Beware of Email Phishing Scams
I also get hundreds if not thousands of these phishing emails per week. It's not Amazon's fault; they had no knowledge of it, nothing to do with it, and could not have prevented it. These scams are very common and are generally called "phishing" scams; that's the generic term for any email purporting to be from a reputable company that is trying to obtain personal information such as credit card info or a social security number. They usually do that by making a provocative assertion, such as "Your account has been compromised" or "We have processed a charge to your credit card of $6,000.00", and then they provide a link to a website to "verify" your info.
In your case, they added a viral attachment as a twist. I'm guessing that, in all actuality, the attacker didn't even know you ordered from Amazon that week; he just got lucky with his timing. For example, I get several emails a week from my "bank" requesting that I log into my on-line account. Sometimes my "bank" is Bank of America, sometimes it's Citibank, sometimes Washington Mutual. About one in ten times, the odds break in the attacker's favor and the message comes from Wells Fargo, my actual bank.
The only real solution is for the on-line consumer to be as savvy about purchasing from a virtual store as he or she is about buying from a brick-and-mortar one. For instance, I happen to know that Amazon never sends information in an attachment; it just doesn't happen. They send any information to you directly in the body of their emails. If I had received that message, I would have deleted it without a second thought, or possibly given it a good look over, just to see how clever the guys had been. I have, on occasion, followed links in phishing emails just so I could get to their fake web site and write obscenities in the blank fields where they expect me to be dumb enough to put my credit card numbers.
The standard response, if you are unsure about the veracity of an email, is to call the company directly from a known-good number and confirm the message. Most companies won't come out and say "We didn't send you this message", because they are huge and have too many departments and employees to make such a blanket statement, but if they say "We have no record of such a charge," etc., then you're fine. Given the odds, your best bet is to assume that any provocative email is fake until proven genuine.
I hope this won't ruin your online shopping experience. I have done it hundreds of times, from many different stores, and never been burned. In fact, I was thrilled yesterday to receive the custom-made bumper stickers I bought over the web. They proudly proclaim my message, in red, white and blue, that "Stupid People RULE!"
-Tracy, Los Angeles