Valentine's Day Phishing Domains Surge 44% Ahead of Feb 14

Attackers registered Valentine's Day-themed domains at a 44% higher rate in January compared to December, according to Check Point research released ahead of February 14. Nearly all of these domains—97.5%—remain unclassified, meaning they could activate for malicious use at any moment. This follows the same pattern we observed with Microsoft domain spoofing campaigns earlier this year.

The findings arrive as Bitdefender reports nearly four in ten Valentine-themed emails are scams, and SpyCloud identifies more than 630,000 threat actors with footprints spanning dating platforms, cryptocurrency exchanges, and cybercrime forums.

Domain Registration Surge

Check Point documented a steady increase in Valentine-related domain activity:

• March-December 2025: Average 474 new domains registered monthly
• January 2026: 696 domains registered (44% increase)
• First 5 days of February: 152 additional domains (36% higher daily average)

The 97.5% unclassified rate is concerning. Newly registered domains that haven't been categorized by threat intelligence services can bypass domain reputation filters. Attackers often register domains weeks in advance, let them age past initial scrutiny, then activate them for campaigns timed to holidays.

Active Attack Types

Researchers identified several active phishing patterns:

Fraudulent e-commerce sites feature professional layouts, product categories, and checkout pages designed to harvest payment credentials. One active site—funkovalentineclub—sells counterfeit merchandise while impersonating legitimate Funko branding.

Dating platform clones use simple typosquatting to capture credentials. Researchers found 710 look-alike dating domains impersonating platforms like Tinder in January—a 9% increase from December. Examples include domains like "tinnderCFD" that differ by a single character from legitimate services.

Gift card and courier impersonation targets consumers expecting Valentine's deliveries. Attackers impersonate FedEx, UPS, DHL, and digital gift card platforms with fake shipping notifications and purchase confirmations. These campaigns often abuse Google Cloud infrastructure for phishing to evade email filters.

Geographic Targeting

The United States accounts for 55% of Valentine's-themed spam, making American consumers the primary target. Attackers leverage common search terms like "Valentine's Day gifts" and "cheap Valentine deals" to drive traffic to malicious sites through search engine poisoning and malicious ads.

For those unfamiliar with how these attacks work, our guide to phishing email examples covers the common patterns to watch for.

Romance Scam Infrastructure

SpyCloud's analysis of infostealer logs revealed the industrial scale of romance-linked cybercrime. More than 630,000 unique threat actors maintain digital footprints across three categories:

1. Cybercrime forums where tactics and victim lists are traded
2. Dating and social platforms used for victim targeting
3. Cryptocurrency exchanges for laundering proceeds

This overlap demonstrates how romance scams connect to broader cybercrime operations. Stolen dating profiles become social engineering weapons. Cryptocurrency provides the cash-out mechanism. Forums enable specialization—some actors focus on initial contact, others on psychological manipulation, others on funds extraction.

Protection Recommendations

For consumers:

1. Verify retailer legitimacy before purchasing from unfamiliar sites
2. Type URLs directly rather than clicking links in emails or messages
3. Reject unusual payment methods including cryptocurrency, gift cards, and wire transfers
4. Download dating apps only from official app stores
5. Enable multi-factor authentication on all accounts

For organizations:

1. Update web filters with newly registered domain blocking
2. Alert employees to seasonal phishing themes
3. Monitor brand impersonation if you're in retail, hospitality, or delivery
4. Review DNS logs for connections to recently registered domains

Why This Matters

Seasonal phishing campaigns exploit predictable consumer behavior. People expect Valentine's emails about gifts, deliveries, and date planning—making malicious messages blend with legitimate ones. The delivery impersonation tactics are similar to those used in LastPass credential theft campaigns targeting security-conscious users.

The infrastructure being built now won't disappear after February 14. These domains, once established, can be repurposed for future campaigns. The threat actors behind them operate year-round, simply adjusting their lures to match the calendar.