Cybersecurity researchers are sounding the alarm as Black Friday and the holiday shopping season approach, revealing that more than 18,000 holiday themed domains have been registered in the last three months, many by malicious actors seeking to exploit the surge in online shopping and consumer demand for discounted deals.

According to a recent threat report from FortiGuard Labs, the spike includes domain names featuring terms like Christmas, Black Friday, FlashSale, and other retail related keywords. Of these newly registered domains, at least 750 have already been confirmed as malicious, used for phishing, fake storefronts, and payment information harvesting.

At the same time, attackers have also registered more than 19,000 ecommerce themed domains, of which around 2,900 are flagged malicious. Many mimic well known retailers with minor variations that are easy to miss when shoppers are moving quickly during peak shopping periods.

Security firms point out that these domains often serve as infrastructure for phishing websites imitating major retailers, payment processors, or shipping services. Fake storefronts offer deep discounts or holiday deals to lure shoppers into giving credit card information, while fraudsters also deploy search engine optimization (SEO) poisoning campaigns designed to make malicious domains appear high in search results during peak shopping seasons.

Additional schemes involve fraudulent gift card offers, counterfeit goods sales, or scams involving cryptocurrency or payment redirection. According to the 2025 holiday threat overview, attackers are increasingly automating their operations, deploying tools that allow rapid bulk domain registration and deployment across multiple geographies and merchant categories.

Researchers say the combination of record high online shopping traffic, inflationary pressure on consumers, and widespread mobile device use creates a perfect storm for cybercriminals to exploit trust and urgency. With many people looking for discounts and quick deals, especially via mobile devices, deceptive URLs, minor spelling variations, and fake sites can easily slip under the radar.

Attackers began preparing months in advance, leveraging industrialised tools and services that help them scale attacks across multiple platforms, geographies, and merchant categories. The criminal infrastructure supporting these operations has become highly sophisticated, with services available on darknet marketplaces offering turnkey solutions for launching phishing campaigns.

Credential validation kits, instant setup phishing hosting, and website cloning services allow rapid deployment of new campaigns. Bulk proxy and virtual private network (VPN) tools offer geographic and IP (Internet Protocol) diversification, evading geofencing controls. Smishing and vishing operations leverage automated Session Initiation Protocol (SIP) and Short Message Service (SMS) spam panels to target consumers with fake delivery notifications and sale offers.

The FortiGuard Labs research reveals that the criminal economy behind ecommerce compromise is highly organized. Full databases, WooCommerce records, payment tokens, cookies, and administrative access to high revenue sites are openly sold on underground marketplaces. Accomplice recruitment for rapid cash out and laundering further accelerates monetization of stolen data.

Phishing kits are being sold for between $100 and $1,000 depending on complexity and customizations. These kits enable even low skilled attackers to set up advanced phishing operations without requiring deep technical knowledge, lowering barriers to entry for cybercrime and expanding the threat actor pool.

Security experts recommend consumers always check the full Uniform Resource Locator (URL) carefully and be extra skeptical of domains with sale related keywords or odd spellings. Shoppers should use trusted, official retailer websites, bypassing links from emails or advertisements and navigating directly via bookmarks or known URLs.

Enabling strong security features including two factor authentication (2FA), secure payment methods, and browser security extensions provides additional protection layers. Consumers should avoid shopping on public or unsecured networks, especially when entering payment or personal information.

Additional red flags include unrealistic discounts, urgent limited time deals, poorly formatted sites, or requests for unusual payment methods such as gift cards or cryptocurrency. Using security software or safe browsing tools that flag known malicious domains or newly registered suspicious sites can help identify threats before engagement.

The research indicates that popular ecommerce platforms such as Adobe Commerce, Shopify, and WooCommerce are prime targets due to weak configurations and outdated plugins. Attackers are deploying sniffers to capture customer data and using remote code execution (RCE) exploits to gain administrative access to shopping platforms.

The FortiGuard Labs team has observed a surge in the sale of stolen gift cards, credit card data, and compromised ecommerce site databases. Threat actors are actively exploiting critical vulnerabilities in major ecommerce systems to install persistent backdoors or JavaScript based web skimmers directly onto checkout pages.

Separate research from Darktrace found a 54 percent jump in phishing attacks impersonating well known festive retailers including Walmart, Macy’s, and Best Buy. The attacks increasingly leverage artificial intelligence (AI) powered tools to craft convincing phishing emails that mimic legitimate communications from retailers and banks.

Ghana’s Cyber Security Authority (CSA) previously warned that online fraud alone accounted for GH¢12.87 million in losses between January and September 2025. The country lost more than GH¢19 million to cybercrime during that period, representing a 17 percent increase compared to the same timeframe the previous year.

The CSA recorded 266 cases of online shopping fraud from January to October 2025, with monetary losses exceeding GH¢600,000. The authority has urged Ghanaian consumers to exercise extreme caution when shopping online during Black Friday, citing anticipated rises in scams as shoppers chase discounted deals.

Common tactics used by scammers targeting Ghanaian consumers include brand impersonation, fake online shops, and phishing schemes. Fraudsters often mimic legitimate brands on search engines, run fake social media shops, or lure victims with deceptive links that steal personal information.

The CSA recommended that consumers verify contact details through official sources, avoid unfamiliar online stores, and be cautious of offers that appear too good to be true. The authority further advised consumers to insist on payment after delivery and inspection of products, protecting buyers from losing money to sellers who never intend to deliver goods.

The authority operates a 24 hour helpline for reporting suspected cyber fraud incidents. Citizens can call or text 292, use WhatsApp at 0501603111, or send emails to [email protected]. The CSA encourages immediate reporting of suspicious activities to help track and potentially apprehend cybercriminals.

For businesses, security experts emphasize the importance of keeping ecommerce platforms and plugins up to date while conducting regular vulnerability scans to significantly reduce risk. Implementing advanced fraud detection tools helps identify unusual activities such as brute force login attempts or fake traffic patterns.

Educating customers on recognizing phishing attempts and promoting safe shopping habits is equally important. Monitoring domain registrations for potential brand impersonations and reporting them promptly can help protect corporate reputations and prevent consumer losses.
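As an added illustration of the registration monitoring described above (not code from FortiGuard Labs or any vendor named in this article), the following Python sketch triages a feed of newly registered domains for the seasonal keywords the report names and for near-miss spellings of watched brands. The brand watch list, the allow-list of official domains, the digit-swap table and the `.example` sample domains are assumptions constructed for the example.

```python
# Seasonal terms named in the report; the brand watch list and the
# allow-list of official domains are assumptions for this example.
KEYWORDS = ("blackfriday", "flashsale", "christmas")
BRANDS = {"walmart": "walmart.com", "macys": "macys.com", "bestbuy": "bestbuy.com"}
# Digit-for-letter swaps commonly seen in lookalike names (assumed table).
HOMOGLYPHS = str.maketrans("013", "ole")


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def triage(domain):
    """Return the reasons a newly registered domain deserves analyst review."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in BRANDS.values()):
        return []  # the brand's own domain or one of its subdomains
    # Assumes a single-label TLD; use a public-suffix list for names like co.uk.
    label = domain.split(".")[-2] if "." in domain else domain
    flat = label.replace("-", "").translate(HOMOGLYPHS)
    reasons = [f"keyword:{k}" for k in KEYWORDS if k in flat]
    # Strip keywords so that a misspelt brand glued to one is still compared.
    residue = flat
    for k in KEYWORDS:
        residue = residue.replace(k, " ")
    tokens = residue.split() + [t.translate(HOMOGLYPHS) for t in label.split("-")]
    for brand in BRANDS:
        if brand in flat:
            reasons.append(f"brand:{brand}")
        elif any(edit_distance(t, brand) == 1 for t in tokens):
            reasons.append(f"lookalike:{brand}")
    return reasons


if __name__ == "__main__":
    # Constructed sample feed; .example is a reserved TLD.
    feed = ["walmart-blackfriday.example", "wallmart-christmas.example",
            "wa1mart-flashsale.example", "gardencentre-christmas.example"]
    for name in sorted(feed, key=lambda d: -len(triage(d))):
        print(name, triage(name))
```

A keyword-only hit is the low-confidence case: it marks the domain for watching rather than for a takedown report, while a brand or lookalike hit on a domain outside the allow-list is what goes to an analyst first.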

Securing administrative panels with strong passwords and restricted access can prevent unauthorized access. Organizations should implement multi layered security approaches combining network protection, email filtering, endpoint security, and user awareness training to defend against holiday season threats.

The combination of automated attack tools, industrialized criminal services, and heightened consumer activity creates an environment where vigilance becomes essential. Both individual shoppers and businesses must maintain heightened awareness throughout the extended holiday shopping period running from Black Friday through year end.

The distinction between confirmed and unconfirmed malicious domains signals a vast gray zone where many new registrations remain dormant but potentially dangerous. This creates uncertainty as security teams struggle to identify which newly registered domains pose genuine threats versus legitimate seasonal businesses.

Looking ahead, the threat landscape is expected to remain elevated through December as cybercriminals sustain operations to capitalize on gift shopping and year end promotions. The increasing sophistication of attacks, combined with easier access to criminal tools and services, suggests that holiday season cyber threats will continue growing in both volume and complexity.

For Ghanaian consumers participating in Black Friday shopping, whether purchasing from local or international retailers, the message from security experts is clear. Slow down, verify authenticity, use secure payment methods, and report suspicious activity immediately. The savings from a seemingly great deal can quickly evaporate if personal information or financial credentials are compromised.

The FortiGuard Labs research emphasizes that while technology solutions provide important defenses, consumer awareness and cautious behavior remain the most effective protection against holiday shopping scams. Taking extra time to verify legitimacy before making purchases can prevent financial losses and identity theft that could take months or years to resolve.