Boots impersonated in phishing scam targeting nearly 9m shoppers


Boots has reportedly been impersonated in a large-scale phishing campaign that targeted nearly nine million email inboxes, according to cybersecurity firm Huntress.

The scam promised shoppers a free Boots beauty sample pack in exchange for completing a short customer satisfaction survey.

Victims who clicked through were taken to a realistic-looking fake Boots storefront, where they were asked to hand over personal information including their name, email address, date of birth, phone number and home address.

They were then prompted to enter payment card details under the pretence of covering a delivery fee.

Huntress said Boots’ own systems do not appear to have been compromised. Instead, the fraudsters used other trusted infrastructure to make the campaign appear more legitimate.

The emails were sent from a compromised small UK business server, where the attackers had installed Gammadyne Mailer, a legitimate bulk email tool often used for newsletters.

Huntress said the small business was unaware its server had been compromised.

The cybersecurity firm found the campaign after the company installed its security software on 15 May.

Huntress said the attackers had staged six recipient lists containing 8,894,920 email addresses and were in the process of sending the scam emails when the activity was detected.

Huntress said it isolated the network and blocked almost 30,000 outbound SMTP connections in 104 seconds, although it could not confirm how many messages had already been sent.

The scammers also avoided using an obviously suspicious website. Instead, they broke into the real website of Bolivia’s Instituto Plurinacional de Estudio de Lenguas y Culturas, a government cultural institute, and hosted the fake Boots pages in a “boots_store” section of the site.

Huntress said the use of an official government domain helped the scam appear credible, while making it more likely to pass automated spam filters and less likely to raise suspicion among victims.

The phishing emails impersonated “Boots hello@boots.com” and used personalised subject lines, including the recipient’s own email address and random reference numbers, in an attempt to make each message look more convincing.
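The lure features described above (a Boots display name paired with links to an unrelated domain, the brand name in the URL path, the recipient's own address echoed in the subject, and a free-gift survey that ends in a "delivery fee") can be checked mechanically at the mail gateway. This is an added example, not Huntress's or Boots' code; the brand domain list and the sample message, including its placeholder hostname, are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the impersonated brand and the domains its genuine
# mail would link to. In practice both come from a brand watch-list.
BRAND = "boots"
BRAND_DOMAINS = {"boots.com"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def host_is_brand(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw: str) -> list[str]:
    """Return the names of the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    subject, body = msg.get("Subject", ""), msg.get_payload()
    urls = URL_RE.findall(body)
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    paths = [urlparse(u).path.lower() for u in urls]
    hits = []
    # 1. Sender claims the brand, but every link points somewhere the brand does not own.
    if BRAND in (name + sender).lower() and hosts and not any(map(host_is_brand, hosts)):
        hits.append("brand_link_mismatch")
    # 2. Brand name used as a path on a foreign host (the "/boots_store/" pattern).
    if any(BRAND in p and not host_is_brand(h) for p, h in zip(paths, hosts)):
        hits.append("brand_in_path_on_foreign_host")
    # 3. Mail-merge artefact: the recipient's own address echoed in the subject line.
    if rcpt and rcpt.lower() in subject.lower():
        hits.append("recipient_address_in_subject")
    # 4. Free-gift-for-a-survey lure paired with a small fee to harvest card details.
    text = (subject + " " + body).lower()
    if "free" in text and "survey" in text and "delivery fee" in text:
        hits.append("free_gift_survey_fee_lure")
    return hits

# Constructed sample modelled on the campaign described above; the hostname is a placeholder.
PHISH = """From: "Boots" <hello@boots.com>
To: alice@example.co.uk
Subject: alice@example.co.uk - your free beauty sample pack (ref 48213-771)
Content-Type: text/plain

Complete our short customer survey to claim your free sample pack.
https://institute.example.gob.bo/boots_store/survey?id=48213
A small delivery fee applies at checkout.
"""
```

Running `triage(PHISH)` returns all four indicator names; a genuine dispatch notice linking only to boots.com returns an empty list.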

The campaign may also form part of a wider UK-facing scam operation. Huntress said artefacts found in the attackers’ working folder appeared to point to other campaigns linked to HMRC and cryptocurrency themes.

Boots has been used as bait in similar “free gift” scams before. Earlier this year, fact-checking charity Full Fact warned about false Facebook posts claiming the retailer was offering premium mini perfume sets to people who completed a survey.

The incident highlights how major retail brands are increasingly being exploited by criminals to make phishing campaigns appear more trustworthy.

While the Boots brand was used to lure victims, the attack appears to have relied on compromised third-party infrastructure rather than a breach of the retailer itself.

Huntress said it has shared its findings with Bolivia’s national cybersecurity authority.
