Amazon just sent out a warning about phishing emails targeting Prime members—scammers spoofing login pages and tricking users into handing over their credentials. Sound familiar?
They correctly advise: “Don’t click suspicious links.”
But then they recommend authenticator apps and 2SV (two-step verification) as the solution.
Here’s the problem: those are the exact methods attackers are bypassing every day. They offer no protection whatsoever against even inexperienced teen hackers.
Phishing sites now relay MFA prompts in real time, tricking users into approving logins via auth apps or stealing their one-time codes the instant they are typed. The attacker doesn’t need your password—they just need to fool you into completing the authentication on their behalf. And people do it every hour. A user thinks, “Well, I got a prompt from my auth app, so it must be safe,” and boom—access granted.
This is how Scattered Spider just hit Aflac. Hawaiian Airlines. Qantas. All through social engineering combined with MFA manipulation. It’s not a theory. It’s happening right now.
So what should Amazon and others be recommending?
That’s the only real fix. You can’t train 100% of users to never click the wrong link. But you can build a system where clicking the link doesn’t compromise anyone.
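To make the real-time relay described above, and the property a system needs so that clicking the link doesn’t compromise anyone, concrete, here is an added simulation (mine, not Amazon’s and not from the original post): a proxy forwards a victim’s TOTP code and the real server accepts it, then the same relay fails when the client’s assertion is bound to the origin the browser is actually on. The origins, keys and timestamps are constructed.

```python
import hmac, hashlib, struct, secrets

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

REAL_ORIGIN = "https://www.shop.example"       # constructed, stands in for the real login page
PHISH_ORIGIN = "https://sh0p-login.example"    # constructed lookalike the victim clicked through to

def server_verifies_totp(secret: bytes, submitted_code: str, now: int) -> bool:
    # The real server sees only a 6-digit code; nothing in it says WHERE it was typed.
    return hmac.compare_digest(submitted_code, totp(secret, now))

def relay_attack_totp(secret: bytes, now: int) -> bool:
    # Victim reads the code from the authenticator app and types it into the phishing page...
    code_typed_on_phish_site = totp(secret, now)
    # ...and the attacker's proxy forwards it to the real site inside the same 30-second window.
    return server_verifies_totp(secret, code_typed_on_phish_site, now)   # True: relay succeeds

def client_signs(key: bytes, challenge: bytes, origin_in_browser: str) -> bytes:
    # Origin-bound assertion: the signature covers the server's challenge AND the origin the
    # browser is really on (the same idea FIDO2/WebAuthn uses by signing clientData with origin).
    return hmac.new(key, challenge + origin_in_browser.encode(), hashlib.sha256).digest()

def server_verifies_bound(key: bytes, challenge: bytes, assertion: bytes) -> bool:
    # The real server only ever accepts assertions made for its own origin.
    expected = client_signs(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(assertion, expected)

def relay_attack_bound(key: bytes) -> bool:
    challenge = secrets.token_bytes(32)          # proxy fetches the genuine challenge and relays it
    # The victim still clicks the link and still approves, but the browser binds the origin it shows.
    assertion = client_signs(key, challenge, PHISH_ORIGIN)
    return server_verifies_bound(key, challenge, assertion)   # False: the relayed assertion is rejected

if __name__ == "__main__":
    print("TOTP relay accepted:", relay_attack_totp(b"k" * 20, 1_700_000_000))
    print("origin-bound relay accepted:", relay_attack_bound(b"k" * 32))
```

Note that in the second case the user made exactly the same mistake (clicked the link, approved the login) and it still did not matter, which is what “clicking the link doesn’t compromise anyone” means in practice.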
Security awareness is helpful. But in today’s world of AI-generated phishing and spoofed sites built in 5 minutes, training is a nice-to-have—phishing-proof architecture is a must-have.