TL;DR
Check Point found 6,843 fake Amazon domains ahead of Prime Day, with phishing emails and fake storefronts targeting shoppers across 22 countries.
Cybersecurity researchers have identified nearly 7,000 fraudulent Amazon-themed domains registered in the six months leading up to Prime Day 2026, which begins on 23 June. Check Point Research tracked 6,843 new domains created between December 2025 and May 2026, with registrations peaking at 1,446 in April and remaining elevated at 1,267 in May.
Of the total, 9.2 percent were classified as malicious or suspicious. The rate accelerated sharply in early June: during the first week of the month, one in every 13 newly registered Amazon-themed domains was flagged, according to Check Point’s analysis.
Prime Day 2026 runs from 23 to 26 June across 22 countries, with four additional markets joining later in the summer, according to Amazon’s official event page. The extended four-day window and global reach make it a high-value target for phishing operations, which follow the same seasonal playbook that researchers documented around the FIFA World Cup, where over 13,000 fraudulent domains appeared in the months before kickoff.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!
The phishing infrastructure includes fake Amazon storefronts designed to harvest credit card numbers, spoofed login pages that steal account credentials, and email campaigns with subject lines such as “Refund Due, Amazon System Error” that direct recipients to counterfeit sites. Check Point flagged one campaign using a sender address mimicking Amazon’s customer service domain closely enough to bypass casual inspection.
A notable cluster targeted Spanish-speaking shoppers. Check Point identified 46 domains registered under the “amazoncredito” pattern, all linked to a single registrant and aimed at Latin American markets where Amazon has been expanding its Prime membership. Five of six “amazon-prime” top-level domain variants were already classified as malicious at the time of the report.
The tactics are not new, but the scale keeps growing. Google recently sued a Chinese cybercrime ring that used AI to generate phishing code and operated one million fraudulent domains, illustrating how cheap and automated domain-based fraud has become. Check Point’s findings suggest that Amazon-themed operations are following the same industrial pattern, with thousands of domains registered months in advance and activated as shopping events approach.
Check Point recommended that shoppers type amazon.com directly into their browser rather than clicking links in emails or ads, enable two-factor authentication on their Amazon accounts, and treat any unsolicited refund notification as suspicious. The company also advised looking for HTTPS and padlock icons, though it noted that fraudulent sites increasingly use valid SSL certificates to appear legitimate.
The timing is significant because Prime Day has become one of the largest online shopping events globally, generating billions in revenue and drawing millions of first-time deal hunters who may be less familiar with phishing tactics. Amazon has not publicly commented on Check Point’s findings.
