Hackers target Home Depot customers with new fall phishing scam


Home Depot shoppers are being warned about a new phishing scam hitting email inboxes. The scam pretends to be a free giveaway from the home improvement chain but is really just hackers trying to steal your information.

New research published by Malwarebytes on Wednesday says the fake Home Depot email message tells the would-be victims they have won a free Gorilla garden Dump Cart – and all the person has to do to claim their free prize is to click a button that says “Start Here.”

The realistic-looking phishing campaign, which sports a Halloween theme, is aptly timed to coincide with the fall season, when millions of homeowners across the country's northern half spend weekends bagging fallen leaves and clearing out gardens before it gets too cold.


Attempting to convince the recipient to click the link button, the email – which starts off with “Boo” – is crafted with catchy phrases such as “No Tricks Just Clicks!,” “Your Treat is Just a Click Away,” and “No Catch, No Cost, Win in Minutes.”

Home Depot phishing Halloween giveaway 1
Images by Malwarebytes.

Malwarebytes says that once the button was clicked, its researcher was taken through a series of further fake pages, all designed to steal the recipient's personal information.

Each of these steps, such as filling out a survey (asking the user even more personal details) and providing a home address for delivery, would get the victim closer to claiming their “free” Gorilla Dump Cart.

Underhandedly, one of the last pages requires the alleged prize winner to provide a credit card number and details “to pay a small processing fee” to claim the wheelbarrow-like cart.

“Of course, urgency was applied so visitors don’t take the time to think things through. The site said the offer was only valid for a few more minutes,” said Malware Intelligence Researcher Pieter Arntz, who conducted the phishing test.

“The ‘one-click’ promise quickly turned into a survey – answering basic questions about my age and gender, I was finally allowed to ‘order’ my free Gorilla Cart,” Arntz reported about his experience.

Home Depot phishing Halloween giveaway 2
Images by Malwarebytes.

Obvious red flags

The research notes that the entire image was clickable and that, on closer examination, the seemingly legitimate message showed several signs of fraud and inconsistencies.

Malwarebytes says the sender's email address is the first clue that the email is a scam. The email domain, “yula.org,” not only contained no reference to Home Depot but was registered to a high school in Los Angeles.

“The email address or server may be compromised. We have notified them of the incident,” Arntz said.

Next, the email’s content appears to have been copied and pasted from another legitimate shopping order. This helps to give the email authenticity, allowing it to bypass spam filters more easily.

Home Depot phishing Halloween giveaway 3
Images by Malwarebytes.

Third, the research found a “hidden block filled with unnecessary Unicode whitespace and control characters (like =E2=80=8C, =C3=82),” another method used by scammers to bypass spam filters.

And finally, the email was found to contain “a one-pixel image,” most likely used as a tracker to alert the phishers if and when the email gets opened.

Speaking of tracking, the research also found that every link address used in the campaign carried a unique tracker, a known phishing tactic for gathering even more details to ensure the bad actors' success, including “engagement, validating target lists, and potentially personalizing follow-ups or selling ‘confirmed-open’ addresses.”
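The four indicators above (sender domain unrelated to the brand, hidden Unicode characters, a one-pixel image, and a tracking token shared by every link) can be checked mechanically on a raw message. The following Python script is an added example, not code from Malwarebytes or Cybernews; the message it inspects is a constructed sample in the same style as the one described, using reserved `.invalid` domains, and the `audit` function and its field names are this example's own.

```python
import email, re, unicodedata
from email import policy
from urllib.parse import parse_qsl, urlparse

# Constructed sample, not the message Malwarebytes analysed: quoted-printable HTML with a
# mismatched sender domain, a hidden run of zero-width characters (=E2=80=8C is U+200C),
# a 1x1 image and one opaque token repeated on every link.
SAMPLE = b"""From: Home Depot <promo@example-school.invalid>
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p>No Tricks Just Clicks!</p>
<div style=3D"display:none">=E2=80=8C=E2=80=8C=E2=80=8C=C3=82=E2=80=8C=E2=80=8C=E2=80=8C</div>
<a href=3D"https://prize.example.invalid/start?t=3Dabc123">Start Here</a>
<a href=3D"https://prize.example.invalid/rules?t=3Dabc123">Rules</a>
<img src=3D"https://prize.example.invalid/o.gif?t=3Dabc123" width=3D"1" height=3D"1">
"""

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

def hidden_chars(body: str) -> int:
    # Count characters that render nothing: zero-width, format/control, exotic spaces.
    return sum(1 for ch in body if ch not in "\r\n\t "
               and (ch in ZERO_WIDTH or unicodedata.category(ch) in ("Cf", "Cc", "Zs")))

def tracking_pixels(body: str) -> int:
    # Images declared 1x1 exist only to report that the mail was opened.
    return sum(1 for tag in re.findall(r"<img\b[^>]*>", body, re.I)
               if re.search(r'width="?1\b', tag, re.I) and re.search(r'height="?1\b', tag, re.I))

def shared_link_params(body: str) -> dict:
    # A query parameter carrying the same opaque value on every link is a per-recipient tracker.
    common = None
    for href in re.findall(r'href="([^"]+)"', body, re.I):
        params = set(parse_qsl(urlparse(href).query))
        common = params if common is None else common & params
    return dict(common or set())

def audit(raw: bytes, brand_domain: str) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_content()  # decodes quoted-printable and the declared charset
    domain = msg["From"].addresses[0].addr_spec.rsplit("@", 1)[-1].lower()
    return {
        "sender_domain": domain,
        "sender_mismatch": domain != brand_domain and not domain.endswith("." + brand_domain),
        "hidden_chars": hidden_chars(body),
        "tracking_pixels": tracking_pixels(body),
        "shared_link_params": shared_link_params(body),
    }
```

Running `audit(SAMPLE, "homedepot.com")` flags all four indicators on the sample; on a real mailbox the same checks would be run over the raw `.eml` bytes before any link is followed.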

Although Arntz's examination ended with a “Something went wrong, try again” pop-up, the intelligence expert says that after a victim's sensitive data is stolen, the scammers presumably will keep the PII stored in a database or server for future phishing attacks and/or identity theft, or possibly forward or sell it to cybercriminal affiliates.


Malwarebytes says the public can follow the tips below to stay safe from phishing threats.

  • Never click on links in unsolicited emails.
  • Always check the sender’s address is legitimate and one you would expect.
  • Double-check the website’s address before entering any information.
  • Use real-time anti-malware and web protection to filter inboxes.
  • Never fill out personal details on unfamiliar websites.
  • Never fill out payment details unless completely sure of a website’s legitimacy.
