Researchers have found a system called Matrix Push C2 as one of the main platforms being used in these scams. Flare's research shows that 44% of the attackers are using combo kits, meaning they don't just focus on one brand but can flip between Amazon, Walmart, etc. With some of the major players being FlowerStorm and Mamba2FA, these groups have been seen using specialized kits that not only hijack your browser alerts but also intercept MFA, allowing them to log in as you. Once successful, they sell the "stealer logs" on dark web markets like "Russian Market" and STYX. According to the FBI's IC3 report, $262 million has been lost just to account takeover. Phishing attempts mimicking major retailers were up 620% leading into Black Friday, and Darktrace reported that 80% of the phishing was related to Amazon in November alone.
Let's talk about WHY this works so well.
1. They are hijacking actual alerts, so it looks and feels real and what we have come to expect.
2. They use scarcity at a time when tensions are already high (the holidays) and when an account shutdown would be costly to the target.
3. We don't see the "Dear User" anymore; there have been over 149 million compromised credentials, and they are using personalized emails, making it seem more legitimate.
4. Unlike the good guys, the threat actors work together and share data. If one group finds that a subject like "Order Delayed" works, they share that and instantly it gets used by other attacks.
So what can we suggest? When I give speeches or write on this topic, I give a few key pointers:
1. No longer is "Don't click random links" sound advice; now it is TRUST NOTHING till you verify. The logical question is HOW?
2. Verifying means: if I get an email telling me my Amazon order is delayed, I do not click that, I go to my browser and go to www.amazon.com and log in and check my orders from the website I KNOW to be legit.
3. MFA that uses SMS makes you vulnerable to those kits that can intercept; move to Passkeys or hardware keys like Yubi.
4. Go to your browser settings and clear out any site that has permission to send you "Push Notifications"; this is the backdoor for the Matrix Push platform.
Let me know if more information is needed.
https://www.ic3.gov/PSA/2025/PSA251125
https://www.darktrace.com/blog/2025-cyber-threat-landscape-darktraces-mid-year-review#:~:text=The%20rise%20of%20phishing%20kits,fall%2C%20enabling%20new%20threat%20actors.
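An added example, not part of the answer above, of auditing which sites hold the notification permission that point 4 says to clear. It assumes a Chromium-based browser whose profile Preferences file keeps these grants under profile.content_settings.exceptions.notifications, with setting 1 meaning allow and last_modified counted in microseconds since 1601; the sample data, host names and helper names are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chromium content-setting values (assumption stated in the lead-in).
ALLOW, BLOCK = 1, 2
# Chromium timestamps count microseconds from 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed stand-in for the relevant part of a profile's Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*":
            {"last_modified": "13390000000000000", "setting": ALLOW},
        "https://order-status.example.net:443,*":
            {"last_modified": "13408300000000000", "setting": ALLOW},
        "https://news.example.org:443,*":
            {"last_modified": "13380000000000000", "setting": BLOCK},
    }}}}
})


def notification_grants(prefs_text):
    """Return sites allowed to send push notifications, newest grant first."""
    prefs = json.loads(prefs_text)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    grants = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") != ALLOW:
            continue  # blocked or default entries cannot push alerts
        # Keys look like "https://host:443,*"; keep the primary pattern only.
        primary = pattern.split(",", 1)[0]
        host = urlsplit(primary).hostname or primary
        granted = WEBKIT_EPOCH + timedelta(
            microseconds=int(entry.get("last_modified", 0)))
        grants.append({"host": host, "granted": granted})
    return sorted(grants, key=lambda g: g["granted"], reverse=True)


def unexpected_grants(prefs_text, expected_hosts):
    """Grants for hosts the user does not recognise as wanted senders."""
    return [g for g in notification_grants(prefs_text)
            if g["host"] not in expected_hosts]


if __name__ == "__main__":
    for grant in unexpected_grants(SAMPLE_PREFERENCES, {"mail.example.com"}):
        print(f"review and remove: {grant['host']} "
              f"(allowed since {grant['granted']:%Y-%m-%d})")
```

Pointing notification_grants at the text of a real profile's Preferences file gives the same list the browser's notification settings page shows, which is where the grants are actually revoked.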
The Black Friday and Christmas shopping seasons of 2025-2026 saw an increase in impersonation scams targeting retailers. This rise in impersonation scams was not driven by one person but rather by the development of phishing as a service (PhaaS). These phishing campaigns tend to be reusable, and therefore the same playbooks are being used and adapted at multiple retailers such as Amazon, Walmart, Target, eBay, and Shopify. What makes this wave of scams so unique is that they all have a high level of consistency across the different brands of retailers. Many of the scams rely on the "accounts suspended or deleted" tactic to create a sense of urgency and fear of losing your account, which bypasses the use of multi-factor authentication (MFA) and the general awareness around security. Even highly secured users will panic when they fear losing their main retail account during these busy retail windows. From a technical and operational perspective, the churn and fragmentation of the support and security teams at these retailers contribute to the timing of attack campaigns. Because the detection signals (spikes in the volume of phishing efforts as well as spikes in the number of accounts being compromised) are often coming from various systems and being reported at different times, attackers have a greater window of opportunity to use these techniques because of the delays in correlating the various signals. When personalized phishing campaigns are conducted at this scale, the information used to simulate real retailers typically comes from previously compromised data, credential stuffing lists, and open source intelligence (OSINT), instead of real-time data being used at each retailer. Once a template has been created for a particular type of message, the PhaaS platform allows for the duplication and use of that template for multiple retailers in a very short period of time.
In order to best combat future impersonation scams, retail organizations should share intelligence rather than operate separately. Quickly exchanging intelligence between various businesses would help identify and stop these campaigns quicker.
The rise in retail impersonation scams from Black Friday 2025 to early 2026 was not because one retailer had a problem. It was a phishing grind, and it was industry-wide, exploiting the hype of the holidays. Phishing as a service is what most of these scams are, selling kits that can be customized for different companies. The same kits, templates, infrastructure, and scripts are used for Amazon one week, then Walmart or Target the next, which is why the same companies were seeing the same spikes during the holiday rush. They're successful because they're driven by common data sets. Scammers combine old breach data, open-source intelligence, and credential lists to tailor their messages to fit their targets. The account suspension or deletion scam works because it evades logic checks and creates a sense of urgency. Even with MFA and in-app warnings, users will act quickly when they think they're about to lose access to their purchases, gift cards, or stored value. Retailers tend to notice when there is a spike because of the number of daily phishing messages and account takeover attempts that occur at the same time, leading to mass warnings such as the one Amazon sent out late last November. App direct login and report a scam options can help, but the effectiveness of these varies in how quickly they're able to get the word out to their users. The solution to this isn't necessarily making the filters better, but making sure that everyone has access to the same intelligence, taking down Phishing as a Service marketplaces, and making sure users understand that no legitimate retailer will solve their account problems via a link or text message. In the world of fraud, it's not about being perfect; it's about coordination.
Look, the reason the account deletion trick works so well is simple: it hits people right in their digital identity. You've got your credit cards, your order history, and your personal data all tied up in there. When someone gets a text saying their Amazon or eBay account is about to be nuked, they don't think about security protocols. They just panic. They shift from a normal security mindset straight into crisis mode. In my experience managing these customer journeys, I've seen it over and over--the more essential a platform is to your daily life, the more likely you are to ignore official warnings just to fix the perceived threat immediately. The surge we saw was really about the sheer volume. Research from Darktrace showed that phishing attempts mimicking US retailers jumped 201% in the week before Thanksgiving 2025 compared to the month before. And get this--Amazon was the target for 80% of those attacks. On top of that, we saw bot-driven login attempts skyrocket by 32 times on Black Friday. That's why Amazon sent out that alert on November 24th. It was a direct response to a massive wave of fake delivery notices and account-issue playbooks that were absolutely flooding people's inboxes. Long term, we have to move toward what I call zero-trust communication. That means no critical account actions should ever start with an email or an SMS. Retailers need to move everything sensitive into authenticated, in-app notification centers. We have to train consumers that if a message isn't waiting for them inside the official app, it isn't real. It's that simple. I also think we need to integrate AI-driven sentiment analysis into customer support. That way, an agent can tell in real-time if a caller is being coached by a scammer. It provides a human-in-the-loop safety net that automated systems usually miss.
I work closely with retailers during high-risk shopping seasons. In late November 2025, we flagged a surge of account suspension scams hitting ecommerce clients within hours of Black Friday traffic peaks. At Advanced Professional Accounting Services, we mapped the attacks to shared phishing templates reused across Amazon and Walmart look-alike emails. One client avoided deeper loss after we forced app-only logins and cut ATO success from four percent to under one percent in two days. FTC loss data later confirmed similar patterns industry-wide. These scams win because urgency breaks normal habits and overwhelms MFA. The takeaway is that layered warnings and fast reporting flows save real money even when users slip; it works.
This Wasn't Random—It Was Industrialized
The Black Friday phishing surge wasn't one hacker getting lucky. It was phishing-as-a-service—basically scam kits sold to anyone with $50 and bad intentions. Here's how it works: these kits let scammers swap logos, language, and links in minutes. Amazon today, Walmart tomorrow, Target by lunch. The infrastructure stays identical—only the branding changes. It's franchised crime. What made this wave hit harder than usual was the lure they picked: "account deletion" instead of "suspicious login." That's genius, honestly. People will ignore a security alert, but threaten to delete their account with saved payment info and gift card balances? Instant panic click. At Gotham Artists, we saw this play out with our own team. Smart people who'd never fall for a "Nigerian prince" email nearly got hooked because the message triggered fear of losing access, not losing money—at least not obviously. This wasn't a tech failure. It was a psychological one, scaled to millions. The defense? Slow down when you feel rushed. Scammers industrialized urgency. You have to industrialize pause.
Recent phishing scams threatening account deletion present a concerning shift from traditional discount-based lures. While our industry faces these sophisticated threats, we've implemented a multi-layered defense strategy centered on customer education through our Learning Center. This approach goes beyond standard security advice to include specialized content about recognizing HVAC-related scams and verifying legitimate communications. Our technical team actively monitors suspicious patterns, particularly during high-volume sales periods. We've enhanced account security with streamlined verification processes and expanded our customer support hours during peak seasons to provide immediate assistance for suspicious communications. Rather than relying solely on reactive measures, we're fostering an industry coalition to share threat intelligence across the home improvement sector, creating a united front against these evolving tactics that exploit consumer trust in established brands.
Who is responsible for the surge in online retail impersonation scams targeting Amazon, Walmart, Target, eBay, Shopify merchants, and others during Black Friday 2025 to early 2026?
The surge is driven by organized groups using phishing-as-a-service platforms sold on dark web markets, enabling large-scale impersonation with minimal skill.
Which specific threat actors or phishing-as-a-service (PhaaS) groups coordinated the cross-brand campaigns?
Phishing-as-a-service groups on underground markets coordinated these campaigns, using shared infrastructure to target Amazon, Walmart, Target, eBay, & Shopify merchants.
What are some precise numbers on the financial losses from account takeover attacks (ATOs) tied to impersonation scams at major retailers (Amazon, Walmart, Target, eBay) in Q4 2025, from retailers' internal reporting, FTC/FBI data, and other sources?
FTC data & retailer reports show Amazon lost over $15 million to account takeovers in Q4 2025, with Walmart & Target seeing a 10 to 15% rise in fraud attempts.
When did each major retailer (Amazon, Walmart, Target, etc.) first detect their phishing spikes this past Black Friday season, leading to mass customer warnings?
Phishing spikes were first detected between November 24 & November 28, aligning with peak Black Friday activity.
What metrics (daily phishing volume, ATO success rates) triggered coordinated alerts like Amazon's November 24 email?
Coordinated alerts followed spikes in phishing volume & account takeovers, with Amazon seeing phishing-driven login success rates above 20% for high-value accounts.
Where do these cross-retailer scams originate, such as specific countries and dark web markets selling universal phishing kits?
These campaigns are often linked to Eastern Europe & Southeast Asia, where phishing-as-a-service groups & underground markets sell multi-brand phishing kits.
How do scammers source personalized data (breaches, OSINT, shared combo lists) for multi-brand attacks?
Attackers use data from past breaches, open-source intelligence, public records, & credential lists to craft targeted impersonation messages.
Why do account suspension/deletion lures succeed across retailers despite similar defenses (MFA, official app warnings)?
These lures work by creating urgency & fear, causing users to act quickly despite safeguards like multi-factor authentication & official app warnings.
When you ask who's behind the surge in "your account will be suspended or deleted" retail impersonation scams from Black Friday 2025 into early 2026, what I'm seeing is less about one retailer slipping up and more about scalable phishing-as-a-service playbooks getting copy-pasted across brands. Around the holiday rush, my team and I started spotting urgent "account action required" messages aimed at our purchasing and shipping workflows—designed to trigger panic-clicking when people are busy. Security researchers reported a major holiday spike in retailer look-alike phishing (including a 620% jump in the run-up to Black Friday, and Amazon showing up as the most mimicked brand in some analyses), which matches what it felt like on the ground: more volume, better polish, and the same tricks dressed up with different logos. From a small-business owner's seat, the most consistent "fuel" for these scams is stolen or scraped personal data plus credential reuse—attackers don't need to hack a retailer if they can trick a customer into handing over a login or MFA code. The deletion/suspension lure works because it hijacks urgency and authority, and it still gets through even when MFA exists because the scam's goal is to socially engineer the user into defeating the protections themselves. My practical advice is simple and repeatable: never use the link in an account-warning message; instead, open the retailer app or type the site URL you already trust, and confirm alerts there; if a message pressures you with a countdown, treat that as the red flag; and lock down passwords with a manager plus unique logins everywhere. When you want numbers to frame the impact, I'd point reporters to government reporting like the FBI's account-takeover warnings and complaint/loss figures as a baseline, because that's where the "how big is this really" story starts.
What we saw during Black Friday wasn't some genius new scam, it was a boring idea executed at massive scale. The "your account will be suspended or deleted" message works because it hijacks panic during the noisiest shopping window of the year, when people are already expecting problems. Most of these campaigns aren't run by one group, they're powered by phishing-as-a-service kits that get reskinned and blasted across Amazon, Walmart, Target, and Shopify stores in days. The reason they keep working is habit: consumers are trained to react fast to retail alerts and scammers copy the exact tone, timing, and language people expect. On the defense side, the retailers doing best are the ones forcing all real alerts into in-app message centers and making "log in through the app" the default safe path. Long term, passkeys, phishing-resistant MFA, and faster cross-retailer intel sharing are the only things that actually slow this stuff down.
I run Japantastic. Last holiday season, customers started forwarding us these crazy emails saying their account was locked unless they clicked a link. After some back and forth, we decided to only send notifications through our app and started posting more warnings about scams. It worked. My advice? Keep warning your customers. These scammers are always trying new tricks, you can't let your guard down.
We started getting calls from customers panicked about fake account suspension emails. It was awful. So we made two-factor authentication mandatory and started messaging people directly about what to watch for. The calls stopped almost immediately. Honestly, just communicate directly and make reporting scams incredibly easy. Give people a clear button to flag suspicious stuff right away.
Last quarter we got flooded with scam emails pretending to be our team, especially around Black Friday. It made it hard to spot the real customer issues. We put a warning banner on the site and emailed everyone what to look out for. It worked. People started contacting us to check suspicious links instead of clicking them. My advice for other retailers is to make your report button easy to find and keep reminding customers you'll never ask for passwords or credit cards in an email.
President & CEO at Performance One Data Solutions (Division of Ross Group Inc)
Answered 3 months ago
Running a SaaS company, I've noticed phishing goes crazy during events like Black Friday. They target everyone, including our business. After a bunch of strange login attempts last year, we made everyone use stronger multi-factor auth and hold regular security trainings. Honestly, what moved the needle was getting alerts out fast and just talking to our users straight up. You have to keep watching and updating how you handle security, the bad guys are always changing their game.
The spike in fake "account suspension" and "account deletion" messages targeting Amazon, Walmart, Target, eBay, and other retailers from Black Friday 2025 into early 2026 was driven mainly by organized phishing-as-a-service (PhaaS) operations, not failures by individual retailers. These criminal services sell ready-made scam kits that let anyone launch convincing fake retail messages within minutes. Security researchers have tied major PhaaS platforms such as Lighthouse and Lucid to tens of thousands of phishing domains targeting hundreds of global brands. The timing matters. Security firm Darktrace reported a 620% increase in Black Friday-themed phishing in the weeks leading up to the holiday. During this same period, Amazon sent a large-scale warning email on November 24, 2025, alerting customers about impersonation scams claiming their accounts were at risk. Retailers rarely publish exact dollar losses tied only to these scams. The best public benchmark comes from the FBI's Internet Crime Complaint Center, which reported more than 5,100 account-takeover complaints and over $262 million in losses during 2025 across industries. Retail shopping accounts represent a meaningful portion of that total. Scammers personalize messages using email addresses and passwords from old data breaches, leaked marketing lists, public social media profiles, and details harvested from previous scams. Once someone responds to a phishing message, their information is often reused to target them with additional fake alerts from other brands. "Account suspended" messages work because they create panic. During busy shopping periods, people expect order and account emails. Even users with two-factor authentication can be tricked by real-time phishing pages that capture login codes and immediately pass them to criminals. Retailers use similar consumer protections: in-app notifications, security warning pages, and scam reporting tools. 
Shopify, for example, tells users to forward suspicious messages to safety@shopify.com. Amazon, Walmart, Target, and eBay all advise customers to access accounts. The most effective consumer defense is simple: never click links in retail emails or texts. Open the retailer's official app or type the website address yourself. If there is a real problem, it will appear after you sign in. Enable strong unique passwords, turn on two-factor authentication, and report suspicious messages. These steps stop most retail account takeover attempts.
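Why a relayed login code still verifies while a passkey assertion does not, as an added example that is not part of the answer above: a TOTP check (RFC 6238) sees only the digits, whereas a WebAuthn relying party also checks the origin the browser recorded in clientDataJSON. The origins, secret and challenge are constructed, browser_client_data is a hypothetical stand-in for the browser, and the signature check over the assertion is left out.

```python
import base64
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://shop.example"               # constructed retailer origin
LOOKALIKE_ORIGIN = "https://shop-account.example"  # constructed look-alike page
SECRET = b"constructed-totp-secret"                # constructed shared secret
CHALLENGE = b"constructed-server-challenge"        # constructed login challenge


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA-1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted, unix_time):
    """The server sees only the digits; nothing ties them to the page
    where the user typed them, so a forwarded code passes."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge, page_origin):
    """Stand-in for the browser: it, not the page, writes the origin of the
    page that asked for the assertion into clientDataJSON."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def verify_client_data(client_data_json, expected_challenge, expected_origin):
    """Relying-party checks on clientDataJSON: type, challenge, origin.
    (A full verification also checks the signature, which covers a hash of
    this JSON, so the origin cannot be rewritten in transit.)"""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(data.get("challenge", "")),
                               b64url(expected_challenge)):
        return False
    return data.get("origin") == expected_origin


if __name__ == "__main__":
    now = 1_764_000_000  # constructed timestamp
    code = totp(SECRET, now)  # the same digits wherever they are entered
    print("forwarded TOTP code accepted:", verify_totp(SECRET, code, now))
    for origin in (REAL_ORIGIN, LOOKALIKE_ORIGIN):
        ok = verify_client_data(browser_client_data(CHALLENGE, origin),
                                CHALLENGE, REAL_ORIGIN)
        print(f"assertion made on {origin} accepted:", ok)
```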
Dealing with the surge in online retail phishing scams during Black Friday 2025 to early 2026, it's clear that these attacks are more sophisticated than ever. Scammers target consumers with threats of account deletion or suspension, creating panic and confusion. As a business owner, I see how these tactics can mimic real customer service interactions. Companies like Amazon, Target, and Walmart are especially vulnerable, even with safeguards like MFA. The phishing-as-a-service model has made it easier for these groups to coordinate across platforms, sharing the same playbook. Despite strong protection measures, scams still succeed because the fraudsters prey on fear and urgency. To combat this, retailers must invest in better consumer education and improve reporting channels. Quick action can reduce the impact, but it's crucial that we continue refining our strategies to stay ahead.
From Black Friday 2025 through early 2026, I've watched the same "your account will be suspended or deleted" hook spill over from big retailers like Amazon into the small-business world, and that's why this surge in retail impersonation phishing matters. I run a plumbing company, not an online marketplace, but scammers still spoof familiar brands—and they'll spoof local businesses too—because the playbook is cheap, fast, and scalable with phishing kits and recycled credential lists. During that Black Friday window, Amazon itself warned customers about impersonation scams, and cybersecurity tracking showed holiday-themed retailer phishing jumping sharply in the run-up to the weekend. A real example: a long-time customer forwarded me an "urgent verification" email that looked like it came from a vendor portal we use for scheduling—same colors, same tone, and a scary deadline—pushing them to click a link "to avoid account closure." The giveaway was the sender domain and the link destination: close enough to feel legit at a glance, but wrong when you slow down and read it. My practical advice is boring but works: never click account-warning links from emails/texts, go to the retailer's app or type the site yourself, turn on MFA (and never share the code), use unique passwords (a manager helps), and report the message inside the platform instead of replying. The reason these deletion lures keep succeeding is simple—people are busy, the message creates panic, and the brand trust does the rest—so the defense has to be routine and automatic, not based on gut feel.
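The sender-domain and link-destination check described in the answer above, as an added example that is not the author's own code. The trusted-domain list, the confusable-character table, the one-edit threshold and the sample message are assumptions constructed for illustration, and the heuristic does not use the Public Suffix List.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Illustrative allowlist for retailers named on this page.
TRUSTED_DOMAINS = {"amazon.com", "walmart.com", "target.com",
                   "ebay.com", "shopify.com"}
BRANDS = sorted(d.split(".")[0] for d in TRUSTED_DOMAINS)
# Character sequences that read like another letter at a glance.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message.
SAMPLE_FROM = "Account Services <support@arnazon.example>"
SAMPLE_BODY = ("Urgent verification: confirm your details at "
               "https://amazon.com.verify-account.example/restore "
               "to avoid account closure. Logo: https://cdn.example.org/l.png")


def skeleton(token):
    """Fold look-alike character sequences to the letter they imitate."""
    for fake, real in CONFUSABLES:
        token = token.replace(fake, real)
    return token


def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """'trusted' if host is an allowlisted domain or a subdomain of one,
    'lookalike' if a brand name (or a near miss) appears anywhere else."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    tokens = [skeleton(t) for t in re.split(r"[.-]", host) if len(t) >= 4]
    for brand in BRANDS:
        if any(brand in t or edit_distance(t, brand) <= 1 for t in tokens):
            return "lookalike"
    return "unknown"


def review_message(from_header, body):
    """Classify the From domain and every link destination in the body."""
    sender_host = parseaddr(from_header)[1].rpartition("@")[2]
    links = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        links.append((host, classify_host(host)))
    sender = (sender_host, classify_host(sender_host))
    suspicious = any(verdict == "lookalike" for _, verdict in [sender, *links])
    return {"sender": sender, "links": links, "suspicious": suspicious}


if __name__ == "__main__":
    print(review_message(SAMPLE_FROM, SAMPLE_BODY))
```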
Black Friday 2025 broke records. Not in sales. In scams. Phishing attacks surged 692% during Black Friday week. Brand impersonation jumped 2,000% during peak shopping. Most consumers never saw it coming. Here's how scammers target online shoppers — and what retailers must do.
1. The Numbers Are Staggering
Kaspersky identified 7 million phishing attacks targeting online stores and payment systems in 2025. Verizon counted 837 retail cyber incidents with 419 confirmed breaches. 80% of retailers experienced cyberattacks in the past year. The average data breach now costs $4.44 million globally. In the U.S., $10.22 million.
2. Brand Impersonation at Scale
Scammers copy trusted brands. They impersonated Apple, eBay, Netflix, Walmart, Target, and Best Buy with emails that look identical to the real thing. AI makes these fakes nearly perfect — grammar, logos, formatting, all flawless. Over 120,000 fraudulent retail apps appeared in 2025. 65% impersonated legitimate brands. In October alone, 158 new Black Friday-themed domains appeared. One in 11 was classified as malicious.
3. Phishing-as-a-Service: Crime Made Easy
You no longer need technical skills to phish. PhaaS kits grew 21% in 2025. They offer ready-made templates, hosting, and dashboards. A teenager with a credit card can launch a professional phishing operation in hours.
4. Post-Purchase Fraud
The smartest scammers strike after you buy. Fake delivery updates. Failed shipment alerts. "Pay an additional fee" messages. These hit when shoppers expect retailer emails. Trust is high. Guard is down. Attackers harvest data from earlier breaches. They use stolen emails, names, and order histories for hyper-personalized messages. 53% of breaches involved personal data — not payment cards.
5. What Retailers Must Do
Deploy phishing-resistant MFA — hardware keys, not SMS codes. Layer email security with spam filtering, link scanning, and attachment sandboxing. Lock down third-party access — 30% of 2025 breaches came through vendors. Train employees continuously, especially seasonal workers. Monitor domains aggressively. The scammers have industrialized. Retailers must match that scale — with defenses that are just as systematic, just as relentless, and far more intelligent.