Prime Day Scams – How Attackers Exploit Trust and Urgency
Every Prime Day, fake delivery texts flood inboxes, exploiting shoppers’ urgency and trust. We explain how these scams work and what both consumers and security teams can do about them.
Every Prime Day, fake delivery texts flood inboxes, exploiting shoppers’ urgency and trust. We explain how these scams work and what both consumers and security teams can do about them.
Prime Day was created to celebrate deals. For attackers, it has become the perfect distraction.
A text arrives while you’re scrolling through checkout pages and order updates. It says a delivery was missed and asks for a small fee to reschedule. The sender ID shows “DPD” and the message appears inside your existing conversation thread. It feels routine. Almost everyone opens an SMS within minutes. Most tap first and think later.
A real example reads like this:
If you get a delivery text:
• Check the sender ID and compare the link domain before tapping.
• If you are unsure, go to the courier’s official app or website and enter your tracking number manually.
• Never give card details or 2FA codes over a page you reached from SMS.
That single line contains everything an attacker needs.
The link goes to a fresh domain, often registered days earlier. Attackers pick extensions such as .online, .site and .top. The landing page is a pixel perfect copy of the real DPD tracker. It asks for postcode, then card details, then date of birth. When the scam has what it needs, the page redirects to the real DPD site so the victim does not notice.
Within 24 hours a follow up call arrives claiming to be the bank fraud team.
They already have your card details and enough personal data to sound legitimate. Their next request is your 2FA codes. With those codes they can complete account takeover attacks.
These campaigns run at scale. In the last Prime cycle researchers tracked more than 120,000 fake Amazon domains, and over 36,000 spoofed delivery links in SMS alone. In a focused window before the event, analysts recorded tens of thousands of scam messages. DPD issued a public warning on 28 May about rising fraudulent texts. One analysis found 87% of domains containing “amazon-prime” registered in June were malicious.
Prime Day creates predictable behaviour. People expect multiple parcels. They expect courier updates. Attackers exploit that expectation. The fraud is not technically clever. It is psychologically precise. The message matches what people expect to see. The link looks like a tracker. The fee is small enough to seem reasonable. Those elements reduce friction and prompt action.
The techniques used against shoppers map directly to enterprise attacks. Spoofed supplier invoices, fake IT tickets, and urgent payment requests all use the same levers. Attackers weaponize context and timing to bypass rational checks. A convincing courier message can teach an employee to approve a payment or share credentials.
Card numbers are an immediate payout. They are tested with small transactions, used for purchases or sold on underground markets for about £8 to £12 each.
Full identity kits combine PII and payment data to enable refund fraud, fraudulent credit applications and ongoing abuse. Stolen credentials and 2FA codes let attackers perform account takeover through social engineering, SIM swap or session theft.
Occasionally a fake courier app will deliver a banking trojan, though that is less common now.
Because data is bundled and resold, a single compromise can fuel multiple fraud chains over months. Defenders need leak monitoring, tighter payment controls and tests that simulate the full fraud lifecycle, not just URL blocking.
This is a human problem and it needs human centric tests. Technical controls can help, but they will always trail narrative design.
Awareness alone is not enough. Simulations must mirror the real context people see.
That means using courier templates, realistic timing, and follow up calls in controlled tests. It also means testing the decisions people make when they are busy and distracted.
At CovertSwarm we recreate these campaign patterns in live assessments to reveal where trust breaks and where processes fail.
Prime Day is a seasonal spike, but the human behaviors it exposes are constant.
To reduce risk, organizations must test what looks normal.