Black Friday brings bargains, rushed purchases, and millions of clicks, and that is precisely where scammers make their fortune. During this period the volume of online shopping skyrockets, and with it the number of fraud attempts and cyberattacks. To shop with peace of mind, it helps to recognize the most common scams and to know how to react if you encounter one.
It's not just deceptive ads on social media or emails with fake offers. There are cloned websites, SMS messages that simulate delivery problems, coupons that redirect to fraudulent pages, and even packages that arrive without having been ordered. The good news is that, with a few clear guidelines and a little critical thinking, you can protect yourself against most of these tricks.
Why are these dates fertile ground for fraud?
Black Friday concentrates the highest number of online purchases of the year and an enormous amount of spending worldwide. We are talking about hundreds of billions in transactions, with an average spend per buyer of around $450. A large share of the purchases are made entirely online, and the same star products recur every year: technology, fashion and training, where the appeal of the discount is irresistible.
This context is perfect for criminals. The rush, the urgency not to "miss the offer," and the flood of messages make you lower your guard. Recent reports put phishing among the preferred attack vectors at this time of year, with clear peaks on Black Friday, Cyber Monday, and Christmas. Scams are multiplying faster than e-commerce itself, and mass campaigns "perform" better when almost everyone is expecting emails about shipments, promotions, or payment problems.
Most common scams: how they operate and how they try to catch you
Fake websites and malware disguised as bargains
A classic tactic is to set up pages that mimic real stores, or to advertise supposedly incredible offers that get you to download files or click on malicious links. Behind them could be anything from keyloggers to Trojans, ransomware, or spyware. The idea is that you enter your data, download a "discount voucher," or try to log in to your account from the cloned website, so that your credentials can be stolen.
SMS or "order not delivered" messages
During Black Friday it's common to have a few pending shipments, and that is when they strike. You receive a text message or WhatsApp from a courier company or a well-known store notifying you of a problem or missing information. The link takes you to a fake page where you are asked to log in or pay a small fee. It's a common scam that impersonates well-known brands, and if you take the bait, you hand over your passwords and your card.
Fake coupons and discount codes
Another common lure: supposed vouchers with credit to spend on popular platforms. They arrive via social media, messaging apps, or websites of dubious origin and ask you to click a link or open a file. The result is usually a cloned website or a document containing malware designed to steal your information. If it sounds too good to be true, it probably is.
Brushing: the package you didn't order
This "silent method" consists of sending cheap items to real addresses without the recipient having requested them. These shipments are used to generate fake reviews or to give the appearance of commercial activity in online stores. The danger is not the product itself but what it implies: your name, address, and sometimes your phone number or email address are circulating in databases that have been leaked or purchased on dark markets, opening the door to subsequent impersonation or financial fraud.
Malvertising, SEO poisoning, and spear phishing
Malicious ads and poisoned SEO place dangerous pages among search results or banners. Spear phishing, on the other hand, targets specific individuals (for example, e-commerce employees) with highly credible messages to steal access or infiltrate corporate systems. During these campaigns, attackers combine social engineering with technical attacks to maximize impact.
How to check if a Black Friday offer is reliable?

The URL and the domain, under scrutiny
Examine the domain closely: does it exactly match the official one, or are there "suspicious" characters (like "Amaz0n")? Be wary of URL shorteners that hide the destination. Check that the website uses https and shows the padlock icon, and avoid strange domains or those with spelling mistakes. If you receive a link via email or social media, it's best to type the address into your browser yourself.
Origin matters (a lot)
Think about where you saw the offer: a dubious profile, a poorly written ad, or a page full of errors are bad signs. Always prioritize official channels and well-known websites; if you're unsure, don't buy. Just because it's Black Friday doesn't make everything you see on your screen legitimate.
Research the reputation and age of the site
Look for genuine reviews and independent ratings. If there's no trace of the store or only recently created reviews appear, that's a bad sign. Checking the domain creation date also helps: websites opened days ago are often temporary fronts for fraud campaigns.
Evaluate the product and avoid artificial urgency
Comparing prices between several stores protects you from impossible offers and tricks like inflated "previous prices". Be wary of excessive pop-ups, "only 2 units left" counters, and aggressive banners: these are typical techniques to force impulse purchases. Read the descriptions, check for quality photos, and look for reasonable stock levels.
Pay and browse safely: minimize risk
Rechargeable and virtual cards
If you can, use a secondary card that you top up with just enough for each purchase. Wallet-type options or single-use virtual cards (like those offered by digital banks) limit your exposure if something goes wrong. This simple habit nips many scares in the bud.
Avoid public Wi-Fi and consider using a VPN
Open networks in shopping centers, airports, or libraries are not the place to enter payment information. If you have no other option, use a reputable VPN to encrypt your connection and avoid logging into sensitive services. When you shop, it's best to do so from your home network or a reliable mobile connection.
Do not save cards in the browser
Saving payment details in the browser is convenient, but risky if a malicious extension or malware exfiltrates them. It is preferable to enter the data manually or to use the bank's gateway with strong authentication. A few extra seconds can save you a headache.
Reliable payment methods and gateways
Prioritize credit cards and well-known payment gateways (e.g., banks, PayPal, or Stripe), which usually offer better protection against fraud. Activate transaction alerts at your bank so you are notified instantly of any unusual charge. If you buy from an unknown store, never pay by bank transfer or cryptocurrency: you won't get a refund if there's a problem.
What to do if you've already clicked on a fraudulent link or website?
Speed is everything. Change the affected passwords immediately and, if you haven't already, enable two-factor authentication on your accounts. Review your transactions, request transaction alerts, and if you provided card details, ask for the card to be blocked or replaced. That is how you stop misuse.
Keep evidence: screenshots, senders, URLs, dates, and any other details. Contact your bank and the appropriate organizations: INCIBE, the National Police, the Civil Guard, or the complaints office of your community (for example, the ODAC of the Foral Police). The sooner you report it, the sooner the campaign can be stopped and more victims prevented.
10 quick tips that neutralize most scams
- Be wary of impossible bargains: if it seems too good to be true, it probably is.
- Investigate the store before you buy: reviews, real contact information, and track record.
- If the offer arrives via SMS, WhatsApp, email, or pop-up, don't click: go to the official website using your browser.
- Never accept "rewards" or download attachments from unknown senders: you're usually just one click away from malware.
- Prefer "https://" and a visible padlock; if there's no encryption, get out of there.
- Shop on trusted websites and, if possible, choose national ones: scams abound on opaque or offshore sites.
- Never share personal or banking information on public Wi-Fi networks; if it's urgent, use a VPN.
- Keep your device up to date: system, browser, and antivirus updated and active.
- Credit card is better than debit card: funds are more likely to be recovered in the event of fraud.
- If you suspect anything, report it and warn other users to break the chain.
Signs of impersonation and social engineering techniques
Emails and SMS messages that "copy" banks, big brands, or parcel companies work because these days you are used to seeing that kind of message. Beware of spelling mistakes, domains with unusual characters, and urgent wording ("payment failed", "account blocked", "last units"). If you see time pressure, or they ask for bank details by email or phone, it smells like fraud.
The trick is to verify through reliable sources: open your banking app, log into the e-commerce customer area yourself, or contact the company's official customer service. Never reply to the thread you received or use the number from the message itself. Take a detour and confirm through your trusted channel.
Typosquatting: a single character can put you in the lion's den
Typing the URL by hand is a good habit, except when you get a letter wrong. There are criminals who register domains almost identical to those of famous stores (for example, by changing or removing a letter) and clone the design. You log in, enter your credentials or payment information, and they have what they were looking for. Pay close attention to every character and save the correct URLs of your stores to your favorites.
Security policy for payments and phone calls
Never share card details over the phone if someone calls you "from the bank" or "from the store". Trusted companies will not ask you for codes, CVVs, or one-time passwords through that channel. If someone pressures you, hang up and call the official number yourself. On digital channels, be wary of forms that ask for too much information.
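The domain checks described in the URL-scrutiny section and in this typosquatting section, turned into a small screening routine. This is an added example, not code from the article; the store allowlist, the shortener list, and the brand names are constructed samples standing in for whatever stores you actually use.

```python
from urllib.parse import urlparse

# Constructed allowlist of the stores you actually use (assumption: keep it in
# step with the bookmarks the article tells you to save).
OFFICIAL_DOMAINS = ("amazon.com", "amazon.es", "paypal.com", "correos.es")
# Constructed sample of shortener hosts that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Digit/symbol swaps scammers use to imitate letters ("Amaz0n").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host (naive: multi-part TLDs like co.uk are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> list[str]:
    """Return warning strings; an empty list means an official store reached over https."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    warnings = [] if parsed.scheme == "https" else ["no https"]
    if host in SHORTENERS:
        return warnings + ["shortener hides the real destination"]
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return warnings
    # paypal.com.secure-login.net: the brand is only a subdomain of someone else's site.
    if any("." + d + "." in "." + host + "." for d in OFFICIAL_DOMAINS):
        return warnings + ["official domain appears only as a subdomain of another site"]
    normalised = domain.translate(HOMOGLYPHS)
    if normalised in OFFICIAL_DOMAINS:
        return warnings + ["character substitution imitating " + normalised]
    name = normalised.split(".")[0]
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        if brand in name or edit_distance(name, brand) <= 2:
            return warnings + ["possible typosquat of " + official]
    return warnings + ["domain is not on your trusted list"]
```

An empty result only means the link points at a store you already trust; anything else is a reason to type the address yourself instead of clicking.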
Secure shopping for businesses too: how to protect your e-commerce
Continuous security audits
Online stores should submit their website, APIs, and mobile apps to regular audits. Identifying and prioritizing vulnerabilities before an intensive campaign prevents a technical failure from turning into a costly incident. During peak sales periods, any gap hurts twice as much.
Vulnerability management and zero-day monitoring
It's not enough to check "before Black Friday" and then forget about it. Continuous management and monitoring of emerging vulnerabilities is key, especially when a public proof of concept for exploiting one of them appears. Prioritize those that affect checkout, authentication, and customer data.
Denial of service (DoS/DDoS) tests
DDoS attacks against e-commerce are a classic. Simulating controlled scenarios (a DoS test) lets you measure resilience, response times, and autoscaling capacity. Doing this before major campaigns helps optimize the infrastructure and minimize downtime.
Social engineering: simulations and awareness
Phishing also targets your team. Run simulated internal campaigns, measure the reaction, and provide ongoing training for your staff. Strong passwords, link verification, and a "think before you click" culture drastically reduce the risk. Supplement this with customer service notices explaining how you communicate and what you never ask for via email or SMS.
Cyber intelligence and brand protection
Monitor the network to detect fake stores impersonating your company, hijacked social media profiles, or cloned login pages. Cyber intelligence services help to stop impersonation, combat piracy, and protect your reputation. The faster you act, the fewer victims and the less damage.
More practical signs for buyers
Before paying, look for real contact information (address, phone number, corporate email). If it doesn't appear anywhere or is generic, be suspicious. No serious business hides its identity when it wants to get paid.
Also consider the website's consistency: well-written text, clear structure, a return policy, and familiar payment methods. If you only see bank transfers or cryptocurrencies, it's best to turn around. Add an extra layer with alerts from your bank and use 2FA on your shopping platforms.
What to do with unsolicited packages (brushing)?
If you receive a package you didn't order, don't scan QR codes, don't call the phone numbers on the package, and don't leave reviews or confirmations. Check your account on the supposed platform, verify addresses and payment methods, change your password, and activate 2FA if you detect anything suspicious. Keep the package in case it is needed for an investigation.
Keep an eye on your digital footprint and your device
Keep your system, browser, and apps up to date, and use a reliable antivirus. Use identity monitoring tools and avoid installing extensions or apps from outside official stores. The fewer doors you leave open, the fewer opportunities for the bad guys.
FAQs
What exactly is Black Friday?
It is a discount campaign that takes place on the fourth Friday of November, often extending to the preceding days and to Cyber Monday. Online activity multiplies, and with it the likelihood of fraud.
Are there really any good deals or is it all just smoke and mirrors?
There are some interesting offers, yes, but not all of them are what they seem. Compare prices, check historical data, and be wary of crossed-out prices and inflated "discounts". Even so, you can find real bargains in reliable stores.
I've fallen for a scam: what do I do now?
Change your passwords, activate 2FA, block or replace the card, and save the evidence. Contact your bank and the relevant authorities (INCIBE, the National Police, the Civil Guard, or the complaints office in your community). Speed is your best ally.
Additional notes that you shouldn't forget
Many websites monetize through affiliate programs and display lists of recommendations. The fact that they earn a commission doesn't make them suspicious, but always make sure they link to official domains and secure gateways. Transparency is key.
For those who want to dig deeper, there are topics that help you understand the ecosystem: VPNs and privacy, social engineering (phishing, vishing, smishing), ransomware, home cybersecurity and parental controls, investment fraud, network spoofing and Wi-Fi security, among others. The more you know about these pieces, the better you will be able to interpret the risks in high-consumption campaigns like this one.
Sticking to the essentials is simple: verify the website and domain, assess the origin of the offer, compare products, and pay with secure methods; browse trusted networks, don't save credit card information in your browser, keep your devices updated, and have official reporting channels readily available. With prevention, verification, and a healthy dose of skepticism, Black Friday will be a sea of great deals, not a minefield. Share this information so more people can shop safely online on Black Friday.