On November 24, 2025, as the Black Friday shopping frenzy kicked off, Amazon sent an urgent security alert to its 310 million active users worldwide — a warning that wasn’t just routine, but a red flag for what cybersecurity experts are calling the largest wave of holiday fraud ever recorded. The email, sent from Amazon’s security team in Seattle, didn’t mince words: scammers were deploying thousands of fake websites, phishing texts, and fake delivery notices to steal passwords, credit card details, and even account access. And they weren’t just guessing — they were copying Amazon’s design, layout, and even its signature orange cart icon with chilling precision.
How the Scams Work — And Why They’re So Effective
The trick isn’t brute force. It’s psychology. McAfee Corporation’s analysts found that 78% of these fake stores use typosquatting — domains like amaz0n.shop or amaz0n-deals.net — that look real until you squint. One shopper in Ohio told her local news station she clicked a Facebook ad for a $199 PlayStation 5, only to find her bank account drained three hours later. The site? A perfect replica of Amazon’s checkout page, right down to the "Secure Checkout" badge. Except it wasn’t Amazon. It was a server in Eastern Europe.
Meanwhile, CloudSEK, a digital risk firm based in Santa Clara, detected more than 2,000 holiday-themed fake stores in just the last 72 hours before Black Friday. That’s a 33% jump from 2024’s 1,500, and nearly double the 2023 tally. What’s new? The rise of the .shop domain. It’s cheap, it’s trusted, and most people don’t think to question it. One site, blackfriday.shop, even had a live chat feature with automated responses mimicking Amazon’s customer service tone. "It’s not a glitch," said CloudSEK’s lead threat researcher. "It’s a factory. These aren’t lone hackers. These are organized crime groups with marketing teams."
The Delivery Scam That’s Tricking Millions
Forget fake websites for a second. The most dangerous scam right now? The "missed delivery" text.
Trend Micro, the Tokyo-based cybersecurity giant, documented over 12 million of these fake delivery alerts sent globally in the 48 hours before Black Friday. They come from numbers that look local, use FedEx or UPS branding, and ask you to click a link to "confirm your address" or pay a $2.99 redelivery fee. Click it, and you’re taken to a login page that steals your Amazon credentials — then sells them on the dark web. One woman in Atlanta received three of these texts in one day. She clicked the second one. Her account was compromised within minutes. "People think they’re just paying a small fee," said a Trend Micro analyst. "They don’t realize they’re handing over the keys to their digital life."
Gift Cards, Social Media, and the "Too Good to Be True" Trap
Then there are the gift card scams. Scammers list $500 Amazon gift cards for $100 on shady third-party sites like eBay clones or Telegram channels. The cards? Already drained. Or worse — they’re fake, generated by bots. CloudSEK found over 800 such listings just on November 23.
On Instagram and TikTok, influencers with 50,000 followers are being paid to promote fake deals — "Amazon’s Secret Black Friday Sale!" — with links that redirect to phishing pages. These aren’t random accounts. Many are bot networks, some even using AI-generated faces to appear real. "It’s influencer fraud," said a former social media marketing executive who now consults for cybersecurity firms. "They’re not even aware they’re part of the scam. They’re paid $500 to post a story. They think they’re helping a brand."
Why This Year Is Different
This isn’t just more scams. It’s smarter scams. In 2023, most fake stores were basic WordPress clones. This year, many use dynamic content, real-time inventory feeds pulled from public APIs, and even fake customer reviews scraped from real Amazon listings. One site even had a "Live Now: 1,207 people viewing this deal" counter — pulled from Amazon’s own public traffic data.
Amazon’s warning included a chilling detail: cybercriminals are now using browser notifications to trick users. If you’ve ever allowed notifications from a site that looked legitimate — say, a fake Amazon deal page — you might now be getting pop-ups that say, "Your account has been locked. Click here to verify." These aren’t emails. They’re browser alerts. And they’re nearly impossible to block without disabling notifications entirely.
What You Can Do — And What Experts Say
The advice from Amazon, CloudSEK, Trend Micro, and McAfee is simple — but hard to follow in the frenzy:
- Never click links in texts, emails, or DMs — even if they look real.
- Type amazon.com directly into your browser. No shortcuts. No bookmarks.
- Check the URL. Look for misspellings, odd domains (.shop, .info, .xyz).
- Use two-factor authentication on all shopping accounts.
- If a deal seems too good — like a $50 iPhone or $100 AirPods — it is.
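The URL check above can be automated in a mail filter or link scanner. The following Python is an added example, not code from Amazon or any of the firms quoted; the function names are hypothetical, the official-domain list is assumed to hold only amazon.com, and the last sample host is constructed.

```python
from urllib.parse import urlsplit

OFFICIAL = {"amazon.com"}             # assumption: add regional domains you trust
BRAND = "amazon"
WATCH_TLDS = {"shop", "info", "xyz"}  # TLDs the article lists; weak signal alone
SWAPS = str.maketrans("01345", "oleas")  # common digit-for-letter substitutions


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row table."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify(url: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for the host part of a URL."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.rstrip(".")
    # Only an exact match or a true subdomain of an official domain passes.
    if host in OFFICIAL or any(host.endswith("." + d) for d in OFFICIAL):
        return "official", []
    labels = host.split(".")
    brand_hits = []
    for label in labels[:-1]:            # every label except the TLD
        for part in label.split("-"):    # "amaz0n-deals" -> "amaz0n", "deals"
            norm = part.translate(SWAPS)
            if part == BRAND:
                brand_hits.append("brand name used on a non-official domain")
            elif norm == BRAND:
                brand_hits.append(f"character swap in '{part}'")
            elif edit_distance(norm, BRAND) == 1:
                brand_hits.append(f"'{part}' is one edit away from the brand")
    reasons = list(brand_hits)
    if labels[-1] in WATCH_TLDS:
        reasons.append("watch-list TLD")
    # A watch-list TLD alone is not proof of fraud, so it never sets the verdict.
    return ("lookalike" if brand_hits else "unverified"), reasons


if __name__ == "__main__":
    samples = ["https://www.amazon.com/gp/cart", "http://amaz0n.shop/deal",
               "amaz0n-deals.net", "https://blackfriday.shop",
               "https://amazon.com.secure-login.example/verify"]  # last one constructed
    for s in samples:
        print(s, "->", classify(s))
```

An "unverified" verdict means only that no brand imitation was found in the hostname; it says nothing about whether the site is trustworthy.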
"The holiday season is the most profitable time for criminals," said McAfee’s chief threat intelligence officer. "And this year, they’ve built a system that scales. They don’t need to hack Amazon. They just need to make you think you’re shopping there."
What’s Next?
Experts expect the fraud to peak between November 24 and December 25, 2025 — with Cyber Monday and Christmas Eve being the most dangerous days. CloudSEK is already tracking over 300 new fake stores created since Thanksgiving. And Amazon says it’s working with law enforcement in the U.S., Germany, and India to shut down server clusters behind the worst offenders.
But here’s the uncomfortable truth: no amount of corporate warnings will stop someone who’s desperate for a deal — or distracted by holiday stress. The real defense isn’t software. It’s skepticism.
Frequently Asked Questions
How can I tell if a Black Friday deal is fake?
Check the URL carefully — fake sites often use .shop, .info, or misspellings like "amaz0n.com." Look for poor grammar, missing security badges (look for the padlock icon), and prices that are 70%+ below retail. If you’re unsure, search for the product on Amazon directly and compare prices. Legit deals are good, but never this good.
What should I do if I already clicked a suspicious link?
Immediately change your Amazon password and enable two-factor authentication. Check your bank statements for small test charges — scammers often try $0.50 or $1.00 transactions first. Run a full antivirus scan, and report the site to the FTC at reportfraud.ftc.gov. Don’t panic, but act fast — most accounts are drained within 2–4 hours.
Are .shop domains always scams?
No — .shop is a legitimate top-level domain used by real retailers. But during holidays, scammers exploit its trustworthiness. The key is context: if a .shop site offers a deal only available on Amazon, or uses Amazon’s branding, it’s fake. Always verify by going to the official site directly. Legit .shop domains have clear contact info and return policies.
Why are there so many fake stores this year?
The rise of AI tools and low-cost hosting has made it easier than ever to clone sites in minutes. CloudSEK reports that over 60% of these fake stores were built using automated templates, with AI generating fake reviews and product descriptions. With 310 million Amazon users targeted, even a 0.1% success rate means 310,000 compromised accounts — enough to make it profitable.
Is Amazon doing enough to stop these scams?
Amazon has removed over 1.2 million fake listings this season and shut down 400+ domains, but the scale is overwhelming. They rely on user reports and automated detection, which lag behind real-time fraud. Experts say the real solution lies in coordinated global law enforcement action — something that’s still slow-moving. For now, the burden falls on consumers to stay vigilant.
What’s the biggest red flag in a scam email?
Urgency. Scammers create fake deadlines: "Your package will be returned in 2 hours!" or "Your account will be suspended unless you verify now!" Legit companies never pressure you this way. If you’re unsure, go to the official website directly — don’t click anything in the email. And never give out your password, even if they say they’re from "Amazon Support."