Cybercriminals Use AI to Create Fake Websites That Look Just Like the Real Thing
When Joann Fabrics filed for bankruptcy for the second time within a year this January, scammers seized the opportunity. Within days, a flurry of impostor websites appeared with URLs like “joannlosangeles.com,” “jo-annclosingonsale.shop” and “joanndiscount.shop”—all designed to look nearly identical to the retailer’s legitimate site.
The Joann scam sites, which used the company’s name, branding and product images, pretended to offer merchandise at deep discounts with the aim of stealing shoppers’ credit-card information and personal data. Customers who placed orders on these fake sites never received products but had their payment information compromised.
“The whole look and feel of the website was very similar to the real website,” says Melanie McGovern, director of public relations and social media for the Better Business Bureau, or BBB. “If you’re on your mobile phone, you’re not looking at that URL when you click on an ad or a link in an email that says ‘shop here.’ ”
These fake Joann websites exemplify the increasingly sophisticated website scams that can fool even careful consumers, according to the BBB. Scammers are creating realistic fake websites that look identical to the originals, imitating everything from well-known retailers such as Amazon and PayPal to toll-collection agencies, employment portals and financial institutions.
Such scams have been growing for years, but some cybersecurity experts worry that a new development will supercharge them: AI tools that enable criminals with limited technical skills to create nearly perfect replicas of legitimate sites in just minutes.
The process is simple: Attackers buy an AI-powered tool on a criminal marketplace or dark-web forum. They feed in the URL of a legitimate site, and the AI-powered tools instantly scrape the real page, clone its look and feel, and add fake forms designed to capture personal or financial details. Scammers can tweak the pages, translate them into multiple languages, and deploy them—often in minutes—without writing a single line of code.
“The scary thing is just how easy it is,” says Robert Duncan, vice president of intelligence and strategy at cybersecurity firm Netcraft. “It allows more nontechnical people access to the tools, lowering the barrier of entry.”
Casting a wider net
Joann Fabrics said it was aware of the fake sites and Facebook ads and had warned consumers that https://www.joann.com/ was the only legitimate website through which to buy Joann products. It also urged anyone who made a purchase through a fake site to dispute the charge with their financial institution. Joann sold off its branding to rival Michaels in early June.
It isn’t clear whether the Joann impostor sites were created with the help of AI. But Netcraft has identified nearly 100,000 domains created with the help of illicit AI tools, impersonating 194 different brands across 68 countries. The firm estimates these fake sites now account for 6% to 7% of all phishing activity online.
The tool allows scammers to go after brands that previously weren’t a big enough target for the amount of effort it would take to create a fake site. While Duncan says major companies have sophisticated systems to detect and take down impostor sites quickly, smaller businesses often lack these resources.
“The big enterprises, the very large brand recognizable names, expect this,” says James E. Lee, president of the Identity Theft Resource Center, a nonprofit that helps victims of identity theft. “But it’s small and medium businesses, really, any business today,” that are now targets for cyber-fraud, he says.
Text messages purporting to be from legitimate companies—known as smishing—are a preferred way to lure victims to impostor sites, allowing attackers to bypass spam filters and reach people in a more personal, immediate way, says Tim Davis, lead cyber-threat intelligence analyst at the Center for Internet Security. Messages might claim to come from toll services, package-delivery companies or employers, and include links to sites with shortened URLs that hide their true destination.
How to protect yourself
While spotting fake websites is getting more difficult, cybersecurity experts say there are things consumers can do:
- Instead of clicking on links to websites in text messages and emails, navigate to the company’s official website by typing the address directly.
- Study web addresses carefully. Scammers often add terms at the end of legitimate domain names, such as “kmart-jobs.com” or “amazon-sale.net” instead of the official kmart.com or amazon.com. Also, watch for subtle misspellings or substitutions in URLs, such as “1” instead of “i” or the number 0 instead of the letter O.
- Be extra cautious when navigating to websites on a mobile phone because it’s more difficult to spot a suspicious URL on the smaller screen.
- Don’t count on spelling mistakes or grammar errors in phishing emails or webpages to alert you to a fake site. While that used to be helpful, AI-generated content now produces flawless text, making this detection method obsolete.
- If something feels suspicious—such as urgent language demanding immediate action, requests for unusual personal information or deals that seem too good to be true—stop engagement immediately. Report the site to authorities like the BBB or FBI’s Internet Crime Complaint Center (IC3).
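The address check described in the list above can be automated on the defender's side. The following is an added example, not part of the original article: a short Python heuristic that flags hosts embedding a known brand name outside that brand's official domain. The `OFFICIAL` set and the function names are assumptions for illustration, and the two-label domain split is a simplification.

```python
from urllib.parse import urlsplit

# Official domains named in the article; extend with the brands you protect.
OFFICIAL = {"joann.com", "kmart.com", "amazon.com"}

# Character swaps the article mentions: "1" for "i" and "0" for "O".
SUBSTITUTIONS = str.maketrans({"1": "i", "0": "o"})


def hostname(url_or_host):
    """Accept either a full URL or a bare host name and return the host."""
    if "//" not in url_or_host:
        url_or_host = "//" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


def registrable(host):
    """Last two labels of the host. Simplification: ignores multi-label
    suffixes such as co.uk; use the Public Suffix List in production."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url_or_host):
    """Return ('official', d), ('lookalike', d) or ('unrelated', None)."""
    host = hostname(url_or_host)
    domain = registrable(host)
    if domain in OFFICIAL:
        return ("official", domain)
    # Fold hyphens, dots and digit swaps so "jo-ann" and "amaz0n" still match.
    folded = host.translate(SUBSTITUTIONS).replace("-", "").replace(".", "")
    for official in sorted(OFFICIAL):
        brand = official.split(".")[0]
        if brand in folded:
            return ("lookalike", official)
    return ("unrelated", None)


if __name__ == "__main__":
    # Hosts quoted in the article, plus one constructed digit-swap sample.
    for sample in ["https://www.joann.com/", "joannlosangeles.com",
                   "jo-annclosingonsale.shop", "kmart-jobs.com",
                   "amaz0n-sale.net"]:
        print(sample, classify(sample))
```

A substring match like this produces false positives for short brand names, so treat a "lookalike" result as a candidate for review rather than a verdict.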
Jackie Snow is a writer in Los Angeles. She can be reached at reports@wsj.com.
This Wall Street Journal article was legally licensed by AdvisorStream.
Dow Jones & Company, Inc.
By Jackie Snow
Aug. 20, 2025
Disclosures: Used with permission from The Wall Street Journal, WSJ.com. Copyright 2025 Dow Jones & Company, Inc. All rights reserved.