With stores such as Amazon becoming more and more prominent, you are not unlikely to get scam emails trying to fish for your user name and password.

Now, if you use those stores, you're going to expect receive emails from them. This is what hackers are hoping for. They want you to have a quick reaction looking at their email and thinking, darn! I have to click on that link and fix whatever issue I'm having with the shipping or payment or just my credentials...

Here I have one such email from Amazon... The tell tales, first of all the subject is completely wrong, but if you don't shop there much, you may not notice. But then the email uses two large images which is not normal. The test with black, red, and blue colors... Yeah. Wrong too. Finally, all the links are wrong. Amazon uses "https://www.amazon.com/..." for all their email links. Here we had these two:

http://creativeprecious.com/ua.php?ci0=j2ihjh30Y9b59h491j31dX0Rjj3YaX430d6yv9yeXXXY8fds3|.UeuZC1VUj|TY6QVUj|TY6QVUj|TXi3dpZphR23NFrx4g6g
http://creativeprecious.com/ua.php?by0=j2ihjh30Y9b59h491j31dX0Rjj3YaX430d6yv9yeXXXY8fds3|.UeuZC1VUj|TY6QVUj|TY6QVUj|TXi3dpZphR23NFrx4g6

Next, the content of the email has nothing to do with the subject. The content says it's just a survey. You've got to be a stupid scammer if you change your mind mid-way like this. Ha! Ha!.

Also if you look at the From: field, you'll notice that no one would ever select such an email address for themselves. It's just plain stupid.

Not to mention, Amazon doesn't send you rewards for rating products. They'd go out of business fast!

X-Apparently-To: alexis_wilke@yahoo.com; Mon, 10 Feb 2020 21:24:25 +0000
Return-Path: <contact@umrp.lordsnap.net>
Authentication-Results: mta4161.mail.gq1.yahoo.com; 
 dkim=pass (ok) header.i=@umrp.lordsnap.net header.s=f8bb033;
 spf=pass smtp.mailfrom=@umrp.lordsnap.net;
 dmarc=NULL(p=NULL sp=NULL dis=NULL) header.from=lordsnap.net;
Received-SPF: pass (domain of umrp.lordsnap.net designates 193.111.125.57 as permitted sender)
X-YMailISG: ZYHfticWLDtIKv3_Uw15OTQOufH2dNMvYC9SAjeB1KIK_zAd
 Fqde4z4xE1NA8cWau5ZtsEx5UqNW2BvgYwsvm6AfWQloEkJ3xnJiCLnOH2dB
 iqctBY9OOuMDEa6rySp5YQZVh8c5IRfwBWBh6RQNav8OtF355fyNHybeNZcu
 4NTEMbBEY5wA69_1GfWF2OhGMi81YSDrqAgYzQVadZDWvNf1g2O6STSK3dTM
 fE85wFNyUb4QkpVFu8VYauzRTpDTw4Xp4MUUWPWOGsosN0WoYuISFE2BPRLk
 oSaQRiGmJnauhSUtKAIj.hxtrLhqCMASBaHWputW6sH1NS_M3jws5lRAeM6W
 SO.lAb60aCPbCf9L965nc_gKx_8Z2fFdVsvcgetUnRgB2S4drunKY5oqPnVO
 7896nZNNe0r5RghWxFOLITLWNi.SuMeFSPZEEKibseR25e1wZB_mlA1JKfi2
 5Z94s8N3f7CB.U2yGgOtFQCQAfBuWdNvA954E__v_AD2.hfavoSxDB.dFO0S
 XLFZfSqq5BMxfjFblSudpLONa1bNuYqUdlCBKC57S8pmXbGYm7RQmt4fExsI
 WMC7u3MoRS0wGI6bywAbVpB.Aqj8WzBOsURG6gMll0U5WbO67at2a7678Ll_
 U3AzMzZRm8E3zHflXk9SDeoZaPzCUPQ6iDIsbgWvWP2Nn49gS4sM367MObmM
 y2cL2aT.P8xaR.U4sWwRD68g5t.s5MvbQu9R6uEciNU7NPCxwz1dujRcuPuh
 FEwKV9pwzOoYl19gLXVgo9CdYMTNAQXt5xaXZv11ixTlrWgn7iBrxsDWh1_Q
 WmpdggzZ7nXjDj4yVvIoRDGEjzhlnkBnFLWuacW_w9.88WWbCjmfOvsmq1g3
 aKfg2FSO7.DrcGwPZFXxGzCvkmQvXLjAvEzYLfSm.PgnIQ6z3i2tVBaPSI8N
 LxDt18tXSfm5J8FK64fu_rAUXteQG_aF6E2LoXJj.qZDNlQ2zBDEddCqWyLB
 cpxLmci.vngrxJ0wTtTKtWosuq_JU1_hqa8Io4dxqLYjIxDgqVQe6TC.WK9m
 WyaXqfhnrGI77uep1FpAquT2BU9eCRmv7twa_eGRSqAEZz_YvfxLlWyfvaeV
 PL3L7sBOcnklXFkbpZigFP1gh1YxZ5WeqfVOzkjWbjMqX9O5cmuPkh28sPaX
 MuyymKa38ehQbJQ0bQyrGo1VO_ruEoJ_TcISiFafqQaA1HimcVL6m6cIi8dY
 ODLi51fK0TYld81ib4lDFFQ_J9JpRhSeRhCP
X-Originating-IP: [193.111.125.57]
Received: from 10.253.231.22  (EHLO umrp.lordsnap.net) (193.111.125.57)
  by mta4161.mail.gq1.yahoo.com with SMTP; Mon, 10 Feb 2020 21:24:24 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=f8bb033; d=umrp.lordsnap.net;
 h=Message-ID:From:Reply-To:To:Subject:Mime-Version:Date:To:Content-Type;
 i=OeX8CE4C6YLKefRnQE6Oq13hn9veNmlbo8yN4K2lcFouAJ2pQgd360vNoiUilaQPesAHDZUykICSK6WtVG3DeCsWp8dlqhztL@umrp.lordsnap.net;
 bh=QKr04AZiiWDX50vIphfRGN8gKTgfypVO0l9kh1p5TD8=;
 b=lE0u1NFiAMe+Yrhj0UJulYdn4QtMVfyOIUPvbRgX5Ve9W5rRao1CM8UbemtY7yMuLVb37tRhEjZE
   J4B06PbtC+tSaGTKfBZkIzTWEMY8Nctrc8zr33Bmi7w0QcZtRAApmitD5/+lzhbeC6dpz3DrpHqN
   sOXu/073ZMpjRiYEeKU=
Received: from localhost (127.0.0.1) by umrp.lordsnap.net id h8750i16lt06 for <alexis_wilke@yahoo.com>;
          Mon, 10 Feb 2020 16:24:10 -0500 (envelope-from <contact@umrp.lordsnap.net>)
Message-ID: <17044822.3950102947.Phpmailer@umrp.lordsnap.net>
From:=?UTF-8?B??==?UTF-8?B??==?UTF-8?B?Qw==?==?UTF-8?B??==?UTF-8?B?bw==?==?UTF-8?B??==?UTF-8?B?bg==?==?UTF-8?B??==?UTF-8?B?Zg==?=
     =?UTF-8?B??==?UTF-8?B?aQ==?==?UTF-8?B??==?UTF-8?B?cg==?==?UTF-8?B??==?UTF-8?B?bQ==?==?UTF-8?B??==?UTF-8?B?YQ==?==?UTF-8?B?dA=
     =?==?UTF-8?B?aQ==?==?UTF-8?B?bw==?==?UTF-8?B?bg==?==?UTF-8?B?IA==?==?UTF-8?B?Tg==?==?UTF-8?B?ZQ==?==?UTF-8?B?ZQ==?=
     =?UTF-8?B?ZA==?==?UTF-8?B?ZQ==?==?UTF-8?B?ZA==?==?UTF-8?B??= <OeX8CE4C6YLKefRnQE6Oq13hn9veNmlbo8yN4K2lcFouAJ2pQgd360vNoiUi
     laQPesAHDZUykICSK6WtVG3DeCsWp8dlqhztL@umrp.lordsnap.net>
Reply-To: info@umrp.lordsnap.net
To: alexis_wilke@yahoo.com
Subject:=?UTF-8?B?WW91ciBBbWF6b24gT3JkZXIgaGFzIGJlZW4gc2hpcHBlZC4uLnBsZWFzZSBjb25maXJtIHJlY2VpcHQg?=. #Ref 833660
(Subject translated: Your Amazon Order has been shipped...please confirm receipt . #Ref 833660)
Mime-Version: 1.0
x-mid: 92396788
Return-Path: p9oj9osstqj4crl8jaqf@umrp.lordsnap.net
Date: Mon, 10 Feb 2020 16:24:10 -0500(EDT)
To: alexis_wilke@yahoo.com
Content-Type: multipart/alternative; boundary="----=NextPart-3c3722327511fc96935aac62b5ee6465"
Content-Length: 2441

February 10, 2020

Dear Alexis_wilke ,

Please tell us about your Online Shopping Experiences and as a thank you, you can select from several exclusive offer rewards!
User Reference: 658124

Transcripts:

[first image]

How would you rate your online shopping experience?

Satisfaction Shopper Survey

Please rate your experience and claim your REWARD!

We'd like to hear about your Online Shopping Experiences.
Please click on one of the following to rate your
experience.

Very Satisfied | Satisfied | Neutral | Disatisfied | Very Disatisfied

(Picture of a Red Gift with a ruban, Picture of a woman with a headset, a.k.a. a support or sales person)

[second image]

You may unsubscribe at any time. Unsuscribe

Or you may write to

304 S. Jones Blvd #907, Las Vegas NV 89107

As a note, the address is actually a valid address in Las Vegas. At the time, it was a business selling PO Boxes. As we can see it says PhysicalAddress.com which is a really good domain name for such a business! They have locations in 6 states already.