In this case the fraudster was logged in to an Amazon account. They created a new account using the alternative e-mail address and set the address differently to the original account.
They then claimed that the original account was lost due to the e-mail address being "hacked" and that they needed the order numbers. They then used the order numbers to request a replacement using their new account.
>They created a new account using the alternative e-mail address and set the address differently to the original account. //
You lost me.
So customer Andy Blogger has account ablogger@gmail.com.
Fraudster Bandy Logger creates account at Amazon using email address ab.logger@gmail.com and the verification email is sent to Andy's account (as gmail is dot blind in email addresses).
How does fraudster Bandy confirm ownership of the Amazon account so he can log in and change the accounts email address? Doesn't he have to create the account with the re-shippers postal address, then confirm the account with an email address they control, then change the email address to the one for the Gmail account ... doesn't that look pretty damn suspicious.
How about recording a short video on account creation, speaking/signing name or something similar. Then reps could confirm owner ship via video chat. Sure it would still be possible to abuse but would be a lot harder.
They then claimed that the original account was lost due to the e-mail address being "hacked" and that they needed the order numbers. They then used the order numbers to request a replacement using their new account.