Black Friday 2025 Scams: Brand Impersonation, Old Scams, and Familiar Malware Drive the Global Fraud Season

What started as an American retail tradition went on to become a worldwide sales event – and a favorite time of year for scammers.
While US Black Friday officially falls on the fourth Friday in November (28 November this year), many countries now run sales weeks earlier.

 In Romania, for example, promotions this year began as early as October 30, while some European brands delayed their campaigns to align with the US calendar.

The result: a month-long shopping season, giving cybercriminals more time and space to execute scams across multiple regions and languages.

Global spam landscape

Between October 1 and November 10, Bitdefender Antispam Lab found that scams accounted for 53% of all global Black Friday-related spam by volume, while 47% consisted of spamvertising or aggressive marketing.

However, we expect future scam spikes to include mass waves of fake delivery and shipping scams that appear in the final week of November.

Bitdefender telemetry reveals clear geographic patterns in this year’s campaigns, with top destinations for Black Friday spam and scams arriving in inboxes of consumers in the US (60%), Germany (12%), Ireland (7%), South Africa (4%) and the UK (3%).

Top Sources of Black Friday Spam include the United States (43%), The Netherlands (14%) and Indonesia (13%)

The data shows that Europe and North America remain the main battlegrounds for Black Friday-related fraud.

However, the reach of Black Friday-related scams is global, with malicious and marketing spam hitting inboxes across Asia-Pacific, Latin America, and Eastern Europe.

Record-breaking online spending fuels record-breaking scams

According to Adobe, US consumers spent $10.8 billion online on Black Friday 2024, a 10.2% increase from $9.8 billion in 2023.
That spending growth continues to attract scammers who capitalize on seasonal hype, a sense of urgency, and trust in major brands. Bitdefender’s latest data reveals that Black Friday scams form a single interconnected ecosystem, combining email phishing, social media fraud, malvertising, and SMS phishing into a coordinated effort that peaks every November.

Brand impersonation dominates 2025

If one tactic defines this season, it’s brand impersonation, or the practice of cloning logos, marketing language, and designs from trusted companies to make scams look legitimate.

The most impersonated brands in scam emails observed this year include:
Amazon, MediaMarkt, TEMU, IKEA, Kaufland, Grohe, Oral-B, Binance, Louis Vuitton, Jack Daniel’s, Reese’s, and United Healthcare.

Amazon remains the most-abused brand, appearing in everything from mobile phishing to fake coupon emails promising huge discounts.
A separate campaign spoofed United Healthcare, promoting Oral-B dental kits in a false “Black Friday Smile Upgrade” to collect personal data.

Here’s a taste of this year’s scam emails courtesy of Bitdefender Antispam Lab researcher Viorel Zavoiu:

Germany: a major target for high-volume phishing

German-speaking consumers have faced a massive phishing and giveaway operation impersonating MediaMarkt, Amazon, and TEMU.
Bitdefender linked it to a single infrastructure cluster active from October 11 to November 10.

The campaign delivered fraudulent messages, using Google Cloud Storage for hosting and Google Cloud IPs in the Netherlands and Belgium for distribution.
Emails promised €500–€1,000 vouchers, iPhones, or “test product pallets,” all written in German with emojis and a sense urgency:

“Black Friday😍:: Ihre MediaMarkt 500€ Gutscheine + iPhone Air / 17 Pro (Max)”

The use of legitimate Google Cloud infrastructure made these scams more difficult to block and detect, allowing them to bypass traditional spam filters.

Luxury scams never die

Some scams are timeless. One recurring campaign promised designer accessories under the subject line:

“[Black Friday 2025] Elevate Your Style – Louis Vuitton Bags from $200.”

The email described “refined fashion and timeless craftsmanship” and used similar email templates to those used in variations of this luxury goods scam for over a decade.

Malware behind Meta ads: the Binance × TradingView campaign persists

At the high end of the threat spectrum, Bitdefender Labs continues to track a multi-stage malware operation abusing Meta’s ad platform.
The threat actors behind last year’s Weaponizing Facebook Ads: Inside the Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands report are still active, and using Black Friday branding to claim new victims.

Over 30 fraudulent Meta ads were observed, all promoting “Binance × TradingView Black Friday bonuses”.
Victims who click are redirected to lookalike Binance pages offering crypto rewards or “trading tools,” but they download the same information-stealing malware previously analyzed by Bitdefender.

This malware harvests browser data, credentials, and crypto-wallet information.

From early sales in Romania to German-language phishing campaigns and fake delivery alerts expected to flood US phones later this month, Black Friday scams are a year-round global business.

The tactics evolve, but the playbook stays the same: impersonate trusted brands, exploit a sense of urgency, and spread through every available platform: from email and SMS to paid advertising.

How to stay safe this Black Friday

Verify deals at the source. Visit official websites directly instead of clicking on links in emails, ads, or messages.

Expect delivery scams. As Thanksgiving approaches, stay alert for fake “tracking updates” and “package delays.”

Use verification tools. Analyze URLs with Bitdefender Link Checker.

Ask before you click. Share suspicious messages with Bitdefender Scamio to confirm if they’re fraudulent.

Keep protection on. Bitdefender Premium Security block phishing domains, brand impersonation pages, and malicious downloads before harm is done.