Phishing activity tied to the annual sales period has increased sharply, according to new findings from KnowBe4 Threat Labs. The company examined 27,061 phishing emails linked to Black Friday and reported clear signs that threat actors prepared their campaigns earlier than expected. The first significant rise appeared on 1 November, when Black Friday-related emails reached roughly 8% of all messages collected for the study. Although the level fell after the initial jump, it remained higher than normal throughout the first half of November, averaging between 4% and 5%. The trend suggests a paced approach rather than a single burst of activity. The pattern also shows that attackers are focusing on users who begin searching for early discounts before official promotions start.
KnowBe4 researchers noted that the content of the phishing emails followed predictable themes. Many messages relied on promises of major discounts or time-sensitive offers designed to push shoppers toward fake pages. The researchers stated that threat actors attempt to reach consumers before legitimate retailers begin advertising large sales. Early activity gives criminals more time to refine templates, rotate domains, test message formats and adjust to filtering systems. The goal is to ensure the fraudulent sites remain active during the peak of online shopping when victims are less likely to scrutinise links.
Early activity and regional patterns
The analysis showed that 84% of the Black Friday-related emails impersonated a well-known deal tracking site rather than a specific retailer. Among campaigns that spoofed individual companies, Amazon appeared in 52% of cases, and Costco appeared in 13%. Target brand selection varied by country. In France and the Benelux market, the phishing activity began around 1 to 3 November. In the United States, Germany and the Netherlands, the campaigns began between 5 and 12 November. In the United Kingdom and South Africa, the emails frequently claimed to originate from Amazon. In France and the Benelux region, Lidl was a common target for impersonation. In Germany, the majority of retail-related phishing activity impersonated IKEA. These variations reflect the shopping habits and brand familiarity of consumers in each region, which attackers appear to study closely when constructing their messages.
Researchers observed that criminals are increasingly investing in the quality of fake retail sites linked in phishing emails. The sites now often mirror the layout and branding of major retailers with greater accuracy than in previous years. Many include dynamic features such as countdown timers or customer support widgets that mimic legitimate functions. KnowBe4 stated that recent generative tools allow criminals to create clean and visually convincing interfaces that reduce suspicion among hurried shoppers.
Fake storefront techniques and ongoing risks
Criminals no longer focus only on quick theft of small payments. Instead, many campaigns aim to capture account access or payment credentials that can produce longer-term profit. Some sites request login details tied to retailer accounts, while others ask victims to enter full payment card information before showing an error message that claims the purchase did not go through.
Researchers also highlighted the role of paid advertisements in directing users to these sites. Fraudulent ads placed on platforms such as Instagram and Facebook resemble genuine promotions and are often targeted at audiences who have previously browsed for similar items. This method increases the likelihood that victims will click through without questioning the source. Once on the fake page, the user faces a layout that closely matches the legitimate site, thereby reducing the likelihood of identifying inconsistencies.
KnowBe4 advised shoppers to approach unsolicited links with caution throughout the sales period. Simple checks, such as confirming the domain name, visiting retailers directly, and avoiding unusually deep discounts, can reduce risk. Shoppers should remain attentive even when offers appear attractive and should avoid completing purchases on pages that request personal information that is not normally required.
Incoming search terms:
Site Disclaimer
2-remove-virus.com is not sponsored, owned, affiliated, or linked to malware developers or distributors that are referenced in this article. The article does not promote or endorse any type of malware. We aim at providing useful information that will help computer users to detect and eliminate the unwanted malicious programs from their computers. This can be done manually by following the instructions presented in the article or automatically by implementing the suggested anti-malware tools.
The article is only meant to be used for educational purposes. If you follow the instructions given in the article, you agree to be contracted by the disclaimer. We do not guarantee that the artcile will present you with a solution that removes the malign threats completely. Malware changes constantly, which is why, in some cases, it may be difficult to clean the computer fully by using only the manual removal instructions.