It’s the most wonderful time of year. Family. Post-turkey malaise. Shopping. Phishing scams.

One of these things is not like the other.

Yes, it's Black Friday and Cyber Monday season, and while we’re busy making our lists and checking them twice, hackers are making their lists of targets and checking those twice. Black Friday and Cyber Monday are some of the best times of year for hackers. They send influxes of attacks that are aimed at taking advantage  

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how and why hackers send phishing campaigns centered around holiday shopping. 


In this attack, hackers are sending fake order confirmation notices in the hopes of getting the user to attempt to get a refund. They will instead be led to credential harvesting pages. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Social Engineering, Impersonation
  • Target: Any end-user

Email Example #1



This email looks like a standard shipment notification. It shows an order confirmation, as well as shipping details, including a tracking number. When searching that tracking number, you’ll find it’s not legitimate, but rather associated with similar scams. The email is also for a brand that, when going to their website, leads to a malicious link. What the hackers want you to do is click on the “Issue a Refund” button. That redirects to a credential harvesting site. The hackers assume that you know you didn’t order from this site–that would encourage you to click on getting a refund. Seems easy enough–and that’s what the hackers would have you do. 



Black Friday and the holiday season are just around the corner. This has always been associated with an increase in phishing scams that take advantage of these events. Last year, we wrote about a number of these attacks, including spoofs of USPS, DHL and Amazon. All these attacks tend to have something in common. They either spoof some form of shipment notification or an order confirmation. The idea is that the end-user sees something they didn’t buy and aims to rectify it, or sees something that looks like they did buy and try to fix a delivery issue. Some of the more clever scams will include a phone number to call in what we call “phone number harvesting.” These attacks not only steal web-based credentials but also get your phone number, which can be used for further attacks.


We can expect a lot more of the same this year.  In 2020, for example, according to Check Point, phishing emails doubled in November, particularly around “Special offer” campaigns.



We’ll see a large increase this year. And remember–these attacks happen on both business and personal emails. That increases the room for error on the end-user’s side. 

The time is ripe for scams. Between shipping notifications, special offers, refund notices and more, we are inundated with legitimate emails around our holiday shopping. Hackers, always one to get it on the latest trends, love to take advantage.

Around the holiday season, end-users should expect a large increase in the amount of holiday shopping-related attacks. Even when they are legitimate, end-users should pay extra attention to all holiday and shipping-related emails.

Nothing ruins a holiday more than being swindled. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always hover all URLs before clicking
  • Always double-check sender addresses
  • Before engaging with an order confirmation email, ensure that it is something you have actually purchased