Scammers are using generative AI to create fake websites that look more convincing than ever, complete with polished text, professional imagery, and even the padlock icon in the URL bar that many people mistakenly equate with safety.
Cybersecurity expert Chet Wisniewski, director of Global Field CISO at Sophos, warns that a padlock or HTTPS in a web address only indicates that the site is encrypted, not that it is legitimate. In fact, nearly all scam websites now use encryption, making them appear trustworthy to unsuspecting users. Hackers can easily obtain SSL certificates at no cost and with no identity verification, allowing them to create spoofed sites that display the same security markers as authentic ones.
One of the most common tactics cybercriminals use is “typosquatting,” registering domains that closely mimic real sites but with subtle errors — an extra letter, a missing character, or a different domain ending such as .net instead of .com. More advanced schemes, known as homoglyph attacks, swap characters with visually similar ones, such as replacing an “O” with a zero or an “l” with the number one. These tricks are especially effective on mobile devices, where smaller screens make spotting the difference more difficult.
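The lookalike patterns described above can be checked mechanically against a list of sites a user or organization actually relies on. The sketch below is an added example, not part of the original article: the domains in `KNOWN_SITES` are constructed placeholders, and the substitution table covers only the two swaps the article names (zero for "o", one for "l").

```python
# Added example: flag domains that imitate a known site.
# KNOWN_SITES holds constructed placeholder domains, not real brands.
KNOWN_SITES = ("examplebank.com", "shop-example.com")

# Only the two substitutions named in the article: 0 -> o and 1 -> l.
FOLD = str.maketrans({"0": "o", "1": "l"})


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(domain, known=KNOWN_SITES):
    """Return (verdict, imitated_site); verdict is None if nothing matches."""
    domain = domain.lower().rstrip(".")
    if domain in known:
        return ("legitimate", domain)
    name, _, tld = domain.rpartition(".")
    for site in known:
        kname, _, ktld = site.rpartition(".")
        if name == kname and tld != ktld:
            return ("tld-swap", site)       # e.g. .net instead of .com
        if name.translate(FOLD) == kname.translate(FOLD):
            return ("homoglyph", site)      # digit standing in for a letter
        if edit_distance(name, kname) == 1:
            return ("typosquat", site)      # one extra, missing or wrong char
    return (None, None)


if __name__ == "__main__":
    # Constructed sample input.
    for d in ("examplebank.com", "examplebank.net", "examp1ebank.com",
              "examplebannk.com", "exmplebank.com", "unrelated-site.org"):
        print(f"{d:22} {classify(d)}")
```

A match is a prompt to look closer rather than proof of fraud, and a production check would also need to handle Unicode lookalike characters, which this table does not cover.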
Experts also advise checking the age of a domain, as scam sites are often newly registered and abandoned quickly. Tools like WHOIS can help determine when a domain was created, though new sites are not always fraudulent, as startups and temporary promotions may use recently registered addresses as well.
Another warning sign is the payment method a site accepts. Scammers often push for untraceable forms of payment such as gift cards, cryptocurrency, or cash transfers. Wisniewski stresses the importance of using credit cards or PayPal instead of debit cards when shopping online, since credit payments offer stronger fraud protection.
With AI making scam sites harder to distinguish from real ones, experts say vigilance is more important than ever. Small details in a URL, the history of a domain, and unusual payment requests can all serve as red flags that help protect consumers from costly fraud.

