UK Consumer Survey Scam Campaign Impersonates Major Retail Brands
16 April 2026
By Samantha Clarke, Archa Archa, Hiwot Mendahun and the Mimecast Threat Research Team
- Over 42k multi-brand phishing campaign targeting UK consumers with scams impersonating Boots and Superdrug across the last 90 days
- Promise of free gifts or rewards in exchange for completing fake customer satisfaction surveys
- Collection of extensive personal information and payment card details for fraudulent £2.95 "delivery fee"
- Phishing infrastructure hosted on AWS S3 buckets, leveraging compromised domains for landing pages
- Clones of legitimate brand websites increase victim trust and credential submission rates
Campaign Overview
The Mimecast Threat Research team has identified a cluster of phishing campaigns targeting UK consumers with scams that impersonate well-known retail brands and service providers. The campaigns use social engineering tactics that promise free gifts, exclusive rewards, or urgent account actions to lure recipients into surrendering personal information and payment details.
Unlike traditional phishing campaigns that rely heavily on credential theft, these operations combine multiple data collection stages—first harvesting personal details through fake surveys, then capturing payment information under the guise of nominal shipping or processing fees. The £2.95 "delivery fee" represents a carefully calculated amount: low enough to avoid triggering immediate suspicion, yet significant enough to validate stolen payment card details for future fraudulent use.
Attack Flow and Technical Infrastructure
The campaigns follow a consistent multi-stage attack pattern:
- Initial Contact: Recipients receive emails with urgent or enticing subject lines referencing account updates, delivery issues, or exclusive rewards
- Landing Page Delivery: URLs direct victims to phishing pages initially hosted on AWS S3 buckets before redirecting to compromised or attacker-controlled domains
- Brand Impersonation: Landing pages feature near-pixel-perfect clones of legitimate brand websites, including authentic logos, styling, and layout
- Survey Engagement: Victims complete fake customer satisfaction surveys requesting opinions on products or services
- Reward Selection: Upon survey completion, victims choose from several "free" reward options (typically skincare products, gift cards, or promotional items)
- Personal Data Collection: First form requests full name, physical address, phone number, and email address
- Payment Data Harvesting: Second form collects complete payment card details (card number, expiration date, CVV) for the £2.95 "delivery fee"
- Legitimate Site Redirect: After data submission, victims are redirected to the authentic brand website, creating the illusion of a legitimate transaction
Case Study: Boots UK Survey Scam
Recipients of the Boots phishing campaign receive one of two primary email themes, each designed to establish legitimacy and entice engagement.
- Post-Survey Gift Notification: Emails claim the recipient recently completed a customer satisfaction survey and has been selected to receive a complimentary gift as a thank you for their participation.
- Post-Purchase Survey Request: Emails reference a recent purchase at Boots and invite the recipient to complete a brief customer satisfaction survey, promising a gift upon completion.
Both approaches exploit normal retail customer engagement patterns. Consumers are accustomed to receiving post-purchase feedback requests and loyalty program communications from retailers, making these lures particularly effective. The promise of a free gift creates an incentive for engagement while the reference to recent activity (whether fabricated or informed by data breach information) lends credibility to the message.
Analysis of the Boots impersonation campaign reveals sophisticated technical implementation. The phishing page, initially delivered from AWS S3 bucket storage, redirects to a compromised domain.
The landing page presents as a 1.4 MB clone of the legitimate Boots.com homepage, containing 19,549 lines of HTML that replicate the authentic site's visual appearance.
The primary malicious element is a modal overlay disguised as a OneTrust cookie consent banner, a legitimate privacy dialog familiar to UK internet users. The modal displays: "You have been selected to participate in our customer satisfaction survey. We really appreciate your feedback, and as a thank you, we have a special gift for you: a set of 5 of our best-selling skincare products from our sponsor, Skinny Tan."
This approach exploits user familiarity with privacy banners while creating urgency around exclusive rewards. The "Start survey" button—styled identically to a legitimate Boots consent acceptance button—submits a POST request to a PHP script that begins the data harvesting sequence.
The user is taken through a few questions mimicking a survey, then to a page where they choose from a selection of free gifts.
Once a gift is selected, they are taken through a form collecting personal information such as name, email and physical address, and date of birth.
On the final page the user is asked for a small payment of £2.95 for delivery of the gift. Once the payment has gone through, the user is redirected to the legitimate Boots website.
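The fake consent-banner overlay described above is a structural marker a defender can triage for when reviewing a suspect landing page. The following is an added example, not code from the original report: it walks the HTML with the standard-library parser, records forms whose action is a PHP script, and flags the page when such a form sits inside a container styled as a cookie/consent banner next to survey-or-gift lure text. The page fragment is constructed for the example and assumes well-formed, non-void tags inside the banner.

```python
from html.parser import HTMLParser
import re

# Constructed fragment standing in for the cloned homepage (not the real phishing page):
# a cookie-consent-styled overlay whose button POSTs to a PHP script.
SAMPLE_PAGE = """<html><body>
<div id="onetrust-banner-sdk" class="otFlat">
  <p>You have been selected to participate in our customer satisfaction survey.
  As a thank you, we have a special gift for you.</p>
  <form method="post" action="/start.php"><button type="submit">Start survey</button></form>
</div>
<footer><a href="/privacy">Privacy policy</a></footer>
</body></html>"""

LURE = re.compile(r"(satisfaction survey|special gift|free gift|reward)", re.I)
CONSENT_ID = re.compile(r"onetrust|cookie|consent", re.I)   # id/class hints of a consent banner

class LureFormFinder(HTMLParser):
    """Collects forms whose action is a PHP script and records whether each one sits
    inside a consent-banner-styled container; also gathers the text inside that container."""
    def __init__(self):
        super().__init__()
        self.consent_depth = 0        # >0 while inside an element styled as a consent banner
        self.text_in_consent = []
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ident = f"{a.get('id', '')} {a.get('class', '')}"
        if self.consent_depth or CONSENT_ID.search(ident):
            self.consent_depth += 1   # track nesting so we know when the banner closes
        if tag == "form" and a.get("action", "").lower().endswith(".php"):
            self.findings.append({"action": a["action"],
                                  "method": a.get("method", "get").lower(),
                                  "in_consent_banner": self.consent_depth > 0})
    def handle_endtag(self, tag):
        if self.consent_depth:
            self.consent_depth -= 1
    def handle_data(self, data):
        if self.consent_depth:
            self.text_in_consent.append(data)

def triage(html: str) -> dict:
    """Return the PHP-backed forms found and whether the page shows the lure pattern."""
    p = LureFormFinder()
    p.feed(html)
    lure = bool(LURE.search(" ".join(p.text_in_consent)))
    return {"php_forms": p.findings,
            "lure_text_in_banner": lure,
            "suspicious": lure and any(f["in_consent_banner"] for f in p.findings)}
```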
Campaign Variations and Geographic Expansion
While the primary focus targets UK consumers, evidence suggests threat actors are expanding operations and targeting victims internationally:
TV Licensing Campaigns exploit UK-specific regulatory requirements for television ownership, creating urgency around billing updates and payment detail verification. The lure aligns with genuine TV Licensing renewal periods, increasing victim susceptibility.
EVRi Delivery Scams leverage post-pandemic expectations around frequent package deliveries and missed delivery notifications. These campaigns request personal information and payment details to "reschedule" non-existent deliveries.
International Expansion includes campaigns impersonating Costco (targeting multiple countries) and Shoppers Drug Mart (targeting Canada), suggesting either geographic expansion by the same threat actor or toolkit reuse by affiliate operations.
Indicators of Compromise (IOCs)
Boots UK Campaign
Example Subject Lines:
- Boots: Gift Inside – Share Your Thoughts! NO:748893
- Tell Us What You Think & Enjoy Boots Rewards!
- Your Opinion Matters – Take the Boots Survey Today! NO:314121
- Boots Rewards: Claim Your Gift & Promotion Today! NO:225678
- Boots™ Take Our Survey and Get a Thank-You Gift! NO:210751
Phishing URLs:
Landing Page Domain:
- bartonsurveying[.]com
Superdrug Campaign
Example Subject Lines:
- Complete Our Survey and Get Superdrug Rewards
- Gift Alert! Don't Miss Out on Your Free Reward at Superdrug
- Give Us Your Opinion, Get Amazing Rewards from Superdrug
- Share Your Opinion & Unlock Exclusive Superdrug Perks!
- Your Opinion Matters | Get Rewarded by Superdrug
- Your Superdrug Gift Awaits – Claim It Now: Ref.66630-7691
Phishing URLs:
Targets
Geographic Focus: Primarily United Kingdom; expanding to Canada and global markets
Industry Vertical: Across all industries
Recommendations
User Security Awareness Training
- Educate employees on the specific characteristics of this campaign
- Train staff to verify unexpected task assignments through separate communication channels before clicking links
- Emphasize authentication verification: Users should always check the URL bar before entering credentials—legitimate Microsoft login pages will use login.microsoftonline.com or login.microsoft.com domains, not powerappsportals.com variations
Proactive Threat Hunting
- Search email receipt logs for the IOCs listed above
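A concrete hunting query over gateway logs, added here as an example and not tooling from the report, scores each message on the campaign markers the report describes: a retail brand named in the subject but a sender domain that is not the brand's, survey/gift lure wording, a fake reference number such as "NO:748893", and a link to static HTML hosted in an S3 bucket (path-style or dualstack virtual-host form). The log lines and the legitimate sender domains are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of gateway log records (not real campaign data), one per line:
# sender <TAB> subject <TAB> first URL extracted from the body.
SAMPLE_LOG = """\
promo@boots-rewards-team.example\tBoots: Gift Inside – Share Your Thoughts! NO:748893\thttps://s3.amazonaws.com/examplebucket/survey.html
news@boots.com\tYour Boots Advantage Card statement\thttps://www.boots.com/advantage-card
offers@sd-gifts.example\tYour Superdrug Gift Awaits – Claim It Now: Ref.66630-7691\thttps://examplebucket.s3.dualstack.us-east-1.amazonaws.com/1.html
it@corp.example\tQuarterly survey results\thttps://intranet.corp.example/survey.html
"""

# Impersonated brands and the domains assumed (for this example) to be their legitimate senders.
BRANDS = {"boots": ("boots.com",), "superdrug": ("superdrug.com",)}
LURE_WORDS = re.compile(r"\b(survey|gift|reward|opinion|feedback)\b", re.I)
REF_TAG = re.compile(r"\b(NO|Ref)[:.]\s*[\d-]{5,}", re.I)          # e.g. "NO:748893", "Ref.66630-7691"
# S3 static hosting as seen in the lures: s3.amazonaws.com/<bucket>/x.html or <bucket>.s3.dualstack.<region>.amazonaws.com
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com$", re.I)

def is_s3_hosted_html(url: str) -> bool:
    p = urlparse(url)
    return bool(S3_HOST.search(p.hostname or "")) and p.path.lower().endswith(".html")

def score(sender: str, subject: str, url: str) -> tuple[int, list[str]]:
    """Return a heuristic score and the reasons behind it; 0 means no campaign markers."""
    reasons = []
    brand = next((b for b in BRANDS if b in subject.lower()), None)
    if brand is None:
        return 0, reasons
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not any(sender_domain == d or sender_domain.endswith("." + d) for d in BRANDS[brand]):
        reasons.append(f"'{brand}' in subject but sender domain {sender_domain} is not the brand's")
    if LURE_WORDS.search(subject):
        reasons.append("survey/gift lure wording in subject")
    if REF_TAG.search(subject):
        reasons.append("fake reference number in subject")
    if is_s3_hosted_html(url):
        reasons.append("link to static HTML in an S3 bucket")
    return len(reasons), reasons

def hunt(log_text: str, threshold: int = 3) -> list[dict]:
    """Return the records scoring at or above the threshold, with their reasons."""
    hits = []
    for line in log_text.splitlines():
        sender, subject, url = line.split("\t")
        s, why = score(sender, subject, url)
        if s >= threshold:
            hits.append({"sender": sender, "subject": subject, "score": s, "reasons": why})
    return hits
```

Tune the threshold to the false-positive rate of your own mail flow; a legitimate retailer mailing from its own domain with a survey link scores low here.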
Long-Term Considerations
Organizations should recognize that survey scam campaigns exploit fundamental human psychology around reciprocity and limited-time offers. As these campaigns become more sophisticated in their brand impersonation and technical implementation, detection strategies must evolve beyond traditional indicators to include behavioral analysis and contextual evaluation of survey and reward offers arriving via email.