Critical Security Alert: Millions Of Amazon Customers Now At Risk

November 30, 2025

Updated November 30 with a new warning, from Barracuda security experts, regarding yet another dangerous threat facing Amazon and other shoppers.

Hot on the heels of Amazon sending out security advisory emails to users as it warned of brand impersonators ahead of the seasonal sales rush, there’s more bad news for the 310 million users of the world’s best-known online retailer. It’s one thing hackers posing as the Feds, but impersonating Amazon during the biggest shopping extravaganza of the year, the extended Black Friday sales, is beyond the pale. Yet here we are, with one major security outfit revealing that 80% of all phishing attacks targeting consumer brands were found to be mimicking Amazon. Here’s what you need to know and do.

Amazon Is The Most Mimicked Brand, Black Friday Shoppers Warned

If you needed any more of a warning that Amazon is being targeted hard by scammers, fraudsters and hackers beyond the aforementioned email, then the newly published Darktrace report is surely it.

Based upon an anonymized analysis of emails, Darktrace revealed it had observed a 620% spike in the number of phishing attacks targeting Black Friday sales shoppers during November. “Amazon was the top target for brand impersonation in November,” the report confirmed, “accounting for 80% of all phishing attacks involving major global brands tracked by Darktrace, far more than Apple, Netflix, or PayPal.”

This should hardly come as any great surprise, of course, as a user base of hundreds of millions of users, combined with the allure of Black Friday, makes the Amazon brand a prime target for attackers of all kinds.

As Amazon itself stated in the November 24 email alert, these attackers target users in an attempt to obtain “access to sensitive information like personal or financial information, or Amazon account details.”

“The holiday inbox is a major hunting ground for scammers,” Nathaniel Jones, vice president of Security and AI Strategy at Darktrace, said, “attackers know people are expecting shipping updates, discount codes and last-minute deals from the retailers they love, so a fake email doesn’t have to work very hard to look believable.”

AI At The Forefront Of Amazon And Other Brand Impersonation Attacks

Yaz Bekkar, the principal consulting architect of extended detection and response at Barracuda, warned that attackers can “stand up convincing fake sites in minutes, slip phishing links into promo emails and ask for logins or card details.” The reason that they can do this so quickly and so convincingly? Yep, you’ve probably guessed it, AI. “This year, the attackers have a new tool, AI,” Bekkar warned, “they’re using it to move faster and look more legitimate than ever.” Indeed, with these brand-impersonating websites now being so easy to generate at scale, and pixel-perfect ones at that, it’s no wonder that retailers such as Amazon and other online brands are taking it so seriously, as should you. “Phishing emails can be hyper-personalised from your own data trail of breached passwords, social media,” Bekkar continued, “and even fronted by synthetic voices, faces or deepfakes that sound ‘just like’ your bank, your parcel courier or your favourite retailer.”

Unfortunately, Bekkar reckons it’s going to get worse. Much worse. “But now comes the really worrying phase: agentic AI.” Once attackers can easily tap into systems that plan, act and adapt on their own, phishing campaigns won’t just be automated – they’ll be self-adjusting, Bekkar warned. “Every time they hit friction, a blocked URL, a security warning, a user who hesitates, the system can simply ‘recalculate the route’ in real time,” Bekkar concluded, “new domain, new pretext, new sender, new channel. Rinse, repeat, refine. At machine speed.”

Amazon Urges Customers To Mitigate Brand Impersonation Attack Risk

I have approached Amazon for a statement, but in the meantime, the online retail giant previously advised that customers only use the official website or Amazon mobile app, set up two-factor authentication and use a passkey to help mitigate the risks from such brand impersonation attacks. You should also remember that Amazon will never ask you to make payments or to provide payment information over the phone, nor send emails asking customers to verify their account credentials.

 
