
Most scammers are impersonating the bargain tracker Deal Watchdogs and have been using the first week of November to test scams on early deal-seekers.
Cybercriminals started their Black Friday phishing campaigns almost a month before the shopping event itself, according to new data shared exclusively with Cybernews.
An analysis by KnowBe4 Threat Labs, a security awareness training platform, has revealed a twenty-fold increase in Black Friday-themed phishing attempts on November 1st, with activity surging to around 8% of all observed emails.
Targeting early birds
This early start is no coincidence, with researchers warning that criminals are using the first week of November to test phishing templates, bypass filtering systems, and target early deal-seekers who are already searching for pre-Black Friday discounts.
The attackers also leverage this window to establish fraudulent storefronts and fake retail ecosystems before legitimate retailers flood inboxes with their own promotions.
Although the spike drops after November 1st, phishing levels remain consistently elevated – between 4% and 5% – throughout mid-November, indicating a sustained campaign rather than a one-day surge.
In total, the researchers at KnowBe4 analyzed 27,061 Black Friday-themed phishing emails.
The majority targeted early-bird bargain hunters by impersonating Deal Watchdogs, a popular deals-tracking brand, which accounted for 84% of all messages.
These emails frequently referenced Amazon gadget discounts and Oprah’s Favorite Things, themes crafted to appear trustworthy and culturally familiar.
Direct Amazon impersonation appeared in 52% of samples, while Costco spoofing accounted for 13%, highlighting Deal Watchdogs as the dominant lure.
Phishing campaign dates per region
The timing and brand targeting varied significantly by region. Black Friday phishing campaigns began on November 1st in France and on November 3rd in the UK, while scam campaigns in the US, Germany, and Benelux countries started on November 5th.
Peak attack days followed between 10th and 12th November, depending on the country.
Regional impersonation also reflected local consumer behavior: Amazon was most spoofed in the UK and South Africa, Lidl in France and the Benelux region, Costco in the US, and IKEA in Germany.
Payloads ranged from credential-harvesting links in the UK and the USA to fraudulent gift card schemes in Germany and the Benelux region.
Fake websites supercharged with AI
The fraudulent storefronts and fake retail ecosystems to which phishing links lure unsuspecting shoppers are now far more sophisticated than the crude scam pages of previous years, security analysts also warn.
Generative AI has given criminals the ability to clone the branding, layout, and tone of major retailers with stunning accuracy. They can replicate discount banners, product photography, customer service chat, delivery notifications, and even real-time inventory indicators.
Tim Burke, CEO of Quest technology management, notes that these sites mirror current Black Friday promotions “perfectly,” and deploy persuasive countdown timers and scarcity messaging to push shoppers into impulsive purchases.
“The goal is usually either to harvest payment credentials in bulk or to gain long-term access to customer accounts for later exploitation. It’s a shift from quick frauds to campaigns designed for sustained financial gain,” says Burke.
Consumers are also being lured into scams through genuine-looking paid ads on Google and on the Meta platforms Facebook and Instagram.
The message to shoppers this year, according to Javvad Malik, lead CISO advisor at KnowBe4, is to treat every deal with caution, especially if it looks too good to be true.
“Scammers count on the excitement of a bargain to override someone’s usual judgment. Taking a moment to verify the website, examine a link, or double-check a deal could be the difference between a great saving and becoming a victim. A few simple steps can keep you safe while still enjoying the best of the sales.”