It’s practically a holiday at this point: Amazon Prime Day. Two days of ridiculous deals and savings.

Here’s what else is associated with the day: Phishing.

Amazon is already a popular phishing target. We’ve written about it in the past, here, here, and here.

Amazon is one of the most impersonated brands out there. Now, with a major spending holiday around the corner, phishers are at it again, trying to steal credentials and money.

Starting in June 2022, Avanan researchers have seen an uptick in spoofed Amazon attacks, whereby hackers are trying to steal credentials in the hopes that users will think it’s the actual Amazon brand emailing. In this attack brief, Avanan will analyze how hackers are spoofing Amazon to steal credentials.


In this attack, hackers dangle the promise of an Amazon gift card if the user takes a survey. In actuality, the link leads to a clear credential harvesting page.  

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Impersonation
  • Target: Any end-user



In this attack, threat actors are taking advantage of the Amazon brand name to send credential harvesting emails. 

Email Example #1

In this attack, the hackers are sending what appears to be a survey that can lead to a sizeable gift card. The subject line will grab the attention of anyone who uses Amazon frequently. 

From there, you’ll see the beginning of the survey. Notice how the survey page is different than what’s suggested in the original email. 



The user will be asked to enter their email, and then afterward their password. 



Hackers are taking advantage of Amazon’s popularity to send phishing and credential harvesting emails. With the Prime Day holiday coming up, these scams will proliferate significantly. Check Point Research (CPR) has found a 37% increase in daily Amazon-related phishing attacks compared to the daily average from June. 

For last year’s Prime Day, CPR witnessed an 86% increase in phishing emails related to the sale, and a 16% increase in phishing URLs.

Further, in June 2022, there were almost 1,900 new domains related to the word “amazon”--and 9.5% of those were malicious or suspicious. 

This particular attack starts by utilizing Amazon’s name and credibility. When a user sees an email that appears to come from Amazon, they are more likely to trust it. The subject line, which refers to recent deliveries, is also something that seems plausible.

When hovering over the survey link, end-users will notice that the URL is not Amazon’s; also, the survey page makes mentions of different deals to complete, which wouldn’t happen on Amazon.

However, the fact that the email dangles the possibility of a reward may be enough to induce users to click.

Impersonating a brand is a classic social engineering tactic. Impersonating perhaps the world’s most recognizable brand is a surefire way to get at least some people to engage. 

With Prime Day here, Avanan researchers expect these attacks to spread like wildfire, making it even more important for users and companies to be on guard. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Check sender address before interacting with any email 
  • Always hover over any link to see the destination URL before clicking on it
  • Encourage end-users to ask IT if the email is legitimate or not