Scam emails impersonating big brands Amazon, DHL, Currys, Aldi and ASDA warning

Christmas is the busiest period for online shopping, which unfortunately means looking out for scam emails posing as Amazon, DHL, Currys, Aldi and ASDA. We explain how to spot them.

Scam emails posing as well-known brands will often pop up in your inbox pretending to be from companies you buy from, such as this phishing email purporting to be from Tesco.

Amazon is one brand urging people to be on high alert as we enter one of the busiest periods for online Christmas shopping. Last-minute shoppers are more likely to head online to secure a gift - leaving them potentially more vulnerable to scammers hoping to cash in.

Many of these scam emails are sent from email addresses that quite clearly have nothing to do with the brands they claim to be from, which is an easy way of telling a fake from a genuine communication.

But some phishing emails take it a step further by spoofing a legitimate firm's email domain, making fake emails more difficult to spot. 

But interacting with the email will only lead you to websites that have nothing to do with the brands involved. These sites will likely be dangerous and attempt to extract personal information from you, which could include your bank/card details.

Some emails spoof the email domain of the online discount marketplace website Living Social - in reality these emails have nothing to do with Living Social or the brands shown.

We have examples including your favourite shopping stores.

What do the spoofed Living Social emails look like?

Here are five examples of emails spoofing Living Social’s email domain that have nothing to do with Living Social or the brands shown:

1. ASDA email scam

This email posing as supermarket ASDA offers a £500 gift card and other ‘special prizes’. This is similar in tactics to other ‘gift card’ emails and even looks to create a sense of urgency by stating that the offer is due to expire.

2. Aldi scam email

Again, this email poses as a UK supermarket and uses the gift card/voucher hook, combined with an expiry time/date.

Aldi confirmed that it has no connection whatsoever to the email.

3. Amazon scam emails

Fake Amazon email #1

The most common scam uses correspondence that suggests you have ordered a product but confirmation is needed before it can be shipped. The scammers then try to convince you to provide payment or bank account information or even install software on devices to complete the order.

Amazon says orders can always be verified by logging into your Amazon account - and Customer Service is available 24/7 to assist.

Fake Amazon email #2

Amazon is not running this ‘customer survey’ or offering ‘exclusive rewards’ and ‘free shipping’. This email will take you to a site that has nothing to do with Amazon.

Fake Amazon email #3

Once again, Amazon is not offering ‘rewards’ - attempting to ‘claim’ this reward will not take you to a genuine Amazon website.

Amazon has a dedicated page explaining different types of gift card scams impersonating the brand here.

4. DHL scam email

Fake emails and text messages commonly impersonate delivery companies. This is another fake designed to entice you into interacting with it under the pretence of a parcel/delivery.

5. Currys email scam

Currys is not running this Smeg loyalty programme. Again, clicking through will take you to a website that is not affiliated with Smeg in any way.

All of these emails arrived with the sender displaying as ‘info@livingsocial.co.uk’ - all of them failed DMARC. Living Social is not responsible for the emails and has confirmed that they were sent fraudulently. 

Smeg confirmed that it has no affiliation with the email displaying its product.

What happens if an email fails DMARC?

Domain spoofing can happen when a domain is not protected by DMARC (Domain-based Message Authentication, Reporting & Conformance), a security standard designed to prevent unauthorised email senders from using a domain they do not own.

In the event that an email fails DMARC, this should be picked up by the recipient’s email server, which should then direct the suspicious email automatically to your junk/spam folder. 

This is helpful, but with the emails lurking in that folder, some who spot them could still be tempted to believe they’re genuine based on the supposed sender.

Each of the spoofed Living Social emails was detected as a DMARC failure by Microsoft and sent directly to the recipient’s junk/spam folder.

What additional checks should I carry out on a suspicious email?

It’s important that you conduct additional checks on any communication you receive if you’re unsure of its legitimacy. Hover over the email’s links to see where it is taking you - does the URL look suspicious? 

Take into consideration how the email has arrived - is it offering you something out of the blue? Has the email addressed you impersonally? Is it trying to create a sense of panic or urgency? 

If the answer to any of these questions is ‘yes’ then you should not interact with the email. If you’re still unsure, contact the brand it purports to be from via its official channels, away from the email itself.
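The two checks described above, the DMARC verdict recorded by your mail server and where the links actually lead, can both be read from a saved copy of a message. The following is an added example, not part of the original article: the sample message and the hosts mx.recipient.example, bulk.example and prizes.example are constructed placeholders, and the function name triage is hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not one of the emails in the article): the brand name
# is only a display name, the address spoofs livingsocial.co.uk.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=bulk.example;
 dkim=none;
 dmarc=fail action=quarantine header.from=livingsocial.co.uk
From: "ASDA Rewards" <info@livingsocial.co.uk>
Subject: Your gift card expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://prizes.example/claim">Claim now</a></body></html>
"""

class LinkHosts(HTMLParser):
    """Collect the hostname of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        host = urlsplit(href).hostname if href else None
        if host:
            self.hosts.append(host.lower())

def triage(raw):
    """Return the From domain, the recorded DMARC result and off-domain link hosts."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only the header added by your own receiving server is trustworthy;
    # a sender can insert forged Authentication-Results lines of their own.
    results = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"\bdmarc=(\w+)", results, re.I)
    dmarc = m.group(1).lower() if m else "missing"
    parser = LinkHosts()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    off_domain = [h for h in parser.hosts
                  if h != from_domain and not h.endswith("." + from_domain)]
    return {"from_domain": from_domain, "dmarc": dmarc,
            "off_domain_links": off_domain, "spoof_suspected": dmarc == "fail"}
```

Off-domain links on their own are common in genuine marketing emails that use tracking services, so the flag here is driven by the DMARC result and the link hosts are listed for manual review.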

I think I’ve been taken in by a fake email, what should I do?

If you’ve entered sensitive information, such as your bank/card details, into a third-party site you were taken to via a suspicious email, you need to let your bank know what’s happened via its official channels ASAP.

Your bank should work with you to cancel your card, block any pending payments (if required) and refund the money you’ve lost.

You should also then keep an eye out for any follow-up scams that could occur if you’ve given contact details, such as your email address or phone number, away to fraudsters. Treat any contact you receive out of the blue with caution.

How can I report fake emails?

Fake emails and phishing websites can be reported to the National Cyber Security Centre at report@phishing.gov.uk - action can then be taken to remove these websites before anyone else falls victim.

If you’re going to warn friends and family about a fake email, send them a screenshot - do not forward the email on directly.

A spokesperson for Living Social said: “Thank you for your email and for bringing this matter to our attention.

“We have checked the headers of the emails in question and spoken to Proofpoint who monitor and maintain our email security records. They have advised that everything is in order on our side and that the emails in question, which have been sent by a scammer, have failed authentication and should have been moved by Microsoft on receipt to the Spam folder. 

“We would advise consumers to be alert to fake emails and to be especially careful about opening and reacting to things that are in their spam folder. If a customer has any concerns about whether an email they have received with a Living Social domain is spam or not, they can reach out to our customer services team here with a screenshot of the email to clarify.”

George Martin

George is a freelance consumer journalist with a keen interest in scams and housing. He worked for the Consumers' Association for seven years where he was the editor of Which? Conversation - his work on exposing new scams saw him often quoted in the national press. 


George has been at the forefront of the cladding and building safety crisis, campaigning for the rights of leaseholders and giving a voice to those caught up in the scandal - as a result he was nominated for Property Journalist of the Year in 2021 at the Property Press Awards.