Feds Warn Safari, Chrome And Edge Users—Do Not Buy From These Websites

You have been warned. You need to stop and think before you buy. The government warns you may not realize you’ve been attacked until it’s too late. It has issued new advice to ensure you stay safe this holiday season. Do not ignore these instructions.
Security researchers warn that in 2025 “the threat landscape has fundamentally changed.” Attacks now harness AI to fix the mistakes of the past. You won’t know you’re not shopping with Amazon or Costco or Walmart or any one of a thousand other brands until it’s too late, until your bank account has been drained.
Attacks targeting Black Friday and Cyber Monday shoppers have just surged 620% and will now get even worse this weekend. “These bad actors target online shoppers through fake websites,” America’s cyber defense agency warns.
Chrome, Edge and Safari, which dominate U.S. browsing with more than 90% market share, provide some protection against fake websites. But only if they know to block them. AI defenses flagging issues in real time are still in their infancy.
CISA, part of the U.S. Department of Homeland Security, focuses mostly on the cybersecurity of government agencies and critical infrastructure, defending against nation state attacks, ransomware campaigns and exploited software vulnerabilities. But such is the holiday shopping threat to citizens that it’s stepping a little out of its lane.
“Black Friday is almost here!” the agency posted on X. “Before you fill your cart, make sure you’re shopping smart. Check out our holiday online shopping safety tips.”
Chief amongst those tips is avoiding fake websites. “Think about how you’re searching online. How are you finding the deals? Are you clicking on links in emails or going to trusted vendors? Are you clicking on ads on webpages? You wouldn’t go into a store with boarded up windows and without signage – the same rules apply online.”
Put more simply, CISA says, “if it looks suspicious, something’s probably not right.”
That means you must be sure you’re on a known, reputable vendor’s real website before you shop. “Some attackers may try to trick you by creating malicious websites that appear to be legitimate. Always verify the legitimacy before supplying any information. If you’ve never heard of it before, check twice before handing over your information.”
That also means you must never click links in emails or messages or social media posts, regardless of the deal on offer. As the FBI warns, “if it looks too good to be true, that’s because it is.” It’s now child’s play to use AI to replicate a retailer’s brand, to copy their style and steal their images. Suddenly you’re buying something that doesn’t exist and never ships. And you’ve given away your financial details as well.
Fortinet warns that “every year the holiday season brings a predictable spike in online activity, but in 2025 the volume of newly created malicious infrastructure, account compromise activity, and targeted exploitation of e-com systems is markedly higher.”
The researchers report “a surge among domains imitating major retail brands,” with attackers “registering over 19,000 e-commerce-themed domains, of which 2,900 were malicious. Many mimic household names, often with slight variations that are easy to miss when shoppers are moving quickly.” These are behind the links you receive.
Fortinet provides a list of these thousands of domains in its report. TL;DR, you don’t need to check the list. Just make sure you follow CISA’s guidance. Do not shop unless you’re on an obviously legitimate vendor’s website. No microsites, no sites with holiday-themed URLs. If you stray onto that thin ice, you’ll likely fall through.




