Amazon sent security warnings to all 300 million customers on 24 November 2025, alerting shoppers that cybercriminals were targeting accounts through fake delivery texts, phishing emails and phone scams.
Scammers were attempting to steal “sensitive information like personal or financial information, or Amazon account details” during the Black Friday shopping period, the company’s security division told customers.
Account takeover fraud cost victims more than £200 million in 2025, according to FBI data. The agency’s Internet Crime Complaint Center received over 5,100 reports between January and November, with most stolen funds transferred to cryptocurrency wallets where they became untraceable.
TransUnion tracked a 21% jump in digital account takeover between the first half of 2024 and the first half of 2025. The rate has climbed 141% since 2021.
According to threat intelligence released by Darktrace, Amazon accounts for 80% of all phishing attacks globally. With over 300 million active accounts worldwide, criminals targeting random email addresses and phone numbers likely hit actual Amazon customers more often than not.
Fake delivery notifications appeared repeatedly in November and December 2025 attacks. Text messages claimed parcels needed redelivery fees or address updates, creating panic designed to bypass normal caution.
Guardio’s fraud monitoring put US online shopping losses at £340 million during 2024. Between September and November 2025, the cybersecurity firm recorded a 3,000% increase in shopping-related SMS scams, with November reaching levels the firm had not documented previously.
“Black Friday is no longer just a shopping day,” Guardio researchers wrote. “It has become a hunting ground for cybercriminals armed with artificial intelligence.”
Artificial intelligence changed the scam landscape entirely. Perfect grammar became standard on phishing sites. Professional designs appeared convincing. The Anti-Phishing Working Group found 76% of phishing websites in 2025 used AI-generated content, making traditional warning signs like spelling errors increasingly rare.
Social media platforms distributed sophisticated fake storefronts to millions. Facebook, Instagram and TikTok advertisements directed shoppers to clone websites harvesting payment information during checkout.
Products looked authentic. Prices seemed reasonable. Design appeared professional. Bank accounts emptied before suspicions formed.
FortiGuard Labs documented over 18,000 domains registered between September and December 2025 containing terms like “Black Friday,” “Christmas Sale” and “Flash Deal.” At least 750 operated as criminal enterprises. Many used tiny spelling variations that holiday shoppers scrolling through dozens of tabs simply missed.
Criminals sent fake customer service messages through WhatsApp, Facebook Messenger and text.
Phone scammers used technology that made their numbers appear as legitimate Amazon support lines on caller ID displays. They built trust through professional conversations, then walked victims through steps that handed over computer or bank account access. The FBI documented schemes where scammers claimed victims’ account details had been used to purchase firearms, then transferred calls to fake police officers who extracted full account credentials.
Breaking into accounts often required just password reuse. Criminals took usernames and passwords leaked from old breaches at other websites, then systematically tried them across hundreds of platforms.
Phishing pages perfectly replicating Amazon’s real login interface captured credentials as people typed them. A criminal platform called Matrix Push C2 hijacked browser notification systems, sending fake alerts that appeared to originate from Amazon, Netflix, PayPal and other trusted brands, funnelling victims toward credential harvesting sites.
Criminals also exploited legitimate Amazon news. The retailer began processing refunds from an FTC settlement requiring payment of £1.2 billion to Prime subscribers enrolled between June 2019 and June 2025 without proper consent. Scammers sent convincing emails claiming recipients needed to verify details to receive settlement money. The emails were entirely fake.
Criminals moved quickly once inside accounts. They changed passwords. They updated email addresses. They transferred funds or completed fraudulent purchases. All within minutes.
Proofpoint research found 65% of accounts compromised in 2025 had multi-factor authentication enabled. Security measures failed when victims voluntarily provided authentication codes to scammers who had established trust through convincing impersonation.
Amazon told customers in the November warning to use only official channels for all account activities. The company said it would never phone requesting payment information, credit card numbers, gift card codes or bank transfers.
Amazon recommended in the November warning that customers enable two-step verification at amazon.co.uk/2SV. Passkeys offered stronger protection by using face recognition, fingerprints or device PINs instead of codes criminals could intercept, the company explained. Configuration was available at amazon.co.uk/passkey.
The retailer emphasised checking email sender addresses carefully, as suspicious domains mimicking official addresses remained common. For unexpected order confirmations, customers should log in directly through the app or by manually typing amazon.co.uk into browsers.
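The sender-address check described above can be automated on a mail gateway or in a triage script. The sketch below is an added illustration, not Amazon's own code: the allow-list is an assumption built from the two domains this article names, the function names are hypothetical, and the sample addresses are constructed.

```python
# Added example: sort a sender address into official / lookalike / other.
# OFFICIAL is an assumed allow-list built from the two domains the article names.
OFFICIAL = {"amazon.co.uk", "amazon.com"}
BRANDS = {d.split(".")[0] for d in OFFICIAL}   # {"amazon"}
DIGIT_SWAPS = str.maketrans("01", "ol")        # amaz0n -> amazon

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Domain after the last '@', tolerating a 'Name <user@host>' wrapper."""
    return address.rsplit("@", 1)[-1].strip(" >").rstrip(".").lower()

def classify(address):
    domain = sender_domain(address)
    # Official only on an exact match or a true subdomain, compared from the right.
    if any(domain == d or domain.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Otherwise look for the brand name, or a near miss of it, in any label.
    for label in domain.split("."):
        label = label.translate(DIGIT_SWAPS)
        for brand in BRANDS:
            if brand in label or edit_distance(label, brand) <= 1:
                return "lookalike"
    return "other"

# Constructed sample addresses (reserved .example names, not real senders).
SAMPLES = [
    '"Amazon" <order-update@amazon.co.uk>',
    "delivery@amaz0n.example",
    "support@amazon.co.uk.parcel-fee.example",
    "help@amzon.example",
    "newsletter@shop.example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

A "lookalike" result is a reason to quarantine or warn, not proof of fraud, and the check says nothing about whether an address on an official domain was itself spoofed.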
Anne Cutler, cybersecurity evangelist at Keeper Security, warned shoppers faced “convincingly forged order confirmations, spoofed retailer sites and even AI-generated customer service messages designed to steal login details or payment information.”
Anyone who shared payment details with suspected scammers should contact banks immediately and freeze cards and accounts, Amazon advised. For compromised accounts, passwords needed changing instantly alongside enabling two-step verification. The company asked customers to report incidents at amazon.com/ReportAScam and file complaints with the FBI’s Internet Crime Complaint Center at ic3.gov.
US authorities seized a domain and database in December 2025 that criminals had used for bank account takeover operations. The group purchased fake advertisements on Google and Bing directing users to malicious sites. Thousands of stolen login credentials filled the seized database.
Research from Seon showed fraudulent transactions ran five times higher on Black Friday than in October 2025, with Cyber Monday seeing roughly four times the normal rate. Amazon shut down more than 55,000 phishing websites and 12,000 phone numbers during 2024.
Over 19,000 domains mimicking major retail brands appeared between September and December 2025. FortiGuard Labs researchers confirmed 2,900 as malicious operations running convincing storefronts complete with professional photography and competitive pricing.
The £200 million stolen through account takeover fraud in 2025 came from shoppers who clicked links in fake delivery texts, entered credentials on phishing sites, or trusted callers claiming to represent customer service. Amazon’s 24 November warning aimed to reach every customer before Christmas shopping peaked, but the scale of organised criminal operations targeting the platform continued growing through December.

