Next week, Amazon will celebrate Prime Day, a bacchanal of modestly discounted ephemera. But amid the flurry of cheap TVs and ebooks and what else, maybe Instant Pots? Watch out for this clever phishing campaign that might hit your inbox.

Researchers from security company McAfee today have shared details of a so-called phishing kit, which contains the tools an aspiring hacker would need to kick off a phishing campaign, designed to target Amazon customers. While McAfee discovered this particular kit in May, it appears to be a spinoff of one that had targeted Apple users in the US and Japan last November. The kit is called 16Shop; its author goes by the handle DevilScreaM.

In both the Apple and Amazon campaigns, 16Shop makes it easy for anyone to craft an email that looks like it comes from a major tech company, with a PDF attached. That PDF contains links to malicious sites that have been gussied up to look like, in this most recent case, an Amazon log-in page. Anyone who falls for it will have given up the keys to their Amazon account, and any other service for which they reuse that same password. As with the previous Apple campaign, those links direct victims to a page that requests not just their name but also their birthday, home address, credit card info, and Social Security number.

“The use of major brands looks to leverage the subconscious lever of authority to invoke user interaction,” says McAfee chief scientist Raj Samani.

All of this is typical of a phishing campaign, and in fact less sophisticated than the more targeted spearphishing attacks that regularly strike high-value targets. Its significance, though, lies in the timing. With Prime Day fast approaching—bringing with it a barrage of legitimate deals emails from Amazon—the sharks are circling.

“Cybercriminals take advantage of popular, highly visible events when consumers are expecting an increased frequency of emails, when their malicious emails can hide more easily in the clutter,” says Crane Hassold, threat intelligence manager at the digital fraud defense firm Agari. “Consumers are also more conditioned to receiving marketing or advertisement emails during certain times of the year—Black Friday, Christmas, Memorial Day—and cybercriminals format their attack lures accordingly to increase the chances of success.”

At the very least, interest around the Amazon phishing kit appears high. McAfee says that DevilScreaM set up a Facebook group to sell licenses and provide product support—like any good software startup—nearly two years ago. By November 2018, the group had 200 members. As of last month, it had topped 300 members and 200 posts. And McAfee has identified over 200 malicious URLs—that start deceptively with verification-amazonaccess, verification-amaz0n, and so on—associated with the phishing kit. It’s unclear how many people have actually fallen for the ruse, but fair to say that business is bustling.

McAfee notified Facebook that the 16Shop group exists, but as of Thursday night the social network had not yet taken it down. Facebook did not return a request for comment.

The good news is, the Amazon scam spree doesn’t appear uniquely clever, which means the usual rules for protecting yourself apply. Make sure that email comes from who it claims; in Gmail you can double check by clicking on the downward arrow next to your name. Don’t open attachments unless you’re sure it’s from someone you trust. Similarly, don’t type your information into a website that’s not legit, which means taking a close look at that URL. (The green lock in the URL bar, sadly, just means your data is encrypted in transit, not that it’s headed somewhere safe.) Get a password manager, to limit the fallout if you do accidentally cough up your log-in details. And don’t trust a deal that seems too good to be true—even on Prime Day.

More Great WIRED Stories