Fake chasms: scammers actively fake the resources of messengers and banks
Telegram, the services of Sberbank, Alfa-Bank, Yula, as well as WhatsApp, Steam Community and three marketplaces turned out to be the leaders among the resources imitated by scammers, cybersecurity experts said. Forgeries of some addresses have quadrupled. Fraudsters' methods are becoming more sophisticated, experts said. Hackers are now increasingly attacking through private messages, whereas previously the main channel was mass e-mail newsletters. For the other methods attackers actively use, see the Izvestia article.
Which websites were forged by scammers
In the first half of 2025, scammers most often imitated the resources of Telegram, Sberbank, Alfa-Bank, Yula, WhatsApp, Steam Community and three marketplaces on the Runet. This was reported to Izvestia by the Coordination Center of the .RU/.RF domains.
In total, almost 12,000 phishing resources were identified and blocked, disguised as well-known brands. Telegram domains were forged the most — about 3.4 thousand fraudulent links.
"Compared to the first half of 2024, the most noticeable trend was the increase in phishing attacks through messengers. Telegram rose from fifth to first place, and WhatsApp, which had not previously been in the top 10, immediately took the sixth place. The number of phishing domains imitating Telegram has increased 3.6 times, and WhatsApp has quadrupled," they said.
The banking sector, marketplaces, and bulletin boards also remain popular lures for phishing attacks. Among financial brands, fraudsters most often imitate Sberbank and Alfa-Bank, and in the e-commerce segment, the Yula bulletin board and three marketplaces. This year, the Steam Community online platform also entered the top 10, which indicates the growing interest of scammers in the gaming audience. And brands such as Booking, SDEK, "M.Video" and BlaBlaCar, on the contrary, have lost popularity.
"Scammers exploit users' trust in digital services and most often fake exactly the platforms that people use on a daily basis. Therefore, the 'phishing rating' does not reflect vulnerability, but the degree of popularity of these brands on the Runet," said Evgeny Pankov, data analyst at the Coordination Center.
At the same time, the schemes of the attackers are constantly adapting to new patterns of user behavior. Previously, mass e-mail newsletters were the main channel, but now attacks are increasingly taking place through personal correspondence.
"When creating phishing domains, scammers use standard patterns: substitution of characters, addition of numbers or words, for example, sberbank.id56728.ru. And in order not to lose their data, money or access to the device, users need to remain vigilant," the expert added.
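The patterns the expert lists can be checked mechanically on the defender's side. The following Python sketch is an added example, not code from the article or the Coordination Center; the allowlist of official domains, the verdict names and every sample hostname except sberbank.id56728.ru are assumptions constructed for illustration.

```python
import re

# Assumed allowlist for illustration: brand keyword -> official registrable domains.
OFFICIAL = {
    "sberbank": {"sberbank.ru"},
    "telegram": {"telegram.org", "t.me"},
}
# Digit-for-letter swaps (0,1,3,5,7) folded back to letters before matching.
FOLD = str.maketrans("01357", "olest")


def registrable(host):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def one_char_off(token, brand):
    # Same length, exactly one differing character (single-character substitution).
    return len(token) == len(brand) and sum(a != b for a, b in zip(token, brand)) == 1


def classify(host):
    """Return (verdict, brand) for a hostname seen in a message or proxy log."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    for brand, domains in OFFICIAL.items():
        if reg in domains:
            return ("official", brand)
    for label in host.split("."):
        folded = label.translate(FOLD)
        tokens = re.split(r"[^a-z0-9]+", folded)
        for brand in OFFICIAL:
            if label == brand:
                return ("brand-label-on-foreign-domain", brand)
            if brand in label:
                return ("brand-plus-extra-text", brand)
            if brand in folded or any(one_char_off(t, brand) for t in tokens):
                return ("character-substitution", brand)
    return ("no-brand-match", None)


# Constructed sample hostnames; only the first one appears in the article.
SAMPLES = ["sberbank.id56728.ru", "online.sberbank.ru", "te1egram-login.example",
           "sberbank-bonus2025.example", "sbepbank.example", "id56728.ru"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, classify(h))
```

Name-based checks like this cannot see the domains with no semantic connection to the brand that the article also describes; those have to be caught from page content or other signals.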
Most of the detected phishing resources are fake marketplace sites, login forms of various government organizations, as well as sites designed to steal Telegram accounts, the Solar AURA Monitoring center for external digital threats has confirmed.
"A distinctive feature is the widespread use of detection protection, as well as domains that have no semantic connection with the brand that the site mimics. In addition, phishing combines, illegal online services that allow you to generate a variety of phishing pages for various brands, have become widely popular," they said.
What schemes are used for phishing
Fake resources are visually almost indistinguishable from the originals and use similar domain names, added Kirill Levkin, MD Audit Project Manager (Softline Group). The main aim is to make the user enter usernames, passwords and card details, or undergo "identification" and hand over data that can be used to hack accounts or commit financial theft.
Among the fakes, those that imitate "Public Services" are especially dangerous — this is one of the most sensitive resources for citizens, said Maxim Kolesnikov, a leading information security specialist at the IT integrator AiTiAngel.
— People react quickly to messages about fines, court debts, and calls to the authorities, especially when everything looks "in shape": a letter or SMS arrives with a logo, a substituted last name, and a link to a phishing copy of the site, — said the expert. — A person enters a username and password, thinking that they are accessing the state portal, and at that moment they transfer their data to fraudsters.
Another classic example, according to the expert, is an SMS or a letter from a "bank" with a message about an approved loan, although in reality it was not issued. The scheme is supplemented with a "feedback form if you have not requested a loan." For example, they provide a phone number, and the victim himself calls back to the scammers, who only have to "process" the person and extort a sum of money.
— There are less obvious examples: on a dating site, a woman sends a link to "pay for tickets", but the money actually goes to her card, — Maxim Kolesnikov explained. — Or the case when scammers forged the website of an online store under the brand of a well-known information security integrator. Visually, everything looked plausible, but the money from the orders was credited to a third-party company's checking account. Such stories show that now everything can be forged — from letters and websites to entire businesses.
Kirill Levkin added that the most widespread and effective category of attacks is psychological impact: calls from the "bank security service", "tax service", "portal staff".
"There is a common scheme where attackers pretend to be buyers or sellers on popular platforms and convince the victim to click on a phishing link to receive payment or delivery," he said. "Fake websites of 'delivery services' or 'acquiring services' are often connected to this."
Scammers are actively exploiting interest in investments, cryptocurrencies, artificial intelligence, and "high-yield" projects. Fake trading platforms and websites with "generative AI services" appear, requiring you to deposit money, register a card, and then disappear with the information you receive.
— For businesses, the number of attacks compromising business correspondence is growing, when an attacker intercepts or fakes letters from counterparties with details for transferring funds, — Kirill Levkin added. — Targeted phishing attacks and malicious attachments in emails using trusted brands are also used.
How not to get on a fake link
Attackers are still using various means of protecting fake resources from detection, the Solar Group added.
"There is also a trend of creating domains that have no semantic connection with the brand that the fake site mimics," the company said.
The baits are diverse: they offer "easy earnings" on investments, report extremely generous promotions or winnings, ask you to vote for someone you know in the contest, and use frightening legends, said Olga Altukhova, senior content analyst at Kaspersky Lab.
"For example, they notify you of an attempt to log into an account that actually did not take place, and they urgently require you to provide any data," she explained. "Despite the fact that attackers are constantly coming up with new legends, there are several recommendations that will help minimize the risks for users."
In particular, you should be critical of any extremely generous or intimidating messages: in mail, messengers or social networks. You can't click on links or download files from questionable conversations.
— You should always pay attention to the name of the sites in the address bar and not enter confidential data on suspicious resources, — Olga Altukhova emphasized. — It is always necessary to use security solutions that will block an attempt to access a phishing or scam page in time.
But the most common and dangerous scenario of deception so far remains calls from scammers backed up by plausible documents or a fake voice, added Dmitry Lunevsky, Director of development at the Cube Three IT integrator. With the help of AI, attackers can generate speech that mimics the voice of a relative, or create a convincing letter, ID card, or "summons" by substituting the necessary names, photos, and positions.
"Fraudulent call centers are technologically equipped structures where CRM systems play a key role," the expert said. "They can create a full-fledged contact card with personal information about a person: phone number, banks where they are serviced, mentions of relatives, reactions to past calls."
Conversation scenarios, fake document templates, and algorithms for switching between "employees" are built into the system in advance. According to Dmitry Lunevsky, fake documents are generated directly from this program in real time and instantly sent to the victim via messenger during the call.
This is how phone fraud turns into a personalized, technological attack, he noted. Visual or vocal "proof" of a legend reduces critical thinking and increases trust in what is happening. With the increasing availability of AI, such attacks are becoming more widespread and convincing, so it is increasingly difficult to distinguish fake from reality.