Experts are warning that more than 2,000 holiday-themed fake retail sites are now active as Cyber Monday hits peak traffic, creating a prime window for large-scale fraud. The warning lands as Adobe Analytics projects Cyber Monday online sales of roughly $14.2 billion, following a record $11.8 billion in Black Friday spending.
The combination of urgency, mobile shopping, and steep-discount hunting has created ideal conditions for scam networks that are already operating at scale, according to CloudSEK, which published the report last week.
“Black Friday and Cyber Monday create an environment where consumers actively search for steep discounts across unfamiliar online stores — making them prime targets for large-scale fake shop operations,” wrote the report's author, Ibrahim Saify, a security consultant with CloudSEK.
Saify identified two major clusters of fraudulent storefronts designed to activate specifically during the Black Friday–Cyber Monday period. One cluster includes more than 750 Amazon-themed domains, many created through typosquatting and built from the same holiday-banner templates, countdown timers, and fake trust seals.
A second, much larger cluster spans the .shop domain and includes hundreds of thousands of sites impersonating brands such as Apple, Samsung, Garmin, Fujifilm, Ray-Ban, COSRX, and HP. The report shows that many of these domains sat dormant behind “coming soon” pages until the days before Thanksgiving, then switched into full storefronts as Black Friday approached.
The mechanics are familiar. Fake stores have long relied on aggressive discount banners, fabricated “recent purchase” alerts, and checkout pages designed to harvest billing information. Many also continue to redirect payments through unflagged shell merchant sites to avoid detection. These patterns mirror years of holiday-season fraud, where scammers take advantage of consumers who are primed for fast purchases and deep discounts.
“Holiday-themed fake shop campaigns have become highly polished, fast-moving, and automated — designed to exploit the rush of Black Friday, Cyber Monday, and Christmas sales,”
What has changed is the scale and coordination. CloudSEK found that entire networks of sites now use identical HTML structures, shared JavaScript checkout logic, and a suspicious content-delivery network that hosts holiday-themed assets and flip-clock timers. The templates automatically re-theme for Black Friday, Cyber Monday, Christmas, and Thanksgiving, allowing scammers to reuse the same infrastructure across the entire season.
The domains themselves show clustering in their creation dates, with large waves registered in late 2024 and in several bursts throughout 2025. The pattern suggests a centrally managed ecosystem rather than one-off opportunists, according to the report.
The fraud networks also hide behind Cloudflare reverse proxies or China-based hosting, making it difficult to trace their origins. Several payment-redirection domains remain unflagged by reputation services, which lowers the likelihood that early victims will trigger alerts. The report shows how checkout information, including credit-card data, is sometimes embedded directly into URL parameters for rapid harvesting.
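For defenders reviewing web-proxy or gateway logs, the URL-parameter pattern described above can be checked for directly. The following is an added example, not code from the CloudSEK report: it flags query or fragment parameters whose values contain a Luhn-valid card number and reports only the host and parameter name, never the number. The hostnames, parameter names and URLs are constructed, and the card number is the widely published Visa test value.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_params(url: str) -> list[str]:
    """Names of query/fragment parameters whose decoded value holds a Luhn-valid PAN."""
    parts = urlsplit(url)
    hits = []
    for raw in (parts.query, parts.fragment):
        # parse_qsl percent-decodes and turns '+' into a space before matching.
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(value)):
                hits.append(name)
    return hits

def scan(urls) -> dict[str, set[str]]:
    """Map hostname -> parameter names that carried card data (the PAN is never stored)."""
    findings: dict[str, set[str]] = {}
    for url in urls:
        names = card_params(url)
        if names:
            findings.setdefault(urlsplit(url).hostname, set()).update(names)
    return findings

# Constructed sample log URLs (reserved .test names, test card number).
SAMPLE_URLS = [
    "https://pay.redirect-example.test/go?order=8841&cc=4111111111111111&exp=12%2F27",
    "https://pay.redirect-example.test/go?card=4111+1111+1111+1111&name=A+Buyer",
    "https://store.example.test/track?id=1234567890123456",  # 16 digits, fails Luhn
    "https://store.example.test/cart?sku=4471&qty=2",
]

if __name__ == "__main__":
    for host, names in scan(SAMPLE_URLS).items():
        print(host, sorted(names))
```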
Adobe’s sales projections explain why this level of automation is emerging now. This year’s Cyber Monday is expected to draw the largest online shopping volume of the season. With shoppers moving quickly across unfamiliar sites, scammers gain both reach and plausible cover. High-traffic periods also make it harder for fraud analysts to distinguish malicious behavior from legitimate spikes.
CloudSEK expects the fake storefronts to remain active through December as scammers re-theme their templates for Christmas and year-end sales. The firm warns that even seasoned online shoppers may have trouble identifying the most convincing clones, particularly on mobile devices where visual cues are less noticeable.
The scale of this year’s activity reflects a “seasonal reloading” pattern that has become more organized and more automated, according to the report.