Yet another SCAM - Amazon security code sent to my cellphone?

[ObviouslyNotAGolfer]

Just received a text "security code" from Amazon with a link to report if I did not request. Like a dummy I clicked the link, but it just took me to Google.com (I'm probably already screwed). I am not sure why Amazon would be sending me (or any one) a security code, but I certainly did not request one.

(I do not have Prime, Echo, or any of their smart IOT devices.)

Anyone know anything about this--a new scam?? I did not find anything specifically about this one after a search online.

[Paul der Krake]

There are many flavors of scams that involve Amazon. Your best bet is to immediately change your password if you still can. If you use that password elsewhere, change that too.

[secondcor521]

And depending on the level of security you have on the device on which you clicked the link, you might want to make sure the link didn't download or install anything to the device.

I'm 99.9% sure that any download should still ask for permission to install.  But if your practice is to leave those permissions open, and if it's malicious, it's a possibility.

[Morning Glory]

It could be innocent. Someone's old number might be your hidden number if you use an MVNO. You had better change your password just in case.

[Travis]

Not a new scam. Been around for a few years.

[Daley]

Someone's old number might be your hidden number if you use an MVNO.

This isn't outside of theoretical possibility, but isn't a universal problem with MVNOs outside of a very small handful of low quality ones that're on Sprint/T-Mobile and either offer WiFi first or port number in after activation setups, such as Republic Wireless and Mint Mobile. Most MVNOs actually work just like regular carriers, and your real phone number is actually what's tied to the SIM card's IMSI.

I'm far more inclined towards the blind phishing/spam likelihood, possibly based on the recent n-day watering hole exploit that Google recently patched. Either the phone was lined up to do a massive fingerprint dump and got kicked to Google by the malicious party, or the system was patched by Google to bypass the possibly already known exploit URL entirely... though these sorts of scam spam text links are rarely so sophisticated.

Resetting Amazon and Google passwords on another device that isn't your phone and kicking out all logged in devices aren't a terrible idea. Nor is checking for any new apps installed on the phone. The paranoid, tinfoil-hatted version of my inner sysadmin wants to tell you to secure wipe your device and set it back up, but that seems a touch excessive when I read it actually typed out, even if it's not wholly unwarranted.

Either way, this is why I don't recommend handling sensitive accounts on a smartphone, and to use TFA based on code generators instead of text messaging to mobile numbers whenever possible.