Share
BRAND IMPERSONATION

Amazon Japan Prime "membership confirmation" phishing: the geofenced login scam that hides from researchers

An email dressed as Amazon.co.jp warns, in urgent Japanese, that your Prime membership needs "confirmation" or an updated payment method, and gives you one link to fix it. The trick that makes this campaign so hard to catch: the fake Amazon login only loads for a visitor on a Japanese connection. A researcher or a security sandbox outside Japan is quietly redirected to the real Amazon site and sees nothing wrong. Here is how to know it is fake in seconds, without clicking the link or typing a single character.

SafeBrowz Threat Research Security ResearchJuly 4, 20269 min read

Verdict: an Amazon.co.jp email asking you to "confirm" your Prime membership is phishing

An email styled as Amazon.co.jp that says your Amazon Prime membership needs "ownership confirmation" or an updated payment method, with a link to sort it out, is a phishing scam. The link opens a pixel-perfect fake Amazon sign-in page that harvests your password, then your address, birthday, phone number, and card details. What sets this campaign apart is that the fake page is geofenced: it only renders for visitors on a Japanese IP address, so security researchers and automated sandboxes elsewhere are sent to the real Amazon and report the link as clean. Amazon never asks you to confirm ownership of your account through an email link. Do not click it. Check your membership only by opening amazon.co.jp or amazon.com yourself and signing in there.

The Brief

Amazon is one of the most-impersonated brands in the world, and Japan has become one of the most heavily targeted markets for it. Proofpoint has tracked geofenced Amazon Japan credential-phishing campaigns whose daily message volume at its peak rivaled Emotet, and the same playbook drives newer waves. The CoGUI phishing kit alone pushed more than 580 million messages between January and April 2025, impersonating Amazon, Rakuten, PayPay, and Japan's national tax agency, according to Proofpoint, which attributes the activity to Chinese-speaking threat actors. The lure is mundane on purpose: a Prime membership "problem" you can fix with one click. That click is the whole attack. It leads to a counterfeit Amazon sign-in page, and the moment you type your password you have handed it over. The rule that beats it is the same one that beats a fake Amazon account-verification email: never sign in through a link in a message, only by opening Amazon yourself.

What the fake Amazon Japan notice looks like

The subject line sets the hook with urgency and the word Prime. Threat intelligence firm Infoblox flagged an active campaign against Japanese recipients using subjects like 「至急 Amazonプライム会員情報の確認」, which translates to "Urgent: confirm your Amazon Prime membership information." Proofpoint documented three recurring lures in the same family: a request to confirm ownership of the account, a demand to update the payment method on file, and a warning that the account is about to be locked. The body reads like a routine Amazon notice, styled with the Amazon logo and a clean layout, and it ends with a single button or link to "confirm" or "verify" before the membership is suspended.

Click it and you land on a page that looks exactly like the Amazon.co.jp sign-in screen. The realism is deliberate. In the campaigns Proofpoint analysed, the pages often pre-fill your email address, pulled from an old data breach, so the login feels personal and already half-complete. Enter your password and the trap widens. The next screen asks you to "verify" your identity with your full name, address, birthday, and phone number, and then your credit card number, which the kit checks against basic validation rules and Japanese postal-code databases so it can reject fake input. By the end you have handed over your Amazon login, your identity, and your card, all on a page that never once touched Amazon.

The tell is the address bar. A real Amazon sign-in only ever happens on amazon.co.jp or amazon.com. The links in these emails go nowhere near them. They point to lookalikes such as amazon-co-jp-verify[.]top, amazon-prime-kakunin[.]shop, or amzn-payment-update[.]cn (illustrative examples, not real Amazon domains; Proofpoint observed the real ones parked on cheap .xyz and .cn endings). The word "amazon," "amzn," or "prime" is glued to "verify," "confirm," or "payment," or parked on an ending Amazon would never use for a login. If the sign-in page is on anything other than amazon.co.jp or amazon.com, it is a fake, no matter how perfect the pixels are.

🛡 LIVE CHECK

Test that Amazon "confirm membership" link before you click

Got an email or text with an Amazon Prime "confirm" or "update payment" button and not sure about it? Paste the link below before you click. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

Why the fake page hides from researchers: geofencing explained

This is the part that makes the campaign so durable. The phishing link does not always show the fake page. Before it renders anything, it checks who is visiting. When the request comes from a Japanese IP address, on the kind of browser a real target would use, it serves the counterfeit Amazon login. When the request comes from anywhere else, from a security vendor's sandbox in a Western data center, a researcher's crawler, or an automated URL scanner, it quietly redirects the visitor to the genuine Amazon.co.jp site instead. The scanner sees the real Amazon, finds nothing wrong, and marks the link clean. The victim in Tokyo sees the fake.

Newer kits push this further. The CoGUI kit that Proofpoint tracked layers geofencing with "header fencing" and browser fingerprinting: it profiles the visitor's location, language, browser, screen size, and whether they are on a mobile or desktop device, and only reveals the phishing page when every signal matches an expected Japanese target. Some variants only render on a mobile browser, returning a blank or harmless page to a desktop or an automated scanner. This is exactly why a phishing URL can circulate for days while reputation feeds still call it safe, and it is the core reason a scanner that runs on the actual device, at the moment the page tries to load, catches what a central sandbox cannot. For the broader pattern of convincing lookalike stores and pages, our guide on how to spot fake online store scams covers the other tells.

How a real Amazon message actually works

Amazon does send real emails about your account and your Prime membership, so the concept is not invented. But a genuine message behaves nothing like the scam. Amazon states that it will never ask you to confirm sensitive personal information, or to "verify" or "confirm ownership" of your account, through a link in an email or text. Real Amazon account emails appear in your Message Center: if you open the Amazon app or website yourself, go to your messages, and the notice is not there, Amazon did not send it. Approved Amazon emails come from an amazon.co.jp or amazon.com address, and any real sign-in only ever happens on those domains, never on a lookalike you reached by clicking a link.

Three things separate the real notice from the fake. First, a genuine Amazon message never needs you to re-enter your password, address, and card on a page you reached by clicking a link. Second, you can always confirm it by opening Amazon yourself and checking Message Center, rather than trusting the email. Third, the destination is an Amazon-owned domain, never a hyphenated "amazon" name or a cheap TLD. When in doubt, ignore the buttons entirely and manage your membership by opening amazon.co.jp or amazon.com and signing in there. The same "confirm your account" pressure drives the Apple ID locked email scam and countless others; the defense is identical.

The 30-second check: sign in only at amazon.co.jp, never through the email

This is the whole answer, and it works whether the message is a flawless fake or a rare genuine notice, because it never trusts the email.

  1. Do not click the link. Do not open the confirmation page, do not enter anything. Nothing real is lost by pausing.
  2. Look at where the link actually goes. Hover the "confirm" or "verify" link (long-press on mobile). If the destination is anything other than amazon.co.jp or amazon.com, it is fake. A sign-in page on a .top, .shop, .cn, or hyphenated "amazon" domain is the giveaway.
  3. Open amazon.co.jp or amazon.com yourself. Type it in the address bar or use the official app. Do not use any link from the message. Then check Message Center: a real account notice will be there.
  4. Never re-enter your password, address, or card on a page you reached from an email. Amazon prompts for a fresh login inside a session you started, not after clicking an emailed link.
  5. If there is no matching notice in your real account, it was phishing. Delete the email. Your membership is fine and nothing will be suspended.

That is the same rule that beats the whole category, from a fake USPS delivery text to a bogus tax-refund message: judge it on the real, official site you open yourself, never on the message that reached out to you.

Red flags that mark it as phishing

  • A request to "confirm ownership" or "verify" your account. Amazon does not ask you to prove you own your account through an email link. That phrasing is a scam pattern.
  • A sign-in page that is not on amazon.co.jp or amazon.com. A hyphenated "amazon" or "amzn" domain, or a page on .top, .shop, .cn, or .xyz, is fake even if the layout is perfect.
  • Your email address already filled in. A page that greets you by your address is using data from an old breach to feel personal, not proving it is Amazon.
  • Urgency and a threat of suspension. "Confirm within 24 hours or your Prime membership will be cancelled." Urgency exists to stop you checking on the real site.
  • A jump from login straight to your card. Being asked for your full name, address, birthday, and card number right after signing in is a data-harvest form, not an Amazon flow.
  • A link that looks clean when a colleague abroad checks it. Geofenced pages can show the real Amazon to a checker outside Japan while showing the fake to you. A "looks fine to me" from someone overseas is not proof.
  • A sender that is not an Amazon domain. Approved Amazon email comes from amazon.co.jp or amazon.com, and the real notice also appears in your Message Center.

What to do if you entered your Amazon details

Move fast. Stolen credentials and card data get used quickly, so speed is what limits the damage.

  1. Change your Amazon password now. Do it by opening amazon.co.jp or amazon.com directly, not through any link in the email. If you cannot sign in, use Amazon's account-recovery flow on the real site.
  2. Remove any payment method you do not recognise, and turn on two-step verification. In your Amazon account settings, delete unfamiliar cards or addresses and enable 2SV so a stolen password alone cannot get in. Attackers add their own details to keep access.
  3. Sign out of all devices. In your Amazon security settings, sign out everywhere so any active session the attacker opened is cut off.
  4. Watch and freeze the card you entered. Call your bank or card issuer, flag it, and watch for unfamiliar charges. If you entered card data, treat that card as compromised and ask for a replacement.
  5. Check your order history and addresses. Look for orders you did not place and shipping addresses you did not add, and remove anything you do not recognise.
  6. Reset that password anywhere you reused it, and give every account its own unique password.

How to report an Amazon Japan phishing email

  • Report it to Amazon.co.jp. Forward the suspicious message to [email protected], or use the report form on Amazon's official "report suspicious communication" help page. If you do not have an Amazon account, forward it to [email protected].
  • Report spoofed sender addresses to [email protected], which Amazon uses for impersonation reports.
  • In Japan, you can also alert the relevant consumer and cybercrime authorities if you lost money or handed over card data.
  • In the US, report the scam to the FTC at reportfraud.ftc.gov and, if you lost money or had an account taken over, to the FBI Internet Crime Complaint Center at ic3.gov.
  • Delete the message after reporting. Do not click anything on the way out.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Amazon included) plus Cyrillic and Punycode homograph checks, all running inside the extension before the page renders. The fake confirmation page wears the Amazon brand but sits on a domain that is not amazon.co.jp or amazon.com, and it pairs that brand with a credential-harvest login form and suspension-deadline urgency. Reading a page's brand against the domain it actually loads on is exactly how the engine separates the real amazon.co.jp from an impostor, and it flags the impersonation before the sign-in form is usable.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam-TLD lists to flag domains already reported as malicious, which covers many of these confirmation pages as they are reported.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new lookalike pages in seconds, including a fresh Amazon Japan clone that copies the real styling but sits on the wrong domain and asks for a password and card behind a "confirm your membership" prompt.

Why a device-side scanner matters here: because the fake page only renders for a real visitor on a Japanese connection and real device, a central sandbox in a Western data center is redirected to the genuine Amazon and reports the link clean. A scanner running on the actual device, at the moment the page tries to load, sees the same page the victim sees, so a geofenced or fingerprinted page cannot hide from it the way it hides from a remote crawler.

Honest scope: SafeBrowz flags and blocks the phishing sign-in page before it loads, so the "confirm your membership" step never reaches you. It reads the page you are about to open, not your inbox, so it cannot delete the email itself, and it cannot undo a password already typed on a page you visited without it. Pair the extension with one habit: sign in to Amazon only by opening amazon.co.jp yourself, never through a link in an email.

Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Where browser-layer defense fits

The email is the lure, but the theft happens on the page. That confirmation link is where victims are pushed to type an Amazon password and card into a counterfeit login, and where geofencing keeps a remote scanner from ever seeing it. Browser-layer scanning catches that step on the device where the page actually renders. When an Amazon-styled sign-in loads on a domain that is not amazon.co.jp or amazon.com, a brand-aware scanner flags the impersonation before the form is usable, whether the visitor is in Tokyo or anywhere else. SafeBrowz is a free extension for Chrome, Firefox and Edge, plus a live Android app (Safari coming soon), that checks every URL before it renders against a 550+ brand database. Install SafeBrowz and pair it with the one rule that beats this whole category: reach Amazon only by typing amazon.co.jp yourself, and never sign in through a link in a message. If you want to test a suspicious link right now, our free scam URL checker runs the same 3-layer scan on demand.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every link check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

See pricing and Premium features

Frequently asked questions

Is the Amazon Prime "confirm your membership" email real?

Almost never. An email or text styled as Amazon.co.jp that says your Prime membership needs "ownership confirmation" or an updated payment method, with a link to fix it, is a phishing scam in the overwhelming majority of cases. The link opens a fake Amazon sign-in page that steals your password, personal data, and card. Amazon does not ask you to confirm ownership of your account through an email link. Check your membership only by opening amazon.co.jp or amazon.com yourself and signing in.

Why does the phishing link look safe when I check it?

Because these Amazon Japan pages are geofenced. The link checks who is visiting before it shows anything: a request from a Japanese IP address gets the fake Amazon login, while a request from a security sandbox or a checker outside Japan is redirected to the real Amazon.co.jp, which looks clean. Newer kits also fingerprint the browser, language, and device, and some only render on mobile. That is why a URL can circulate for days while reputation tools still call it safe, and why a scanner that runs on the device where the page actually loads catches what a remote crawler misses.

How can I tell the Amazon email is a fake?

Look at where the link goes and where the sign-in page loads. A real Amazon login only ever happens on amazon.co.jp or amazon.com. If the "confirm" or "verify" link points to a hyphenated "amazon" domain, or a page on .top, .shop, .cn, or .xyz, it is fake. Other tells: a request to confirm ownership of your account, your email pre-filled, a jump from login straight to your address and card, a suspension deadline, and a sender that is not an Amazon domain. Real Amazon notices also appear in your Message Center.

I entered my password and card on the fake Amazon page. What now?

Move fast. Change your Amazon password immediately by opening amazon.co.jp or amazon.com directly, not through the email, and turn on two-step verification. Remove any payment method or address you do not recognise, sign out of all devices, and call your bank to flag or replace the card you entered. Check your order history for anything you did not place, and reset that password anywhere you reused it. The sooner you act, the less an attacker can do with the stolen details.

Does this Amazon Japan scam only target people in Japan?

The current campaigns are aimed at recipients in Japan, using Japanese-language lures and pages geofenced to Japanese IP addresses, which is why expats and researchers in Japan see them while people abroad often cannot even load the fake page. But the technique is not unique to Japan: the same kits impersonate other brands and can be pointed at any market. The safe habit is universal. Never confirm an account through an emailed link, and sign in only by opening the real site yourself.

How do I report an Amazon Japan phishing email?

Forward the message to [email protected] or use the report form on Amazon's official suspicious-communication help page. If you do not have an Amazon account, forward it to [email protected], and report spoofed sender addresses to [email protected]. In the US you can also report the scam to the FTC at reportfraud.ftc.gov and, if you lost money or had an account taken over, to the FBI at ic3.gov. Delete the message after reporting.

Related SafeBrowz coverage

Bottom line: the Amazon Japan Prime "confirm your membership" email is a phishing scam that steals your Amazon login and card, and it stays hidden because the fake page is geofenced to only show for Japanese visitors while sandboxes see the real Amazon. Amazon never asks you to confirm ownership through an email link, and a real Amazon login only ever loads on amazon.co.jp or amazon.com. Do not click the confirmation link, and check your membership only by opening Amazon yourself. Put SafeBrowz on your browser so the fake sign-in page never loads on your device, and pair it with the habit of signing in to Amazon only by opening the site yourself.