Every year, retail events like Amazon Prime Day, Black Friday and Cyber Monday create a predictable spike in online activity. Shoppers are in a hurry, inboxes fill with promotional offers, "limited-time" urgency becomes the norm, and text messages start arriving with order confirmations, shipping updates and delivery problems. That environment is a gift to attackers, and they treat it like one.
I want to walk through what actually happens during these windows, why it matters for a credit union specifically, and the handful of practical habits that meaningfully reduce risk. None of this is complicated. But the difference between a near-miss and a fraud loss usually comes down to whether someone slowed down for ten seconds before clicking or tapping a link.
The threat is real and it's measurable
This isn't handwaving about "increased risk." The data is consistent year over year.
Ahead of Prime Day in July 2025, Check Point Research tracked over 1,000 new domains resembling Amazon appearing online in June alone, with 87% of these flagged as malicious or suspicious. A separate analysis around the fall event found that during the first three weeks of September 2025, a total of 727 new Amazon-related domains were registered, and one in every 18 was flagged as malicious or suspicious.
The mechanics are straightforward. Attackers lean on two primary tactics: fake domains designed to imitate Amazon's login or checkout pages, and phishing emails crafted to create urgency like "refund errors" or "account issues," luring victims into clicking malicious links. In one intercepted campaign, an email used the subject line "Refund Due—Amazon System Error" with the sender's address spoofed to appear as if from Amazon, tricking recipients into clicking a link to update their address that led to a fraudulent login page built to harvest credentials.
The same playbook has moved aggressively to text messaging, and that's the part worth flagging this year. The FFIEC and NCUA call text-based attacks "smishing," meaning phishing delivered by SMS, and the volume during shopping season is striking. According to McAfee research, text scams in the shopping category jumped 250% from May to late July 2025, with much of that spike landing right around Prime Day. Proofpoint has reported that smishing volume nearly doubled compared to the prior holiday season. The same research noted that over two-thirds of all SMS messages sent worldwide relate in some form to order delivery or a consumer retail brand, which is exactly why a fake "delivery problem" text feels so normal. The favorite lure is the package notification: a text claiming a USPS, UPS, FedEx, or retailer delivery needs your attention, pointing to a look-alike site that harvests card numbers and personal details. The U.S. Postal Inspection Service has issued its own public warnings about these package-tracking text scams.
The payoff for the attacker is significant, regardless of channel. A successful attack can lead to unauthorized purchases, identity theft, or gift card abuse. The scale is not trivial either. Amazon itself reported that in 2024 alone it removed over 55,000 phishing sites and 12,000 phone numbers linked to impersonation scams, a reminder that the phone, not just the inbox, is now a primary battleground.
Amazon is simply the most useful lure because it's the most recognized. In 2023, phishing attacks impersonating Amazon made up approximately 34% of all online financial phishing attacks worldwide, the most of any brand. The same playbook runs for any high-traffic event, across email and text alike, and only the brand name changes.
Why this belongs on a credit union's radar
It's fair to ask why a Prime Day consumer scam matters to a financial institution. Two reasons.
First, your employees are also shoppers, and they carry their phones everywhere. The same person who manages member data during the day is checking personal email at lunch and tapping a "where's my package?" text on a break. A credential-harvesting page doesn't care which hat someone is wearing or whether the link arrived by email or SMS, and password reuse between personal and work accounts remains common. A phishing or smishing compromise that starts as a personal Amazon scam can become an organizational problem fast.
Second, this is the regulatory expectation, not an optional nicety. The NCUA has been explicit. Its risk alert on social engineering and phishing reminds credit unions of the ongoing threat and reiterates the continued importance of educating employees and members on how to avoid these threats, noting that all credit unions and vendors, regardless of size, are potential targets. The FFIEC Information Security Booklet frames social engineering as the broader category, defining it as a general term for trying to trick people into revealing confidential information or performing certain actions. That includes phishing via email, smishing via text and vishing via phone call. Phishing email has historically been the most prevalent form, but the NCUA's own guidance specifically warns credit unions to be on the lookout for smishing attempts as well, and the 2025 data shows why.
The stakes are also defined in regulation. Under the NCUA's cyber incident notification rule, examples of reportable incidents include a phishing attack resulting in successful installation of malware, and a social engineering attack leading to fraudulent wire transfers. Credit unions must report qualifying incidents within 72 hours. A successful phish or smish isn't just a bad day. Depending on outcome, it can become a regulatory reporting event.
This is where I'll restate the principle I come back to with every client: security decisions are business decisions. Awareness training and basic account hygiene cost very little. The downside they protect against, including fraud loss, member harm, a reportable incident, and the examination scrutiny that follows, is expensive and disruptive. For a control this cheap against a risk this well-documented, the math is not close.
What actually works
Here's the practical part. These habits apply to your staff and are worth passing along to your members in your own newsletters and member education. They work the same whether the bait shows up in an inbox or on a lock screen.
Go to the source, not the link. The single most effective habit is to stop clicking links in unexpected emails and texts. If a message claims there's a refund, an account problem or an order issue, open a browser and navigate to the site directly, or use the official app. The guidance from researchers is consistent: avoid links in email and SMS, and go to the retailer directly, trusting only official sites. This is the specific defense against delivery-text scams. If you're expecting a package, check the order in the retailer's app or the carrier's official site rather than tapping the text. Legitimate carriers don't collect "redelivery fees" by text or ask for a full card number to fix an address. The same rule protects against fake credit union and member-service notices.
Slow down and read the address. Urgency is the attacker's primary weapon, and they're counting on you not looking closely. Scrutinize URLs, attachments and the wording of unexpected messages for signs of a scam. Misspelled domains, odd top-level domains (".top," ".online"), shortened links that hide the real destination, and sender addresses or phone numbers that don't match the real brand are common giveaways. Be aware that the old advice to "just look for typos" is weakening, because attackers increasingly use AI to produce clean, professional-looking messages. The absence of errors is no longer reassurance.
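The same giveaways can be checked mechanically before a link reaches a member or a staff inbox. The following is an added example, not code from the article: a small Python heuristic that flags the signs named above (a brand name embedded in a non-brand domain, near-miss spellings, the ".top"/".online" TLDs, and link shorteners that hide the destination). The trusted-domain allowlist, the shortener list and the sample text message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of the real brand domains a credit union might watch for.
TRUSTED = ("amazon.com", "usps.com", "ups.com", "fedex.com")
# TLDs the article names as common giveaways, plus a few well-known link shorteners.
RISKY_TLDS = {"top", "online"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude registrable domain: last two labels (a real tool would use the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def assess_url(url):
    """Return the reasons a link looks like a lookalike; an empty list means nothing fired."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["no hostname in link"]
    dom = registrable(host)
    if dom in TRUSTED:
        return []
    reasons = []
    if dom in SHORTENERS:
        reasons.append("shortened link hides destination")
    sld, _, tld = dom.rpartition(".")
    if tld in RISKY_TLDS:
        reasons.append(f"risky TLD .{tld}")
    for real in TRUSTED:
        brand = real.split(".")[0]
        # Brand token as its own label or hyphenated part: amazon-refunds.top, amazon.com.verify.online
        if re.search(rf"(^|[.-]){brand}([.-]|$)", host):
            reasons.append(f"brand '{brand}' embedded in non-brand domain {dom}")
            break
        if 0 < edit_distance(sld, brand) <= 2:
            reasons.append(f"'{sld}' is a near-miss of '{brand}'")
            break
    return reasons

def scan_message(text):
    """Map every http(s) link in a message to its assessment."""
    return {u: assess_url(u) for u in re.findall(r"https?://[^\s<>\"']+", text)}

# Constructed sample smishing text in the style the article describes (not a real message).
SAMPLE_SMS = ("USPS: your package could not be delivered. Update your address at "
              "http://usps-redelivery.top/fix or http://bit.ly/3fakeid within 24h.")
```

Heuristics like these produce false positives (legitimate regional domains such as a brand's country-specific site will trip the crude registrable-domain check), so they belong in a triage or alerting step, not an automatic block.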
Turn on multi-factor authentication everywhere it's offered. Enabling MFA on accounts means that even if a credential gets harvested, the attacker usually can't get in with the password alone. This is the highest-value single control an individual can enable, on personal and work accounts alike. Even if you use MFA, however, be sure to report any potential security events to your IT team to ensure accounts remain secure.
Be suspicious of refund, renewal, delivery, and "account issue" messages. These are the templates attackers reuse because they work, and the delivery-notification text is the signature smishing lure of the shopping season. Most impersonation scams involve fake messages about order confirmations, delivery problems or account issues, tricking people into sharing sensitive information. If a message creates pressure to act immediately, that pressure is itself the red flag. A useful habit: once you have verified through the official app or site that a suspicious text is not legitimate, delete it, so you don't tap it later when you're distracted.
If something does go wrong, act fast. Change the affected password, enable MFA if it wasn't already on and monitor the associated financial accounts for unusual activity. For staff, report it immediately through your internal channel. A fast report turns a potential incident into a contained one and gives the institution the time it needs to meet any reporting obligations.
For the security team: Scale the response to the institution
How much you build around this should match the credit union's size and complexity, consistent with the risk-based approach the FFIEC and NCUA expect.
For smaller institutions, the priorities are foundational: documented security awareness training that addresses phishing, smishing, and other social engineering, MFA on all email and remote access, and a clear, simple way for staff to report a suspicious message. The NCUA's Automated Cybersecurity Evaluation Toolbox (ACET) is a free downloadable resource that incorporates the FFIEC IT Examination Handbooks and the NIST Cybersecurity Framework, and it is a sensible self-assessment starting point regardless of asset size.
For larger and more complex institutions, layer on top of that foundation. Add simulated phishing campaigns with tracked results, and increasingly smishing simulations, since text is now a primary vector. Add technical email controls such as SPF, DKIM and DMARC, plus attachment and link sandboxing. Add timely member-facing alerts during known high-risk windows. Regular simulations and ongoing employee awareness programs are essential, particularly because attackers increasingly impersonate executives or trusted vendors to trick recipients into sharing credentials or initiating fraudulent transactions.
The point isn't to do everything. It's to map the control to the risk, the risk to your institution's tolerance, and the cost to the value protected. Prime Day is a useful annual reminder to check that those line up.
The bottom line
High-traffic shopping events don't introduce new attack techniques. They amplify old ones by giving attackers a distracted, hurried audience, and increasingly they reach that audience by text as readily as by email. The defenses are equally well-established and identical across channels: don't click unexpected links, verify by going to the source, enable MFA, and treat urgency as a warning sign rather than an instruction. Reinforce those habits with your staff before the next big shopping window, share the consumer-facing version with your members, and you'll have addressed a documented, recurring threat at a cost that any board can support.