During your everyday scroll on Instagram, you come across an ad – maybe jewellery, maybe shoes, or maybe even merch of your favorite sports team – that promises you a huge discount. Interested, you click on the link and, having found an online store with the promised deal, you decide to buy.
But as you enter your card details, a message pops up saying the transaction was declined. You try again and again, but each time is unsuccessful. Frustrated, you close the browser tab. Some weeks later, your card declines while buying groceries. You check your account balance to find it empty. What happened?
As Boyd Clews explains in his video, using the same scenario I described above, there is a high chance that scammers stole your card information by using a fake online store. The products and discounts you saw listed there don’t actually exist, even if the website looks legitimate.
Such websites are obviously scams designed to steal money from unsuspecting people. In a car dealership website scam, numerous people were scammed out of tens of thousands of dollars. In April 2025, the Lithuanian State Tax Inspectorate (STI) warned the public about fake STI websites that imitate the appearance and functionality of the official page. Since March and April are the income tax filing months in Lithuania, this is especially concerning.
Fraudulent websites aren’t necessarily on the rise – in fact, the number of phishing sites has dropped from around 1,5 million in the first quarter of 2023 to just below 900 thousand in the third quarter of 2024. Still, the number of phishing sites in 2024 is nearly six times higher than in 2020, emphasizing the severity of the issue.
Naturally, the question arises – how do scammers create and copy fake websites? How can they use official domain names, such as those of car dealerships and tax authorities, to scam people out of millions every year? And, most importantly, how are web hosting service providers dealing with this, and even allowing it to happen in the first place?
How do scammers host illegal websites?
Most hosting providers have it in their terms of service and other legal agreements that hosting scam or fraudulent websites is not allowed.
For example, WordPress emphasizes that it’s committed to freedom of expression, allowing people to host a wide range of content on their sites. However, they also draw the line at scamming people out of their money. Similarly, Hostinger states in their ToS that its hosting services cannot be used for illegal activities. What falls under that is not explained, but perhaps it isn’t too wild an assumption that Hostinger may consider monetary scams illegal.
Given these limitations, how come scammers still use hosting services to host fraudulent sites?
Taking advantage of sparse site screenings
As some Reddit users claim, with the extraordinary number of websites each provider hosts on their servers, threat actors simply take advantage of the fact that domain or hosting providers don’t routinely check the content of the sites they host. Unless they receive a report – and it can take some time before a site is reported.
For example, Hostinger says in its Terms of Service that it does not actively monitor what kind of sites are hosted on its servers. In April 2025, Hostinger reported that it is hosting more than 9.5 million websites. Checking every single one of them for fraudulent content is simply impossible. Chances are, other hosting providers – much bigger than Hostinger, such as Amazon Web Services – are in similar situations. This leaves ample time and opportunity for scammers to run their fraudulent websites and illegal schemes undetected.
Domains: extensions and hijacking
Another way that scammers create fake sites is by using domain names with barely noticeable typos. For example, in the Lithuanian Tax Authority case, the official, non-scam website uses a domain name with a .lt extension – vmi.lt. Scammers, however, may use a domain like vmi.com or vmi.org, or any other official-looking domain name extension.
Domain hijacking is one more way that threat actors resort to, although it takes some effort and social engineering skills. In such cases, a threat actor may use social engineering to get hold of the domain owner’s logins, such as email and password. Other ways to get such information are security vulnerability exploitation, domain owner impersonation, and keylogging. With a hijacked domain, the threat actors are free to transfer domains to a different host and use them for malicious purposes.
AI website cloning
But hijacking a domain, using a well-known domain name with a typo, or simply hosting a site is not enough to successfully scam people. If a scammer is impersonating a well-known site, such as a tax authority website or something like Amazon, there’s the question of user interface likeness and similarity. Most recently, threat actors are using AI to clone websites, complete with logos, testimonies, and other UX design elements that lend them authenticity.
Indeed, a website that appears just like the one you’ve seen before – especially if it’s an online store or an official government site – seems more trustworthy than one with spelling mistakes or design elements that aren’t very symmetrical. You will be more likely to click on buttons or enter personal details on a website that functions just like you’re used to, like in this case of a fake login page for DHL employees. But if this is the case, if scammers are resorting to highly advanced AI techniques to scam better, how can you protect yourself and your wallet? How to recognise if a website is a scam?
How to check if a website is a scam
Whether it is domain hijacking or AI website cloning, recognizing a phishing site is not always a straightforward process. Especially if you’re visiting a site for the first time. However, here are some tips and tricks on how to check if a website is used for scams – and how not to fall for them.
Check the URL
Firstly, check whether the site uses a secure protocol, that is, https instead of http (notice the missing s) at the beginning of the address. An HTTPS protocol means the site is running on a secure, encrypted protocol. Most browsers, however, automatically block access to insecure sites and require confirmation before redirecting you to them.
Secondly, always check and verify the domain extensions. Remember the example with the Lithuanian State Tax Inspectorate – the scammers used a domain extension different from the official site. Additionally, check the domain name for typos or invisible symbols. If you can, always type the domain name in the search bar yourself.
Check the website content
Most legitimate online stores, government agency websites, or other sites have certain elements in them that make them legitimate. Look for these elements first:
- Full and well-written ‘About us’ or ‘Contact us’ pages, complete with a real address and contact information.
- Links to privacy policy, returns policy if it’s an online store, terms of service, and other legal agreements.
- Spelling and grammar mistakes.
- Inconsistent page layout, poor quality photography.
Remember that with techniques such as AI website cloning, recognizing a scam website can be even more difficult.
Check the offers and payment options
When checking out a website like an online store, an investment platform, or anything else that has to do with money, follow the golden principle: if the offer seems too good to be true, it probably is a scam. If someone is promising you incredibly high returns on investments or a 99% discount on an otherwise expensive item like a car, clothing, or tech, the chances are high that this is a scam. Another clear indication of a possible phishing scheme is urgency. This includes limited offers and countdowns (although real online stores also sometimes use these), statements that urge you to do something now before it is too late, and similar. Scammers use urgency to induce a state of stress. If you are stressed or panicking, there’s less chance you will question the situation and whether what is happening is actually safe and legal.
If you somehow end up at the checkout page, tread really carefully. Check that the page is using a secure protocol – HTTPS. The absence of a secure protocol on a checkout page is a very bright and big red flag, since this means that none of the information you enter is encrypted – including your payment card details.
Even if the checkout page is secure, make sure the vendor offers at least several different payment options, such as PayPal, Google or Apple Pay, or other payment processing providers. If the website’s only or primary payment option is bank transfer, it’s a red flag. Do not enter any details, close the website, and report it.
Check for other signs of social engineering
Social engineering is a set of psychological manipulation strategies, such as AI voice cloning, commonly used by bad actors in all aspects of life. They are designed to cause harm. Read more about how to protect yourself from social engineering.
Conclusion
Fake websites designed to steal your money are on the rise. With advanced techniques such as AI website cloning, it’s becoming more and more difficult to tell if a website is real or fake. This puts numerous people – and reputable businesses – at risk. Real sites are being copied or hijacked and used for illegal purposes, and people are losing millions to scammers without a chance of getting this money back.
And while it’s still possible to detect a scam website, for example, by inspecting its URL or checking for signs of social engineering, the truth is that bad actors are unrelenting. With hosting providers relying on individual site reports instead of routine site content checks, domain hijacking, and even more advanced AI scamming techniques, staying vigilant online is more important than ever.
Your email address will not be published. Required fields are markedmarked