By Jackie Snow
When Joann Fabrics filed for bankruptcy for the second time within a year this January, scammers seized the opportunity. Within days, a flurry of impostor websites appeared with URLs like "joannlosangeles.com, " "jo-annclosingonsale.shop" and "joanndiscount.shop" -- all designed to look nearly identical to the retailer's legitimate site.
The Joann scam sites, which used the company's name, branding and product images, pretended to offer merchandise at deep discounts with the aim of stealing shoppers' credit-card information and personal data. Customers who placed orders on these fake sites never received products but had their payment information compromised.
"The whole look and feel of the website was very similar to the real website," says Melanie McGovern, director of public relations and social media for the Better Business Bureau, or BBB. "If you're on your mobile phone, you're not looking at that URL when you click on an ad or a link in an email that says 'shop here.' "
These fake Joann websites exemplify the increasingly sophisticated website scams that can fool even careful consumers, according to the BBB. Scammers are creating realistic fake websites that look identical to the originals, imitating everything from well-known retailers such as Amazon and PayPal to toll-collection agencies, employment portals and financial institutions.
Such scams have been growing for years, but some cybersecurity experts worry that a new development will supercharge them: AI tools that enable criminals with limited technical skills to create nearly perfect replicas of legitimate sites in just minutes.
The process is simple: Attackers buy an AI-powered tool on a criminal marketplace or dark-web forum. They feed in the URL of a legitimate site, and the AI-powered tools instantly scrape the real page, clone its look and feel, and add fake forms designed to capture personal or financial details. Scammers can tweak the pages, translate them into multiple languages, and deploy them -- often in minutes -- without writing a single line of code.
"The scary thing is just how easy it is," says Robert Duncan, vice president of intelligence and strategy at cybersecurity firm Netcraft. "It allows more nontechnical people access to the tools, lowering the barrier of entry."
Casting a wider net
Joann Fabrics said it was aware of the fake sites and Facebook ads and had warned consumers that https://www.joann.com/ was the only legitimate website through which to buy Joann products. It also urged anyone who made a purchase through a fake site to dispute the charge with their financial institution. Joann sold off it branding to rival Michaels in early June.
It isn't clear whether the Joann impostor sites were created with the help of AI. But Netcraft has identified nearly 100,000 domains created with the help of illicit AI tools, impersonating 194 different brands across 68 countries. The firm estimates these fake sites now account for 6% to 7% of all phishing activity online.
The tool allows scammers to go after brands that previously weren't a big enough target for the amount of effort it would take to create a fake site. While Duncan says major companies have sophisticated systems to detect and take down impostor sites quickly, smaller businesses often lack these resources.
"The big enterprises, the very large brand recognizable names, expect this," says James E. Lee, president of the Identity Theft Resource Center, a nonprofit that helps victims of identity theft. "But it's small and medium businesses, really, any business today," that are now targets for cyber-fraud, he says.
Text messages purporting to be from legitimate companies -- known as smishing -- are a preferred way to lure victims to impostor sites, allowing attackers to bypass spam filters and reach people in a more personal, immediate way, says Tim Davis, lead cyber-threat intelligence analyst at the Center for Internet Security. Messages might claim to come from toll services, package-delivery companies or employers, and include links to sites with shortened URLs that hide their true destination.
How to protect yourself
While spotting fake websites is getting more difficult, cybersecurity experts say there are things consumers can do:
-- Instead of clicking on links to websites in text messages and emails, navigate to the company's official website by typing the address directly.
-- Study web addresses carefully. Scammers often add terms at the end of legitimate domain names, such as "kmart-jobs.com" or "amazon-sale.net" instead of the official kmart.com or amazon.com. Also, watch for subtle misspellings or substitutions in URLs, such as "1" instead of "i" or the number 0 instead of the letter O.
-- Be extra cautious when navigating to websites on a mobile phone because it's more difficult to spot a suspicious URL on the smaller screen.
-- Don't count on spelling mistakes or grammar errors in phishing emails or webpages to alert you to a fake site. While that used to be helpful, AI-generated content now produces flawless text, making this detection method obsolete.
-- If something feels suspicious -- such as urgent language demanding immediate action, requests for unusual personal information or deals that seem too good to be true -- stop engagement immediately. Report the site to authorities like the BBB or FBI's Internet Crime Complaint Center (IC3).
Jackie Snow is a writer in Los Angeles. She can be reached at reports@wsj.com.
(END) Dow Jones Newswires
August 20, 2025 10:00 ET (14:00 GMT)
Copyright (c) 2025 Dow Jones & Company, Inc.
Comments