Solutions overview
For security teams
For fraud / Risk teams
For digital business teams
Account take over (ATO)
Credit card data theft
Library
Partnerships
About
News
Events
Careers
Contact
What do bank account takeovers, credit card scams, purchase of counterfeit goods, and frequent flier mile theft, all have in common? All these cyber crimes usually begin with a user visiting a fake website.
In the first quarter of 2024, over 963,000 unique phishing sites were detected worldwide. Phishing sites are just one category of fake websites that mimic legitimate sites to steal information. The overall scope of fake websites is likely much broader.
Interacting with fake websites can have severe impacts, including data theft, customer mistrust, and financial losses. Before we look at some fresh examples of fake websites in the wild, let’s look at the types of fake websites and what you can do to protect your clients from them.
What are fake websites?
Fake websites are deceptive sites that mimic legitimate ones and exploit users’ trust in brands. Creating these fake websites to mislead users and steal information is done through website spoofing – and spoofing is a common phishing scheme that attackers leverage to steal information or cause upheaval.
Some of the attackers’ goals are to steal money or personally identifiable information (PII). Once the fake website is up and running, attackers can do this in various ways, such as using credential harvesting methods, credit card data theft, etc.
Financial services companies, airline companies, e-commerce marketplaces, and healthcare providers are among the victims of fake websites, as are charities, package delivery services and telcos. No industry is safe.
Examples of use cases for fake websites
E-commerce scams
E-commerce scams include, among others, fake online shops and gift card scams.
Hackers use legitimate e-commerce platforms to create their own (fake) online shops. Both the look of the website and the products on sale look very similar (if not the same) as those of the legitimate brand. In many cases, these fake stores push “promotional” offers that are too good to be true. However, after making a purchase, shoppers who fall for the scam may receive counterfeit products – or simply see the payment is carried out but will get nothing in return.
Gift card scams operate differently. Scammers create fake websites that sell either already-used gift cards or counterfeit ones that the retailer won’t accept. They then pocket the payment without providing anything in return – and often steal the buyer’s credit card information for future fraudulent use.
Account takeover
In account takeover, hackers aim to gain control of accounts for services they can abuse. Bank account takeovers are the most well-known ATO cases, where attackers gain unauthorized access to a victim’s bank account to steal funds or conduct fraudulent transactions.
To accomplish this, scammers create a website homepage and login page that looks exactly like a legitimate site. They trick users into adding their credentials (usually username and password) to log into their accounts. They then receive this account login data on their servers.
Account takeovers are also common in the higher education vertical, where bad actors try to get access to faculty accounts in order to steal research, or even exams which have not been published yet. In the case of airlines, taking over a client’s frequent flier account is done in order to steal loyalty points and miles.
Investment fraud
In investment fraud scenarios, attackers create a fake website that clones a legitimate site from online investment platforms, brokerage firms, or financial service providers. Then, they lure victims into “investing” their funds by transferring a large amount of money to this platform. These websites often feature unrealistic financial gains, such as high returns on cryptocurrency or real estate investments, to make the opportunity more appealing.
Misinformation
We often form our opinions and preferences based on information obtained from reputable sources. It’s no wonder that the number of fake news sites is increasing. These websites impersonate real news outlets to promote ideological agendas or cause societal disruption. Cybercriminals, political agitators, or “hacktivists” often create and promote them through paid advertisements.
In the US, there are more fake news websites than real local media websites. These websites are incredibly dangerous because they purposely distort public opinion based on lies, sway people to change their values and beliefs, defend (often extremist) causes, or even endanger readers’ health based on incorrect and unfounded healthcare information.
A related case involves fake financial news, where misinformation is spread to manipulate stock prices for monetary gain. For example, malicious actors disseminate false claims that company stock is going down to influence market behavior and create profit opportunities.
There are many other examples of such use cases, including SEO poisoning, fake package delivery text messages, donation scams, etc.
What are the implications of scams based on fake websites?
Fake websites can impact anyone. If a business has its website cloned and used for any type of attack, the consequences are multiple, from financial loss to brand damage.
One of the most immediate consequences of fake websites is revenue loss, particularly common for e-commerce companies. Customers who intend to buy an item from a legitimate online store may be misled into making payments on impersonating sites, causing the company to lose direct sales opportunities. In some cases such fake stores will not deliver, and the disgruntled customers may contact the genuine store and ask for reimbursement. If the company decides to compensate the customers, the financial implications are not just loss of income but also increased expenses. An additional burden on expenses is the cost of managing these fraud cases.
Financial implications aside, attacks from fake websites can also severely damage a company’s reputation, break customer trust, and create regulatory problems. Rebuilding a good reputation can take years, and requires significant marketing and PR investment. Plus, if a company is in the media’s eye, it faces much more scrutiny from the public and from regulators, which may lead to hefty fines.
When it comes to the impact on individual users, they usually suffer financial losses, and have their PII stolen (which is not only an administrative nightmare but also a source of significant emotional distress). And as to those fake websites spreading misinformation, the impact on society can be profound, potentially influencing public opinion on important issues or contributing to social unrest.
5 Examples of Fake Websites That Could Fool Anyone
Why do users believe in fake websites, and what attracts them there? Here are five recent examples of fake websites and how they were used to scam people.
1. PayPal
In late 2023, a series of fake websites replicating PayPal’s login page tricked customers into entering their account details. Hackers created these fake websites with URLs similar to PayPal’s, such as “paypaysecurity.com” or “paypa1.com,” and complemented this with a website layout identical to the original’s.
Hackers used phishing techniques, such as email notifications about an alleged account issue, to prompt users to log into their ‘PayPal accounts.’ However, these were actually fake websites designed to look like the legitimate PayPal site.
Once users submitted their details, hackers could steal their credentials, take over their accounts, drain their balances—or carry out a combination of these actions. This attack affected thousands of users and resulted in millions of dollars in estimated losses. While the exact number wasn’t divulged, just a few years earlier, in 2020, Action Fraud determined victims lost $8 million in PayPal scams during that year.
2. Apple
There are fake iPhones, Macbooks, iPods, and even… fake Apple customer service websites. Over the last few years, fake websites impersonating Apple support have targeted users seeking help solving Apple device malfunctions. These fake websites used SEO poisoning techniques to appear on top of Google results pages for keywords like “iPhone not charging,” leading Apple customers to click on the link without much thought.
The hackers aimed to persuade frustrated Apple customers to call a fake support number – and thousands of customers did. During the call, they were lured into buying other items or services. While the exact financial loss is not known, there are stories of people who have lost over a thousand dollars in these calls.
Apple faced stringent backlash from customers and the media, and the Apple team saw their workload increase as they tried to take down these fake websites and get them unindexed from Google.
While Apple has shared more information on phishing awareness and how to avoid scams, it remains a target of various attacks – most of which start with a fake Apple website.
3. Netflix
The proverbial “Netflix & chill” expression quickly turned into “Netflix & panic” for Netflix users who were scammed in late 2023 by fake websites which cloned this popular streaming platform. Hackers used email notifications to trick users into logging into their accounts to solve a problem with their payment method and prevent their accounts from being suspended – which of course these bad actors used to steal PII.
Recent statistics revealed that victims of these scams lost $2270 on average. This Netflix scam was a highly successful feat for hackers, causing financial losses for Netflix users and an administrative nightmare for the Netflix team. The company had to reset the passwords of all affected users, send out warnings, and strengthen its security measures to allow earlier and easier fraud detection.
4. ChatGPT
Scammers follow consumer and industry trends closely, and ChatGPT is no exception. From early 2023 to the end of April, around 1 in 25 new domains associated with ChatGPT or OpenAI received potential malicious flags. Some of the domains uncovered by security researchers include:
- chat-gpt-pc.online
- chat-gpt-online-pc.com
- chatgpt4beta.com
- chat-gpt-ai-pc.info
- chat-gpt-for-windows.com
These fake websites were created to deceive users into installing malicious software packages or entering bank account details to get a premium version of the tool. For example, the URL chat-gpt-ai-pc.info encouraged users to download “AI enhancement tools” that were, in reality, a form of malware.
Several such attacks have led to severe consequences including identity theft and significant financial losses. In response, the OpenAI team issued multiple warnings to users, and invested heavily in external cybersecurity services to mitigate the damage.
5. Nike
Fake websites are commonly used to sell counterfeit items, particularly from the world’s favorite brands – and more so during popular events. In 2023, various fake websites impersonated Nike’s site during the FIFA World Cup. These sites offered “exclusive” deals on Nike products, such as Air Jordans, at significantly lower prices, pressuring Nike customers to make quick purchasing decisions to avoid losing the deal. Like in the other scenarios previously discussed, the URL was very similar to that of the legitimate site.
As a result, Nike was forced to handle a flood of complaints from customers who thought they had purchased the goods from an authentic brand. The company had to issue public warnings, and collaborate with authorities to take down these fake sites.
Many customers were duped into buying counterfeit or non-existent products, with estimated total losses in the tens of millions. While we don’t know the exact number of victims of this particular attack type, fake online shops have scammed millions of people over the past years.
Real-time Digital Risk Protection with Memcyco
Dealing with fake websites is not unlike playing whack-a-mole. Even if you detect one of these before the damage is done, another one may immediately appear, attempting to abuse users’ trust in your service and brand. Fighting that requires a proactive and multi-pronged approach.
Memcyco’s real-time Digital Risk Protection (DRP) solutions give security, fraud, and digital business teams unprecedented visibility into website impersonation attacks as they unfold. The solutions protect companies and their customers from when such fake sites are up and until they are taken down, and continue to provide protection even after that, while PII is still available for purchase on the darknet. Employing AI and a unique ‘nano defender’ technology, Memcyco’s system provides you with full protection and visibility in real-time. Contact us today to discover fake websites before they become a real threat.
