Gretel Egan | November 15, 2017

Holiday Shopping Tips: Examples of Phishing Emails and Ads

Last updated: September 10, 2018

Examples-of-Holiday-Shopping-Scams.jpgHoliday shopping mania seems to kick off earlier and earlier each year, with Black Friday and Cyber Monday previews and preseason deals popping up in inboxes and social feeds weeks in advance. And it doesn't just happen in the US, despite the fact that these shopping "holidays" are triggered by Thanksgiving. Aggressive sales by legitimate retailers on both sides of the pond present a golden opportunity for cybercriminals — an environment in which online shoppers are seeking (and expecting) better-than-average deals.

As such, it’s perhaps more important than ever for consumers to brush up on online shopping tips and cybersecurity best practices. But it’s also helpful for online shoppers to see what phishing attacks, social media scams, and other tricks and traps look like in practice. It’s similar to the idea of “putting a face to a name”; visual cues can lead to a stronger connection and, in the case of security awareness, give users a better sense of how to put best practices into action.

Following are some real-world examples of fraudulent emails and social posts that are designed to trick unsuspecting consumers. Though the attacks you come across may be different in some ways, many con artists use common techniques to fool online shoppers into being careless with their personal information and their financial data.

Examples: Amazon Phishing Emails

Unfortunately for large retailers like Amazon, their size and reach make their brands the perfect vehicles for social engineers. Because consumers frequently get emails from a company like Amazon, they can mistakenly assume that any email that looks like it’s from Amazon is legitimate.

Here is an example of an email that played on a customer’s fear that he had been locked out of his Amazon account. Judging by the structure of the email — and the fact that the From address is clearly not a legitimate Amazon address — the ultimate goal of this message was to steal this user’s login credentials:


Source: Better Business Bureau

Following is an example of a widespread phishing attack that happened after last summer’s Prime Day shopping event. Instead of using fear, the social engineers made recipients an offer that many couldn’t refuse: free money.



That said, phishing isn’t just linked to big businesses. During the holidays and all year round, it’s important to carefully read and consider any email that asks you to click a link, download a file, or confirm login credentials or payment information.


Find more holiday shopping tips that can help you avoid phishing emails, phony charities, delivery fraud, and other scams.

Security Spotlight: Avoiding Holiday Shopping Scams


Examples: Phony Shipping Notifications

Phishing emails that fraudulently represent home and commercial shipping services aren’t anything new — but that doesn’t mean they aren’t still successful. These types of attacks are perennial favorites for attackers, and they become more frequent during the holidays. We again see social engineers tapping into fear; after all, nobody wants there to be a problem with merchandise they’ve ordered or packages they’ve shipped.

Below is a phishing email that UPS shared on its website to help keep its customers informed of the kinds of fraudulent messages that are being reported by alert recipients. In addition to an invalid embedded link, the email address in the From field clearly shows that the message did not originate from



But as the example shared by FedEx below shows, phishing emails target senders and recipients alike. In these types of attacks, the content is paired with a malicious attachment that infects the user’s device when downloaded.

HolidayScams_FedEx.png Source: 

Examples: Fake Social Media Ads

In the survey that was the basis for our 2017 User Risk Report, we asked 2,000 working adults — 1,000 in the US and 1,000 in the UK — a range of questions about cybersecurity best practices, including those used on social media. One thing we found was that US adults tend to put too much trust in business pages on sites like Facebook and Twitter; in fact, 57% of these respondents said they believe that business pages are approved by the hosting social media application prior to being posted. 

Cybercriminals are certainly benefitting from this misplaced trust. I didn’t need to look any further than my own Facebook feed to find examples of scammers who are exploiting known brand names to trick users. In the first example, the ad seems to be affiliated with Amazon and promises NHL fan gear at incredible prices. However, on closer examination, the link shown at the bottom of the ad — — is not an Amazon link, nor is it the “official” NHL shop (a visit to and a click on that page’s “Shop” tab confirms that the legitimate link is Given these clues, it’s clear that making a purchase through this site is risky at best and downright dangerous at worst.


Following is another example of a common social media ploy: free money. Whether it comes in the form of a promised gift card or a voucher (like what we see below), users are tempted to roll the dice and take a chance. The problem is that they don’t realize how big of a chance they are taking.

In this version, which I saw shared by multiple people, the website listed at the bottom of the ad is again a telling clue. The graphic makes abundant use of the Macy’s logo and, at first glance, the weblink appears to confirm that affiliation. However, a closer look shows that the link doesn’t go to; instead, it goes to — which is unlikely to offer anything other than trouble to trusting consumers.



Stay Cyber Safe and Keep Your Holidays Jolly

As you can see from the examples we’ve shared, good decision-making is key to keeping your personal and financial information secure when shopping online. Don’t prioritize deals over your data and stay alert to holiday shopping scams. Be sure that the emails and ads you engage with this holiday season are on the nice list — and report those that are on the naughty list.


Subscribe to Our Blog

2018 State of the Phish Report  Protect your organization from phishing attacks. Download Now
2018 Beyond the Phish Report  Protect your organization from threats including and beyond phishing. Download Now