Black Friday phishing emails up 237%

by James Dyer
Published on 24th Nov 2023

Black Friday and Cyber Monday are highlights in the cybercriminals’ calendars, leading to a spike in the number of related phishing attacks. Between November 1st – November 14th, 2023, we've detected a 237% increase in phishing emails relating to Black Friday and Cyber Monday versus the period between September 1st – October 31st, 2023. We predict that this will increase in the run up to this year’s Black Friday and Cyber Monday.

Quick attack summary

Vector and type: Email phishing

Techniques: Brand impersonation (including Amazon, eBay, Chase Bank, and Bank of America)

Payload: Phishing hyperlinks

Targets: Organizations in North America and the UK

Platform: Microsoft 365

Black Friday and Cyber Monday impersonation emails

This year, our Threat Intelligence analysts have seen a range of attacks, including a high number of phishing emails impersonating globally recognized brands. Cybercriminals are deploying a range of tactics to enable these impersonation emails to get through perimeter security and then trick recipients into falling victim.

Many of the emails we analyzed used stylized HTML templates to impersonate brands, featuring official logos, footers, and even some legitimate hyperlinks to the impersonated brand’s site. However, at least one malicious link to a phishing website is also included, usually as a call to action (CTA) button offering a discount or offer.

Stylized HTML phishing email impersonating Amazon

Stylized HTML phishing email impersonating Amazon

Stylized HTML phishing email impersonating Amazon

In this example, the yellow ‘Shop Now’ button takes the victim to a phishing website via a redirect, however there are also 10 legitimate links to Amazon’s website contained within the email to help it bypass link scanning detection in traditional email security technologies.

In addition, cybercriminals use hijacked or spoofed domain names to increase the appearance of legitimacy of their attacks. In the example above, attackers have spoofed the domain ‘’, which is used for notifications to UK-based shoppers. Another common tactic is to register a domain name that is subtly similar, but not the same as, the legitimate brand’s domain. Some of the lookalike domains we’ve detected this year include:


By registering lookalike domains, cybercriminals have the power to hold them, age them, and them up so they have SPF, DKIM AND DMARC enabled. This helps the attacks to get through the base-level checks that traditional perimeter anti-phishing technologies conduct before sending suspected phishing emails to quarantine or Junk.

As well as stylized templates, we’ve seen other social engineering tactics at play in this year’s Black Friday and Cyber Monday phishing emails, including various subject lines designed to tempt people into opening emails and quickly clicking on the hyperlinks inside, such as:

  • [BLACK FRIDAY OFFER] – Get 80% when you sign up!
  • Come on down to Lowe's for $100 OFF! - BLACK FRIDAY
  • Get ready! Black Friday starts at midnight
  • Switch to Chase to earn $1000 in cash back rewards – ONLY ON BLACK FRIDAY
  • Lovis Vuitton Black Friday OFFERTA su migliaia di prodotti!!
    [English translation from Italian - Lovis Vuitton Black Friday DEAL on thousands of products!!]

In the example shown above, the cybercriminal also uses obfuscation to mask the phishing hyperlink in the 'Shop Now’ button, meaning people won’t see the URL of the phishing website if they hover over it (a common piece of advice given to help people detect phishing emails).

Egress Defend Link Scanner

As shown in the screenshot above, the cybercriminal redirects a Black Friday-related ‘’ URL to a phishing website. As well as using the spoofed Amazon domain name, this gives the attack the appearance of legitimacy, as the recipient will see this URL first if they hover over, or even click on, the link.

Finally, cybercriminals are widening their nets by deploying attacks in multiple languages. Of the phishing emails that we’ve investigated between November 1st and November 14th, 2023, 13.8% were in Spanish and a further 11.3% were in Italian. Hackers will run multiple campaigns and the more diverse they make them, the more potential targets they can access.

Egress analysis: Brand impersonation, social engineering, and getting through traditional anti-phishing detection

Brand impersonation and social engineering

Black Friday and Cyber Monday present cybercriminals with a variety of phishing opportunities, particularly through brand impersonation. Cybercriminals impersonate brands in a number of ways: offering discounts and special sale prices, asking the user to update their delivery details, verify their account, or sign in to access a gift. Bigger brands are often the targets of cybercriminal impersonations as hackers aim to leverage the brand’s broad appeal to catch as many victims as possible.

These tactics (and others) all play on people’s heuristics – the mental ‘shortcuts’ or ‘rules of thumb’ we put in place to increase decision-making speed.

Brand impersonation relies heavily on the heuristic of ‘representativeness’; the ability to categorize something based on its similarity to other items in that category. The Amazon impersonation analyzed above uses several tactics to trick recipients into believing the email belongs in the same, trustworthy category as legitimate emails from Amazon, including the spoofed ‘’ domain, stylized template featuring Amazon branding, and the payload obfuscated behind an ‘’ redirect.

The use of link-based payloads (rather than malware attachments or invoice and payment fraud) is common in Black Friday, Cyber Monday, and other ‘holiday shopping’ phishing attacks, as this is in line with the emails sent from legitimate brands, containing real offers. In phishing attacks, however, these hyperlinks will send victims to a website that will steal their credentials or bank details or download malware onto their device.

It's also extremely common for cybercriminals to leverage the heuristic of hyperbolic discounting during holidays such as Black Friday and Cyber Monday, when legitimate brands are promoting their sales. People frequently rush to take advantage of discounts and offers – which in the case of phishing emails, are literally too good to be true. Cybercriminals also use pressure tactics such as limited availability and phrases such as ‘act now’ or ‘while stock lasts’ to incite victims to click quickly and without thinking.

Obfuscation techniques are becoming increasingly common within phishing emails. Our October edition of the Phishing Threat Trends Report found that 55% of phishing emails contain at least one obfuscation technique, with the majority containing two or more. Hijacking legitimate hyperlinks, as seen in the Amazon example above, is the second most common technique (behind HTML smuggling).

Bypassing traditional anti-phishing detection

Traditional anti-phishing technology relies on signature-based and reputation-based detection, determining whether the email contains any known attack signatures and whether is sent from a trusted entity (reputation) or not. This detection capability is found in secure email gateways (SEGs) and in the native security in cloud-based email platforms such as Microsoft 365, Gmail, and Hotmail, etc.

As noted above, the attacks we detected have got through reputation-based detection by passing DMARC, SKIM, and SPF checks. This can be achieved by strategically ageing a spoofed (or other registered) domain prior to launching a phishing campaign, by compromising a legitimate email account on a trusted domain or using a free webmail account or burner email.

Limiting the number of malicious hyperlinks and including legitimate ones within the emails helps attacks to get through link scanning checks. Typically, phishing websites are live for a short time only, until they are identified as malicious and blocklisted. With the rise of crime-as-a-service and availability of phishing kits online, however, it is easy for an attacker to ‘drag and drop’ their phishing website onto a different domain and update their attack.