A record wave of online fraud is colliding with the year’s busiest shopping period, as federal investigators and Amazon warn of a sharp rise in account takeover schemes driven by advanced phishing, fake retail sites, and artificial intelligence tools.
Holiday Phishing Becomes Industrial-Scale
Since January 2025, the FBI’s Internet Crime Complaint Center has logged more than 5,100 reports of account takeover fraud, with losses topping $262 million—about $51,400 per case on average. Complaints have risen so steeply that investigators and Amazon have issued an unusually forceful joint alert focused on holiday shoppers.
Cybersecurity firm Darktrace measured a 620% jump in Black Friday–related phishing campaigns in November 2025, the largest holiday spike it has ever recorded. Amazon is the primary lure, appearing in roughly 80% of phishing attempts aimed at major consumer platforms such as Apple, Netflix, and PayPal. Darktrace researchers projected phishing volumes to climb a further 20–30% during the week of Black Friday itself, as criminals timed their campaigns to peak online spending.
Attackers are exploiting the rush of seasonal purchases to push email and text scams about account problems, suspicious charges, and shipping issues, all designed to drive targets toward credential-stealing pages.
Fake Retail Ecosystem Blooms Online
Behind these campaigns sits a dense network of newly registered web domains built to impersonate trusted retailers and discount outlets. FortiGuard Labs reports more than 18,000 holiday‑themed domains were created in just three months, with at least 750 confirmed as malicious. Many use terms such as “Christmas,” “Black Friday,” or “Flash Sale” and adopt familiar layouts to appear genuine.
Researchers also identified about 19,000 e‑commerce‑related domains mimicking major store brands, with 2,900 verified as malicious. Small alterations—like “amazon-dealz.shop” instead of the legitimate “amazon.com”—can be easy to miss on a smartphone screen, yet they route shoppers into well‑crafted traps.
The same ecosystem extends into underground markets. FortiGuard analysts found 1.57 million stolen login credentials tied to prominent online shopping platforms circulating on dark web marketplaces in a single quarter. These “stealer logs” often include browser‑saved passwords, cookies, and autofill data, allowing attackers to run automated credential‑stuffing campaigns at scale for only pennies per account.
AI Supercharges Deception
A major change this season is the extensive use of generative artificial intelligence in the fraud pipeline. Scammers use AI tools to build phishing emails, counterfeit storefronts, and online advertisements that closely resemble legitimate promotions and customer communications.
Fake shopping sites now routinely feature realistic product photos, convincing customer reviews, and chatbots that can answer basic questions, helping to sustain the illusion. Traditional warning signs such as clumsy language or obvious spelling errors are far less common, weakening the effectiveness of older awareness advice that told users to spot poor grammar or awkward phrasing.
Security researchers describe this shift as a structural change in cybercrime economics. AI systems let relatively inexperienced criminals create tailored lures in seconds and continually adjust tactics—such as rotating domains and altering layouts—when security tools begin to block specific patterns.
Impersonation Tactics Span Email, Text, and Phone
Brand impersonation sits at the center of many of these schemes. Fraudulent messages frequently claim to come from Amazon and urge recipients to resolve supposed account locks, billing discrepancies, or unrecognized purchases. Embedded links lead to fake sign‑in portals designed to capture usernames, passwords, and multi‑factor authentication codes.
Deceptive advertisements on large social platforms intensify the threat. Researchers estimate that Meta‑owned services alone may show around 15 billion scam advertisements every day, many of them promoting steep discounts or hard‑to‑find items that redirect to fraudulent checkout pages.
Text‑based “smishing” attacks mirror these patterns by pretending to be delivery updates from UPS, FedEx, USPS, or Amazon. Messages often reference missed deliveries or address errors that require immediate confirmation, steering recipients toward counterfeit tracking pages where payment details and login credentials are collected.
Phone‑based ploys add another layer. Criminals place calls that appear to originate from official Amazon support lines by spoofing caller ID. Posing as fraud investigators, they warn of fake unauthorized purchases and coax targets into sharing passwords, one‑time passcodes, or reset links. Security researchers have found that in roughly 65% of account takeover cases, victims had multi‑factor authentication activated, underscoring how manipulation rather than pure technical compromise is defeating defenses.
Scammers also continue to rely on gift card schemes, demanding codes as “payment” to resolve fabricated account issues or emergencies. Because gift card transactions clear instantly and offer little recourse, stolen balances are rarely recoverable once shared.
Defenses, Warnings, and the Road Ahead
Amazon has repeatedly stressed that it will not ask for payment information, security codes, or credential verification through unsolicited phone calls, emails, or text messages. The company says all genuine account changes, refunds, and billing corrections are processed only through its official website and mobile applications. Even so, Amazon reports that it took down more than 55,000 phishing sites and 12,000 fraudulent phone numbers in 2024, indicating the persistence of these methods.
To strengthen protection, Amazon now supports passkeys, which allow users to log in with biometrics or device PINs instead of passwords. Passkeys are significantly more resistant to phishing because they are cryptographically bound to legitimate domains. When combined with two‑factor authentication, they can provide strong layered security even if a password is exposed—so long as users do not share one‑time codes or approval prompts with anyone claiming to be support staff.
Victims and targets have several channels for reporting suspicious activity. Amazon offers a self‑service portal at amazon.com/reportascam and asks users to forward questionable emails to stop-spoofing@amazon. com or reportascam@amazon. com. Authorities also encourage consumers to file complaints with the FBI’s Internet Crime Complaint Center at ic3.gov and the Federal Trade Commission at reportfraud.ftc.gov, helping investigators track patterns across platforms and regions.
Experts say that as AI‑driven fraud matures, the balance of power will increasingly hinge on user behavior as much as on technical safeguards. High transaction volumes, tight delivery timelines, and sophisticated lures create ideal conditions for exploitation during the holidays. Looking ahead, wider adoption of phishing‑resistant authentication, coupled with rapid reporting and a sustained focus on basic precautions—such as navigating directly to known websites rather than following unsolicited links—will be critical in limiting the impact of account takeover attacks in future shopping seasons.
Sources:
“FBI Reports $262M in Account Takeover Fraud as Researchers Cite Surge in Holiday Attacks.” The Hacker News, November 2025.
“Phishing Attacks Surge by 620% in the Lead-Up to Black Friday.” Darktrace, December 2025.
“Amazon Issues Attack Warning — 300 Million Customers Are At Risk.” Forbes, November 26, 2025.
“Holiday Shoppers Targeted as Amazon and FBI Warn of Surge in Account Takeover Attacks.” Malwarebytes, November 26, 2025.
“Hackers Create 18,000 Christmas, Black Friday, and Flash Sale Domains to Empty Your Wallet This Holiday.” CyberPress, November 27, 2025.
“How AI Is Supercharging Holiday Phishing Attacks.” Jericho Security, November 19, 2025.