A new wave of fraudulent giveaway emails is spreading across the United States, impersonating Lowe’s and claiming the recipient has won a free Gorilla Carts utility wagon. These messages do not come from Lowe’s, Gorilla Carts, or any legitimate partner. They are part of a malicious funnel built to harvest personal information, payment card data, and device identifiers. The emails direct users to a fake survey and checkout sequence hosted on newly registered or disposable domains, followed by requests for sensitive information that can be exploited for financial fraud.
Victims report receiving emails with subjects such as “You have won a Gorilla Carts” or variations of this phrasing. The emails reference the recipient by name, but the examples shown here are only representative. Actual scam messages may use different subject lines, sender names, promotional images, and URLs. This flexibility allows the operators to bypass filters and continuously refresh their infrastructure.
Example of the Lowe’s Gorilla Carts Scam Email
One recent example impersonates Lowe’s and claims the user has won a Gorilla Carts wagon. The message is sent from an unrelated email address, not from the genuine @lowes.com domain:
Sender: “Lowes” <LFRKtqNLJe@mante.biffalojp.com>
Subject: “[REDACTED] you have won a Gorilla Carts”
The email contains a clickable product image linking to an IP-based redirect hosted at:
http://webapp-cdxapi-test-mort.fanniemae.com/sdfqsdfqdfgssdfh.html
Although the domain includes the name of a well-known organization, it is not part of any legitimate Fannie Mae system. The URL is being abused as a redirect layer that forwards victims into a fraudulent survey funnel. IP-based redirects are a hallmark of mass-scale phishing operations because they are easy to replace and difficult for automated systems to evaluate.

How the Scam Redirects Users to a Fake Survey
After clicking the email image, users are redirected into a fake rewards survey hosted on another disposable domain. In the example submitted to Botcrawl, the survey was located on:
https://cheapperfume.shop
The page uses generic promotional graphics, stock icons, fabricated date stamps, and imitation branding to convince users they must answer a few questions to claim their reward. The questions themselves are meaningless and serve only to move victims to the next stage of the scam. No real verification occurs, and the answers have no impact on the outcome.

These survey pages are typically hosted on domains that appear only days or weeks before the scam begins. A quick WHOIS Lookup will often reveal that the site was registered recently, uses privacy protection, or provides minimal ownership information. This behavior is consistent with short-lived scam networks that rotate domains rapidly to evade takedowns.
The Fake Checkout Page: Where the Theft Happens
Once a user completes the fraudulent survey, they are passed to a fake checkout page styled to resemble a legitimate Lowe’s promotional site. Unlike real Lowe’s pages, these sites:
- Request personal information not needed for promotions
- Display fabricated scarcity warnings
- Use generic SSL certificates
- Host on unrelated or recently registered domains
The checkout page seen in this case demanded the following information:
- Full name
- Email address
- Phone number
- Billing and shipping address
- Payment card number, expiration date, and security code

Submitting this information does not result in any shipment. The data goes directly to the operators behind the scam, who may use it for unauthorized purchases, identity theft, account takeovers, or resale on criminal marketplaces. Because the funnel is designed to appear as a small promotional fee or shipping cost, victims often overlook the danger until fraudulent transactions begin appearing on their accounts.
Domains and Infrastructure Used in This Scam
Scam operators frequently rotate domains, IP addresses, hosting providers, and redirect layers. In this example chain, the following infrastructure was observed:
- Email impersonation: LFRKtqNLJe@mante.biffalojp.com
- Redirect Layer: webapp-cdxapi-test-mort.fanniemae.com
- Survey Page: cheapperfume.shop
The presence of well-known corporate domains in redirect layers does not indicate involvement by the legitimate company. Phishing groups frequently exploit redirect endpoints or misconfigured subdomains to camouflage traffic. The only reliable way to verify a domain is to examine ownership through a WHOIS Lookup or to check the official Lowe’s communication and promotional guidelines.
Why the Lowe’s Gorilla Carts Scam Is Effective
Gorilla Carts products are widely recognized and frequently promoted by major retailers. Their popularity makes them ideal lures for scammers who want to leverage brand familiarity. The scam also benefits from:
- Simple, direct messaging
- Use of the recipient’s name to appear personalized
- Professional product images taken from legitimate websites
- False urgency created by countdown timers and limited stock notices
- Low-dollar payment requests that seem harmless
This same structure appears in many other trending product scams, including fraudulent Starbucks giveaways. A recent example circulating online claims recipients can get a free Bearista Cup by completing a similar survey. That scam is documented in Botcrawl’s report on the Starbucks Yeti Rambler Tumbler scam. These schemes share infrastructure and follow the same basic pattern.
Red Flags That Identify the Lowe’s Gorilla Carts Scam
- The email does not come from the official @lowes.com domain
- Redirects begin from unrelated or corporate-looking domains misused by scammers
- Survey pages are hosted on recently registered unrelated domains
- Checkout pages request unnecessary personal and financial information
- Scam URLs often change daily and bear no connection to legitimate retailers
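The first two red flags can be checked mechanically. The following is an added example, not part of the original report: it compares the brand claimed in the From display name against the actual sender domain and the link hosts in the body. The `BRAND_DOMAINS` allowlist and the HTML body of the sample are assumptions; the sender, subject, and URL are taken from the example above.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains each brand legitimately sends from and links to.
BRAND_DOMAINS = {"lowes": {"lowes.com"}}

# Constructed sample: sender, subject and URL are from the article; the HTML is illustrative.
SAMPLE = '''From: "Lowes" <LFRKtqNLJe@mante.biffalojp.com>
Subject: [REDACTED] you have won a Gorilla Carts
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><a href="http://webapp-cdxapi-test-mort.fanniemae.com/sdfqsdfqdfgssdfh.html">
<img src="cart.png" alt="Gorilla Carts"></a></body></html>
'''

class LinkHosts(HTMLParser):
    # Collects the hostname of every <a href> in the body.
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            host = urlsplit(href).hostname
            if host:
                self.hosts.add(host.lower())

def in_domain(host, allowed):
    # Exact match or true subdomain; "evil-lowes.com" does not match "lowes.com".
    return any(host == d or host.endswith("." + d) for d in allowed)

def brand_mismatch_flags(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    name = display.lower().replace("'", "").replace("\u2019", "")
    links = LinkHosts()
    links.feed(msg.get_payload())
    flags = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in name:
            continue  # display name does not claim this brand
        if not in_domain(sender_domain, allowed):
            flags.append("sender:" + sender_domain)
        flags += ["link:" + h for h in sorted(links.hosts) if not in_domain(h, allowed)]
    return flags
```

An empty list means the claimed brand, sender domain, and link hosts are consistent; it says nothing about whether the message is otherwise safe.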
How to Protect Yourself from This Scam
- Do not click links in unsolicited giveaway emails
- Always verify promotions directly on the retailer’s official website
- Never provide payment information to claim a prize
- Check suspicious domains using a WHOIS Lookup tool
- Scan your device for malware after interacting with suspicious links
- Use a reputable security tool like Malwarebytes to remove hidden threats
What to Do If You Submitted Information
If you entered personal or financial information on any of the scam sites, take action immediately:
- Contact your bank or card provider and report the fraudulent activity
- Request a replacement card
- Monitor statements for unauthorized transactions
- Change passwords tied to your email or financial accounts
- Run a full device scan with anti-malware software
- Be cautious of follow-up phishing attempts, which often target prior victims
How to Report the Lowe’s Gorilla Carts Scam
- FTC Report Fraud
- IC3 Internet Crime Complaint Center
- Your state or national consumer protection agency
- Your email provider by marking the message as phishing
Fake retailer giveaways remain one of the most common email-based scams circulating in 2025. By recognizing the red flags, verifying promotions through official channels, and protecting personal information, users can avoid these schemes even as they continue to evolve.

