This morning I got an email just incoherent enough to be believable as from Amazon:
Subject: Amazoп Security Alert:Sign-In detected from Firefox for Opera for Windows 7,Poland
"Your Amazon account [my email], found abnormal login, the recipient address has been changed!"
The exclamation point is theirs. More words claiming one can only log in using the app on a moble phone. Needless to say there is code hidden all over the email. At bottom there's a big button to "Change Settings."
Uh, nope.
I was cheered to discover that when I went to my account settings via the normal route rather than clicking on the bogus button, I already had two-factor authentication in place. Yay, me.