Cybersecurity companies are recording a surge in phishing attacks on prospective buyers ahead of Black Friday. The number of emails linking to fake websites has risen 3.5 times compared with last month, and attackers are actively spreading such links on social networks, luring people with huge discounts. Experts warn that attacks on customers are becoming more targeted: they urge checking even emails that mention previous orders, and pausing before agreeing to a tempting offer. How else customers and stores are being attacked on the eve of the sales: in this Izvestia article.

The most common fraud schemes

The number of phishing emails ahead of the global Black Friday sale (November 28, 2025) has increased 3.5 times compared with last month, experts at the Neuroinform company estimate. The three most common schemes currently used by scammers are fake websites of well-known brands, fake promotions launched on social networks, and fake delivery notifications.

Photo (laptop): IZVESTIA/Anna Selina

"Creating fake websites is a fairly well-known scheme, but despite this, potential buyers still fall into this trap," the company warned.

In November of this year alone, according to various information security organizations, the attackers launched between 700 and more than 1,000 clone sites imitating well-known stores. Buyers who pay for goods on such resources lose not only their money but also their bank card details.

Phishing sites are very similar to legitimate ones, confirmed Muslim Majlumov, director of products and technology at BI.ZONE, a digital asset management company. The company's specialists note that the number of such sites grows every year starting in September and reaches its peak by November, when Black Friday takes place. For example, if about 100-150 of them are created from January to August, in September this number usually reaches 200, in October 500, and in November the number of trap sites doubles again.

Analysts note that in the fall of 2025 the number of phishing emails increased more than 2.4 times compared with the same period last year. Corporate mailboxes are increasingly receiving discount-season messages with the same wording: "Black Friday is close", "Discounts until the end of the week", "Your bonus for participating in the sale", "Special prices only today", "BLACK Friday has begun".

Photo (Black Friday): IZVESTIA/Eduard Kornienko

Cybercriminals appeal to the recipient's emotions. Personalization and a sense of benefit or urgency encourage recipients to act hastily: click on links, download attachments, or disclose personal information, experts warn.

In addition, according to preliminary estimates, the attackers organized about 100 campaigns on Russian social networks: they aggressively promoted advertisements for goods, including the premium segment, allegedly at discounts of up to 90%, the Neuroinform company noted.

— Advertisements led to fraudulent websites where it was possible to pay for the goods. As a result, customers received cheap counterfeits instead of high-quality original products from a well-known brand, or they received nothing at all, they said.

In addition, in November 2025 the attackers actively sent SMS and emails to potential buyers, posing as well-known delivery services. The scammers' messages reported problems with delivery and contained a link to a phishing website for entering passport data for customs clearance, paying customs duties, or paying additional charges for an overweight parcel. In the first half of this month, the number of such emails almost doubled compared with the same period last year.

Photo (parcel): IZVESTIA/Elmira Zakirova

In addition, the attackers used one of the most common schemes of the sales period, gift card fraud: cards sold on questionable websites turned out to be inactive after purchase.

How retailers were attacked

At the same time, not only potential buyers became targets of the intruders. One of the main problems for Russian online retailers is fraud involving the theft of personal data and funds through the abuse of loyalty programs.

— Scammers can appropriate bonuses in an illegitimate way and sell them on various online platforms. Before the sales season, their activity traditionally grows, which is confirmed by our data, said Dmitry Golovanov, head of the anti-fraud analysis group at Kaspersky Fraud Prevention.

At the same time, according to Kaspersky Lab, in the third quarter of 2025 the number of accounts showing signs of fraudulent activity aimed at e-commerce tripled compared with the first quarter. As a rule, such suspicious activity means that attackers engage in illegitimate account fraud to benefit from loyalty programs while bypassing the rules of online retailers. For example, welcome bonuses are exploited when online stores offer new customers free shipping, discounts, or additional points.

Photo (phone): IZVESTIA/Yulia Mayorova

Artem Izbayenkov, director of the Solar Space cloud cyber defense platform at Solar Group, told Izvestia that on the eve of Black Friday the company is seeing an increase in DDoS attacks and malicious bot activity aimed at online retail, payment systems and delivery services.

— The load on the Internet business infrastructure during the sales period is accompanied by an increase in the number of cyber attacks by 70% or more compared to normal weeks. During this period, attackers seek to disrupt websites, disrupt online sales and gain access to customer data, he said.

Anton Chemyakin, head of the analytical department at Servicepipe, recalled that the first global sale, "11.11" (World Shopping Day and Singles' Day), actually started a little earlier than its date, which is already traditional for such events.

— And since November 8, we have recorded a 15-35% increase in human traffic, and an eightfold increase in bot traffic for individual resources. The main peak occurred on November 9-11: DDoS attacks on large e-commerce sites were also observed these days, which is also traditional for the high sales season, he said.

Photo (traffic): IZVESTIA/Yulia Mayorova

In 2024, the peak load reached 3.5 million requests per minute, and this year it was slightly lower in intensity, but noticeably longer and geographically more diverse.

— During the week of November 17-21, human traffic decreased slightly and exceeded the standard by only 12%. The next peak is expected next week during Black Friday, when human traffic may again grow by 30-40%, along with a surge in malicious automation. The peak load, judging by the data from previous years and the activity on "11.11", can reach up to 3.8–4 million requests per minute, the expert predicts.

According to him, marketplaces accounted for the largest volume of malicious traffic this November, while parsers (programs that collect data from web resources) targeted specialized online stores less.

— We also recorded a new trend, the activation of AI agents during the sales period: their share exceeded 15% on certain resources at a certain point in time, while the average value for all segments of the economy was up to 1.4%, said Anton Chemyakin.

How to protect customers and retailers

To protect yourself from phishing attacks during the sales period, it is recommended to check store URLs carefully: fake sites often differ only slightly, for example by a substituted letter or an extra character, said Alexander Dmitriev, CEO of Neuroinform.

Photo (scammer): IZVESTIA/Yulia Mayorova

— Do not follow links from emails and messages. If you receive a letter with a tempting offer, it is better to go to the store's official website yourself and check the availability of the promotion, he said. — In addition, it is necessary to update antivirus software regularly; modern antiviruses are able to recognize phishing sites and block them.

Experts also recommend checking the senders' addresses, not opening attachments from suspicious promotional emails and not clicking on the links in them.

Sargis Shmavonian, an information security expert at Cyberprotect, reminded readers that fake pages often differ by just one or two characters or in the domain, and that today it is almost impossible to distinguish a skillfully made fake website from the original by its design or interface.

— Do not follow links from SMS and instant messengers, especially when it comes to order delivery, "account blocking", "refund" or the promise of big discounts or lottery wins. Always double-check the information through the official website or application of the store or marketplace, contact the bank or retailer directly through public contacts and clarify the details, he said.
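As an added illustration of the URL check Dmitriev and Shmavonian describe (this is not code from the article or from the companies quoted), the Python below flags a URL whose host is within one or two edits of a known store domain, uses a Cyrillic or digit lookalike letter, or embeds the brand inside another domain. The store list and sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate store domains (sample values, not from the article).
KNOWN_STORES = ["bigshop.com", "example-store.ru"]

# Cyrillic letters and digits that render like Latin letters; folded before comparing.
HOMOGLYPHS = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "0": "o", "1": "l",
})


def hostname(url):
    """Extract the lowercase host from a full URL or a bare domain, dropping 'www.'."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, known=KNOWN_STORES, max_edits=2):
    """Return (verdict, brand): 'legit', 'lookalike' or 'unknown' for the URL's host."""
    host = hostname(url)
    folded = host.translate(HOMOGLYPHS)
    for brand in known:
        # Exact match, or a genuine subdomain of the brand's own domain.
        if host == brand or host.endswith("." + brand):
            return "legit", brand
        # Brand embedded in a foreign domain, e.g. bigshop.com.secure-pay.ru or bigsh0p.com.
        if brand in folded or brand.split(".")[0] in folded.split("."):
            return "lookalike", brand
        # One or two substituted, inserted or removed characters (typosquatting).
        if edit_distance(folded, brand) <= max_edits:
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    for sample in ["https://www.bigshop.com/sale", "http://bigsh0p.com/sale", "https://news.example.org"]:
        print(sample, classify(sample))
```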

Photo (phone): IZVESTIA/Dmitry Korotaev

Additionally, accounts can be protected with two-factor authentication, daily transaction limits, and keeping as little personal data as possible in the public domain.

— The main recommendation is to take a short pause before any action. It gives you time to notice inconsistencies and avoid the trap, said Sargis Shmavonian.

Modern phishing has moved from mass mailings to targeted attacks, he warned. Attackers use hyperpersonalization techniques: they analyze data from social networks and leaked databases to build the most plausible scenarios.

— For example, they may send an email mentioning a recent order, or call with an offer of a product that you have long dreamed of, said the expert.

BI.ZONE experts added that fraud causes significant damage not only to private clients, but also to companies whose brands the attackers use in their schemes. This leads to reputational risks, reduced trust and, as a result, loss of customers.

Photo (briefcase): IZVESTIA/Eduard Kornienko

To protect a store from cyber attacks, Solar Group recommends carrying out load testing in advance, making sure the site is resistant to DDoS, filtering bot traffic, enabling round-the-clock monitoring and incident response, and testing payment systems ahead of time.

Translated by the Yandex Translate service