Amazon account abuse is usually financial abuse. Attackers move through the inbox tied to Amazon, the password, shipping addresses, payment methods, subscriptions, and payment authorizations. If you leave any one of those control points exposed, the account can look fixed and still be reusable by someone else.
| Situation | First move | Why |
|---|---|---|
| You still have access on a trusted device | Change the password, turn on two-step verification, and review Login & security and Your payments | A live session is the fastest way to cut off reuse |
| The email or phone number changed | Secure the email inbox and phone first, then return to Amazon | Those channels control resets and alerts |
| You see suspicious orders or charges | Check Amazon Pay activity, payment methods, and the order record before anything else | Money can move before the account looks fully broken |
| Subscriptions or authorizations changed | Review payment authorizations and merchant agreements | Recurring charges keep running until you stop the right link |
| The problem started from a message | Treat it as phishing, not just a password issue | The message is part of the attack path |
Key idea: secure the inbox tied to Amazon before you spend time on orders or cards. If the inbox stays exposed, resets and alerts can be intercepted.
Lock the control plane first
Amazon recovery and security alerts route through email and sometimes your phone number. If those channels are weak, you can change the Amazon password and still get pulled back into compromise. Start with the inbox, then move to the account.
- Change the email password and enable two-factor authentication.
- Remove forwarding rules, filters, delegates, and unknown sign-in sessions from the inbox.
- Confirm the recovery phone number is still yours. If service disappeared unexpectedly or the carrier behaved strangely, treat it as possible SIM swapping.
- Review the devices you use for email and Amazon, then sign out of shared computers and remove saved passwords from devices you no longer trust.
Common mistake: changing only the Amazon password. If email still belongs to the attacker, they can keep pulling the account back through resets and alerts.
Use the right Amazon surface for the right job
Amazon says changes made on the Amazon website apply to both Amazon Pay and Amazon websites. On the Amazon website, Login & security is where you edit account name, email address, mobile phone number, and password. Your payments is where you manage payment methods and billing addresses. On Amazon Pay, you can view orders and transactions, merchant contact information, merchant agreements, and suspended orders.
Use Managing your Amazon account for Amazon Pay as the map, then work in this order: inbox, password, addresses, payment methods, subscriptions, and authorizations.
Strengthen sign-in
Amazon's Password security page says two-step verification adds a security code after your password, so a stolen password alone should not be enough. The page also shows the path on Amazon.com: Account & Lists, Your Account, Login & security, then Advanced Security Settings.
- Use a unique password that you do not reuse on email, banking, or shopping sites.
- Turn on two-step verification and add a backup verification method.
- If the account allows an authenticator app, prefer that over SMS when the phone number has been unstable.
- After the password change, check whether Amazon still shows any devices or browsers you do not recognize, and sign out where possible.
- Re-check the sign-in state after a day. Some persistence only shows up when the attacker retries.
Clean up payment methods and backup options
Amazon Pay uses the payment methods stored in your Amazon account, so payment cleanup has to happen on both the Amazon website and the Amazon Pay side of the account. Amazon Pay says you can change account information on Amazon.com and that those changes apply to both sides.
- Use Managing your Amazon account for Amazon Pay to confirm the current email, phone number, password, and billing address.
- Use Deleting payment methods to remove cards or bank accounts you do not recognize.
- Check whether the backup payment method still points to a card or bank you actually control.
- If a billing address was changed, put it back immediately before you place any new order.
Safety note: if a payment method was added by someone else, treat it as a control breach, not a harmless convenience change.
Review orders, subscriptions, and authorizations
This is where most account abuse becomes visible. The attacker may not need to keep logging in if they can move through an existing order, a merchant agreement, or an automatic payment authorization.
- Use Viewing orders and transactions to find Amazon Pay activity and open the exact order record.
- If the order is still reversible, use Canceling payments or orders. Amazon Pay says the merchant, not Amazon Pay, may need to issue the refund or make the change.
- For recurring charges, use Authorizing automatic payments and Merchant agreements FAQ to review or cancel the authorization itself.
- If the charge is unauthorized, use Unauthorized charges. Amazon Pay says to contact your bank or card issuer quickly, change your Amazon Pay password, and notify buyer support.
Keep the order ID, transaction reference, merchant name, and time together. That is the evidence support teams need, and it also tells you whether the problem is a single charge or a recurring authorization that is still live.
Know which party can actually stop the problem
Amazon Pay can locate the activity, but the merchant, card issuer, or bank may be the one that actually stops the loss. Separate the problem before you spend time on the wrong support queue.
- If the purchase is still pending, the merchant may be able to cancel it faster than a later dispute.
- If the charge already posted to the card, the card issuer controls the fraud clock and dispute process.
- If the subscription continues after you cancel the authorization, the merchant agreement still needs to be ended with the merchant.
- If login resets keep looping after password changes, the inbox or device is still compromised.
This keeps the response orderly: Amazon for account settings, Amazon Pay for order and authorization records, the merchant for service cancellation, and the bank or card issuer for posted fraud.
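The evidence record and the routing rules above can be combined into one triage pass. This is an added example, not part of the original page and not an Amazon tool: it assumes a hand-kept log whose field names, `status` values (`pending`, `posted`), and thresholds (`min_charges`, `tolerance_days`) are hypothetical, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, kept by hand while reviewing Amazon Pay activity.
# Field names and values are illustrative, not an Amazon export format.
RECORDS = [
    {"order_id": "ORDER-0001", "txn_ref": "TXN-A1", "merchant": "Example Streaming",
     "time": "2024-03-02T09:15", "status": "posted"},
    {"order_id": "ORDER-0002", "txn_ref": "TXN-A2", "merchant": "Example Streaming",
     "time": "2024-04-02T09:14", "status": "posted"},
    {"order_id": "ORDER-0003", "txn_ref": "TXN-B1", "merchant": "Example Gadgets",
     "time": "2024-04-05T22:40", "status": "pending"},
    {"order_id": "ORDER-0004", "txn_ref": "TXN-A3", "merchant": "Example Streaming",
     "time": "2024-05-02T09:16", "status": "posted"},
]

def triage(records, min_charges=3, tolerance_days=3):
    """Group evidence by merchant, label the charge pattern, list who to contact."""
    by_merchant = defaultdict(list)
    for rec in records:
        by_merchant[rec["merchant"]].append(rec)

    report = {}
    for merchant, rows in by_merchant.items():
        rows = sorted(rows, key=lambda r: datetime.fromisoformat(r["time"]))
        times = [datetime.fromisoformat(r["time"]) for r in rows]
        gaps = [(b - a).days for a, b in zip(times, times[1:])]
        # Evenly spaced repeat charges suggest a standing authorization.
        recurring = (len(rows) >= max(min_charges, 2)
                     and max(gaps) - min(gaps) <= tolerance_days)
        contacts = set()
        if recurring:
            contacts.add("Amazon Pay + merchant: cancel authorization, end agreement")
        for r in rows:
            if r["status"] == "pending":
                contacts.add("merchant: cancel pending order")
            elif r["status"] == "posted":
                contacts.add("card issuer or bank: dispute posted charge")
        pattern = "recurring" if recurring else ("single" if len(rows) == 1 else "repeated")
        report[merchant] = {
            "pattern": pattern,
            "gaps_days": gaps,
            "contact": sorted(contacts),
            "evidence": [(r["order_id"], r["txn_ref"], r["time"]) for r in rows],
        }
    return report

if __name__ == "__main__":
    for merchant, info in triage(RECORDS).items():
        print(merchant, info["pattern"], info["contact"])
```
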
Shared devices and browser persistence
Many Amazon compromises survive because the browser, not the account, is the persistence layer. An attacker who saved a password in a shared browser, installed a malicious extension, or kept a logged-in tab open can return after you reset the password. Treat every shared computer as untrusted until you check the browser profile itself.
- Sign out of Amazon and email on any computer you do not own.
- Remove saved passwords and autofill cards from shared browsers.
- Check browser extensions and remove anything you did not install yourself.
- If a family member or caregiver manages the same device, create separate browser profiles instead of reusing one sign-in.
If Amazon keeps challenging you with codes on a device you did not use before, that is a sign the session or browser environment still needs cleanup.
Gift cards, credits, and household payment surfaces
Gift cards and household payment methods can hide small but repeated losses. Review balances, recent redemptions, and any purchases you did not approve. If you share Prime, payment methods, or a family account, separate the personal card from the household card so one person's sign-in does not control everything.
- Record gift-card balances before you contact support so you can spot any later change.
- Separate personal and shared payment methods where possible.
- Review subscriptions linked to shared payment methods after a password reset.
- If Amazon Pay shows a merchant agreement you do not recognize, treat it as a standing authorization problem, not a one-time order.
Treat suspicious messages as an attack path
Many Amazon incidents start with a fake delivery notice, account alert, support message, or payment request. Amazon Pay's Internet scams and phishing page says not to provide Amazon.com Gift Card claim codes by phone, text, or email, and not to complete payment if a message sends you away from the merchant site.
- Do not sign in from a link in the message. Open Amazon or Amazon Pay directly instead.
- Do not share one-time codes, claim codes, or password reset links with anyone who contacted you first.
- Check the same order, charge, or support issue inside Amazon before you respond to the message.
- Use how to identify scam emails and phishing if you need a quick pattern check.
Do not: trust a support number, payment request, or account-lock message that arrived by text or email. Verify it from the Amazon or Amazon Pay site, not from the message.
Keep the review cadence simple
Once the account is stable, a monthly review is usually enough for most people. Check the inbox tied to Amazon, the Amazon password, shipping addresses, payment methods, recurring authorizations, and recent Amazon Pay activity. If you share a household computer, repeat the check after travel, a phone change, or the addition of a new card.
If the same problem keeps returning after you remove it, stop treating it as a single Amazon issue. A recurring compromise usually means the inbox, phone number, or device still has attacker control, and that is the part that has to be fixed first.
If the account is already drifting into suspicious activity again, use how to recover a hacked Amazon account for the recovery branch and keep this page as the hardening branch.
Amazon security is strongest when the control plane is boring: a clean inbox, a unique password, two-step verification, and payment methods that match what you actually use. When order history, authorizations, and addresses stop changing without you, the account becomes much harder to abuse.
