Amazon Prime Day returns from 23 to 26 June 2026, a highly anticipated moment every year for great offers. While the online event is an excellent opportunity to get the “deal of the year” by taking advantage of one of the many offers on a vast selection of products, Prime Day also represents a good opportunity for scammers. These aim to exploit users’ trust in the brand, the strong propensity to purchase and the rush induced by limited offers to orchestrate their criminal plans. It is no coincidence that this time of year regularly sees a surge in phishing emails, fake “mirror” sites (faithful replicas of Amazon’s official website) and deceptive messages, with the aim of stealing personal data, passwords or credit card numbers.
The data collected by the experts of Check Point Research reveal that these attacks are not improvised at all, but planned months in advance. Between December 2025 and May 2026, 6,843 new domains attributable to the Amazon name were registered. This temporal advantage is used by criminals to “age” fake sites, thus bypassing security systems that tend to block very recently created domains. Already in May 2026, approximately one in eleven of the new domains was cataloged by the experts Check Point Research as harmful or suspicious.
The pressure of cybercrime, however, does not only affect consumers, but extends to the entire commercial chain. Also in May 2026, companies belonging to the world of financial services suffered an average of 1,939 attacks per week, an increase of 8% compared to the previous year, while the sector of consumer goods and online stores reached an average of 1,809 attacks per week.
The two coordinated criminal operations identified by experts
The specialists of Check Point Research they identified two major coordinated operations.
The first exploits the “multi-TLD” technique, i.e. the variation of the final extension of an Internet address (such as .com or .it): scammers have registered six variations of sites – amazon-prime.help, amazon-prime.cam, amazon-prime.cc, amazon-prime.club, amazon-prime.app and amazon-prime.buzz – to “intercept Prime members regardless of the extension they type and keep the phishing pages active even if the individual domains are removed”, to use the explanation used by security experts.
The technical campaign, dubbed “amazoncredito”, targets the Spanish and Portuguese speaking markets through 46 fake domains promising fake discount coupons. To make the deception even more refined, IDN technology is exploited, a system that allows accented characters to be inserted into the web addresses that appear on the browser. Check Point Research he explained that in this way the scammers were able to ensure that “amazoncrédito is displayed with an accent in browsers, making the parody significantly more convincing for native speakers (Spanish, Ed.)”.
True mirror copies of the original marketplaces proliferate on the Web. Sites like amazonashop.shop faithfully replicate Amazon’s orange graphics, menus and banners, confusing those who land there from social media ads or a simple typing error. For the Italian market, amzn-buono.click was created, a portal that promises fake vouchers linked to Prime Day. Other scams instead reproduce individual product sheets: amazon-express.click, for example, artificially creates urgency with messages such as “only for the first 1,000 users”, while amazon-club.click ends up copying the reviews and the “Amazon’s Choice” sticker to make the purchasing experience seem as similar as possible to that of the official Amazon portal and thus succeed in stealing credit card data at the time of payment. Added to all this are the campaigns of smishing which simulate fake delivery delays, and attempts to steal 2FA codes, i.e. two-factor authentication codes which represent the second level of security for accessing a profile.
Amazon itself, on this support page, has listed the most common scams that are worth watching out for during the Prime Day period, but in general throughout the year. We will summarize them in the following points.
- False order confirmation: these consist of messages reporting a purchase that was never made, inviting you to click on a link to cancel it.
- Fake technical support: Typically perpetrated through sites and messages purporting to be from Amazon device support centers for the purpose of stealing personal data.
- Prime membership issues: Emails and SMS asking for bank details to confirm membership. Since Prime Day contains offers that are only accessible if you have an active Prime membership, a communication of this type could push you to provide your card details without thinking twice to avoid missing out on the opportunity to grab Prime Day discounts.
- Account suspension: these consist of communications that threaten the closure of the profile if the instructions provided by phantom Amazon operators are not followed, who in reality are scammers and have nothing to do with
How to protect yourself from Prime Day themed scams
To defend yourself from these and other scam attempts, it is essential to carefully check the site URL before proceeding with any purchase, remembering that the official one of Amazon Italy is one and only one: amazon.it. If you receive messages containing links that take you to other sites, do not open them or provide any personal data. Access Prime Day offers exclusively from the official Amazon website or app.
