
Due Date: 10/07/2019
Suspension Reason: Overdue on Payment
You can pay now using the payment page to reactivate your service.
If your account was suspended for reasons other than non-payment of outstanding dues, contact AWS customer support Contact Us

When you click on embedded link you will be brought to a fake Amazon AWS login page located at a site whose URL starts with, but is actually hosted on a different domain. If you are viewing the email on mobile, the full link won’t be shown and users may be more easily confused.

Fake Amazon AWS Account Login
Fake Amazon AWS Account Login

When a victim enters their credentials, the information will be saved for the phishers to retrieve later so that they can access your account. The user will then be redirected to the legitimate AWS login page.

While some users may have felt that the emails are safe because they are coming from a legitimate Amazon email address, it is always important to remember that the From email address can always be spoofed to be from any account an attacker wants.

Therefore, even if a phishing email looks legitimate, it is important to pay attention to the URLs of the landing pages before entering your login credentials in a displayed login form. If you are on mobile, you can press on the link until the full URL is displayed to make sure its not a fake landing site.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.