How Fraudsters Are Outsmarting Traditional Defenses

chris, June 30, 2025

Cybercriminals continue to evolve, refining their tactics to impersonate trusted financial institutions with increasing precision and frequency. While large national banks have long been targeted, fraudsters are now focusing more heavily on credit unions, community banks, and regional institutions. These organizations often serve close-knit member and customer communities, making them attractive targets for brand impersonation schemes.

The SPOOF ’25 Brand Impersonation Threat Reports aim to raise awareness about how today’s most dangerous fraud tactics work and what banks and credit unions can do to stay ahead. 

This blog explores the latest threat techniques revealed in the report and offers insight on how to protect your organization.

LOTS Attacks: Criminals Hiding Behind Trusted Services

“Living off Trusted Sites” (LOTS) refers to an attack strategy in which cybercriminals abuse legitimate, widely used web services to run scams, harvest credentials, and deploy phishing content. These platforms, which many financial institutions also use for legitimate purposes, give criminals cover and credibility.

This tactic is not new, but its use is surging. Our data shows that 11.5% of all impersonation attacks now exploit trusted services. The most commonly abused platforms include:

  • Glitch.me
  • DuckDNS.org
  • GitHub Pages

Unlike typical domains, which were impersonated twice on average in our dataset, domains on trusted services were impersonated nearly 30 times each. These platforms are difficult to block because they are often essential to business operations and widely trusted by consumers.

Scammers target trusted services for several reasons, including: 

  • Using existing infrastructure for an attack is less expensive and time-consuming.

  • Many banks and credit unions use web services like GitHub to run services, host test environments, and more. When fraudsters use the same systems as banks, stopping them takes much more diligence and care.

  • Consumers often trust many web service providers inherently, making potential victims more likely to trust links from these sites and web pages hosted there.

  • Many security teams and tools classify web service providers as legitimate – meaning they can’t be blocked without interrupting business or personal needs. For this reason, attackers will advertise LOTS-based scams or infrastructure for sale on the dark web as “fully undetectable.”

How You Should Respond

There’s no single fix for the abuse of legitimate web services for malicious purposes. Some of the largest corporations in the world (e.g., Microsoft) manage these trusted services, and even their top-tier cybersecurity teams haven’t solved the problem.

However, there is hope. 

Don’t assume web service providers prioritize protecting your brand. Their interest in preventing impersonations will never be as strong as yours. Allure Security detection data shows that brand impersonations can be identified on these platforms, but it requires proactive effort. Given the constant stream of new web pages, automated and continuous monitoring is essential to protect your brand.

Anti-Bot Technology Is Used to Conceal Phishing Operations

Scammers believe that malicious sites hidden behind Cloudflare’s anti-bot technology are untouchable, meaning they can be neither detected nor removed. They’re not entirely wrong.

To truly monitor these hidden threats, organizations would need to assemble a team of highly skilled cybersecurity professionals to manually investigate potential instances. Given the scale at which attacks occur, this approach is not feasible. It would require too large an investment to be cost-effective. Fraudsters recognize this and use anti-bot technology to their advantage.

The appearance of anti-bot technology can also be used by fraudsters to avoid detection. We have encountered schemes in which a fake Cloudflare Turnstile (an anti-bot verification system similar to CAPTCHA) was embedded on a decoy page. Victims were lured to the page through phishing emails, text messages, or social media posts, and when they interacted with the captcha, they were redirected to the real phishing page. However, if a security crawler or researcher accessed the page directly, it redirected to a benign site. 

This redirection creates the illusion of legitimacy by displaying a branded security challenge while evading detection from all but the most sophisticated automated monitoring. We expect fraudsters to continue capitalizing on this deficiency until banks adapt. Training, experience, and skill are necessary to counter these attacks.

How You Should Respond


Most online brand protection solutions rely on automated scanning to detect malicious content, but bot protection tools like Cloudflare Turnstile prevent most solutions from analyzing these sites. This severely limits visibility. 

When evaluating vendors and solutions, ask whether they have successfully identified threats hidden behind Cloudflare Turnstile or similar anti-bot protections. Whatever automated approach the bank uses to monitor these threats must be at this level of sophistication.

New Registrar Policies Allow Scams to Resurface

Recent changes at domain registrars such as NameSilo and Hostinger are making it easier for scammers to reuse previously banned domains.

Historically, when a domain was reported for impersonation or fraud, the registrar would suspend the domain, effectively taking it offline. However, starting in March 2024, some registrars began allowing these domains to be deleted instead of locked. This means the domain can be re-registered, sometimes by the same fraudster, within days.

In one case, a domain hosting fraudulent content impersonating several financial institutions was taken down by NameSilo. Two days later, it was back online, hosting a similar scam. NameSilo confirmed the domain had been deleted (rather than suspended) and then re-registered by a new user.

For credit unions and community banks, this introduces a recurring threat. Simply reporting and removing a scam domain is no longer enough. Ongoing, real-time monitoring is critical to ensure that fraudsters don’t bring the same attack back under the same address.

How You Should Respond


Unfortunately, registrars taking down a domain does not guarantee long-term protection. A scam targeting a bank or credit union and its customers/members could relaunch on the same domain. 

Put practices in place to regularly monitor a malicious domain after takedown to ensure it isn’t re-registered for use by the same or another fraudster.
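One way to automate that post-takedown check, as an added example that is not from the report: classify a domain's RDAP record to tell a suspension from a deletion or a fresh registration. It assumes the RDAP lookup is done elsewhere and passed in as parsed JSON (or `None` for a 404); the records and dates below are constructed.

```python
from datetime import datetime, timezone

# RDAP status strings that correspond to EPP clientHold / serverHold.
HOLD_STATUSES = {"client hold", "server hold"}

def post_takedown_state(rdap, takedown_at):
    """Classify a taken-down domain from its RDAP domain object.

    rdap: parsed RDAP JSON (dict), or None when the lookup returned 404.
    takedown_at: timezone-aware datetime of the confirmed takedown.
    """
    if rdap is None:
        return "deleted"        # not registered: anyone can register it again
    registered = None
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            registered = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    if registered and registered > takedown_at:
        return "re-registered"  # new registration after takedown: re-inspect content
    if HOLD_STATUSES & {s.lower() for s in rdap.get("status", [])}:
        return "suspended"      # still registered but held out of DNS
    return "active"             # same registration, no hold: takedown did not stick

# Constructed RDAP fragments for a hypothetical domain taken down on 2025-06-01.
TAKEDOWN = datetime(2025, 6, 1, tzinfo=timezone.utc)
SUSPENDED = {"status": ["client hold"],
             "events": [{"eventAction": "registration",
                         "eventDate": "2025-05-20T08:00:00Z"}]}
REREGISTERED = {"status": ["active"],
                "events": [{"eventAction": "registration",
                            "eventDate": "2025-06-03T14:30:00Z"}]}

if __name__ == "__main__":
    for label, rec in [("hold", SUSPENDED), ("404", None), ("new", REREGISTERED)]:
        print(label, "->", post_takedown_state(rec, TAKEDOWN))
```

A "deleted" or "re-registered" result is the signal to put the domain back on the active watch list and re-check what it serves.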

Fraudsters Continue Hiding Scams in Compromised Websites

Instead of creating new domains, fraudsters often hide phishing content on compromised websites. By preserving the original homepage and placing malicious pages in subdirectories, they evade detection by most security tools.

How fraudsters benefit from this tactic:

  • Newly registered domains attract more scrutiny than established ones.

  • Many vendors’ risk algorithms use domain age as a significant factor in assessing risk.

  • Older domains tend to be too numerous to examine closely. This allows phishing pages on compromised websites to operate unnoticed for an extended time.

  • Hosts and registrars may hesitate to take down an entire domain, instead contacting the website owner and giving them time to address the offending content. This delays the takedown, allowing the scam more time to ensnare victims.

How You Should Respond

Scammers continue to adapt their methods to avoid detection, so banks need to employ a multi-layered detection strategy. Many scams redirect visitors to a brand’s official web page to avoid arousing suspicion. Reviewing web referrer logs for unexpected redirects can uncover scams hidden in websites that may otherwise seem benign.
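The referrer-log review described above, sketched as an added example (not code from the report): it parses Combined Log Format lines from the institution's own web server and counts hits per external referring page, marking those hosted on the trusted services named earlier. The bank hostnames, the expected-referrer list, and the log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions: the bank's own hosts and referrers it expects to see.
OWN_HOSTS = {"examplebank.test", "www.examplebank.test"}
KNOWN_REFERRERS = {"www.google.com", "www.bing.com"}
# Suffixes for the services the article names (GitHub Pages serves from github.io).
LOTS_SUFFIXES = ("glitch.me", "duckdns.org", "github.io")

# Combined Log Format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def suspicious_referrers(lines):
    """Count hits per external referrer page that is neither ours nor expected."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["referer"] in ("", "-"):
            continue  # unparsable line or no referrer sent
        parts = urlsplit(m["referer"])
        host = (parts.hostname or "").lower()
        if not host or host in OWN_HOSTS or host in KNOWN_REFERRERS:
            continue
        # Drop the query string so per-victim tokens do not split the counts.
        hits[host + (parts.path or "/")] += 1
    return dict(hits)

def on_trusted_service(referrer):
    """True when the referrer host sits under one of the LOTS suffixes."""
    host = referrer.split("/", 1)[0]
    return any(host == s or host.endswith("." + s) for s in LOTS_SUFFIXES)

# Constructed sample log lines (documentation IPs and made-up hosts).
_T = '[30/Jun/2025:10:0{}:00 +0000] "GET / HTTP/1.1" 200 8042'
SAMPLE_LOG = [
    '203.0.113.7 - - ' + _T.format(1) + ' "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.4 - - ' + _T.format(2) + ' "https://old-bakery.example/wp-content/secure/verify.php?id=91" "Mozilla/5.0"',
    '198.51.100.9 - - ' + _T.format(3) + ' "https://old-bakery.example/wp-content/secure/verify.php?id=92" "Mozilla/5.0"',
    '192.0.2.55 - - ' + _T.format(4) + ' "https://example-project.glitch.me/done" "Mozilla/5.0"',
    '192.0.2.8 - - ' + _T.format(5) + ' "-" "Mozilla/5.0"',
    '192.0.2.9 - - ' + _T.format(6) + ' "https://www.examplebank.test/rates" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ref, n in sorted(suspicious_referrers(SAMPLE_LOG).items()):
        print(n, ref, "(trusted service)" if on_trusted_service(ref) else "")
```

Referring pages that sit in a subdirectory of an unrelated site, like the constructed `old-bakery.example` entry, are the ones worth a manual look.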

Fraudsters Are Stepping Up Their Game — So Should We

The techniques cybercriminals are using today are more advanced and more difficult to detect than ever before. This evolving threat landscape affects all financial institutions, including credit unions and community banks, whose reputations are built on trust and whose members often assume safety by default.

Staying ahead requires vigilance, advanced monitoring tools, and a willingness to hold service providers accountable. While external platforms may host the scams, the burden of protection lies with you.

Get the Full SPOOF ’25 Report
Learn more about evolving threat tactics and our original research into who fraudsters are targeting today. 

Read SPOOF ’25 for Credit Unions

Read SPOOF ’25 for Community and Regional Banks
