TL;DR: Lookalike domains and impersonated verification pages are being used to harvest identity credentials and payment details, with Sumsub warning that these scams increasingly mimic trusted providers and even reference regulators to create urgency. The real control gap is not the login flow itself but the assumption that users can reliably distinguish legitimate identity interactions from fraudulent ones.
NHIMG editorial — based on content published by Sumsub: fraudulent lookalike websites impersonating its verification services
Questions worth separating out
Q: How should security teams handle lookalike domains that mimic verification flows?
A: They should treat them as active identity threats and route them through fraud, legal, and security response at the same time.
Q: Why do fake verification pages work so well against users?
A: They work because verification flows already ask users to provide sensitive information, so the attack feels normal.
Q: What do identity teams get wrong about phishing in verification journeys?
A: They often focus on authentication strength and ignore the trust boundary before authentication starts.
Practitioner guidance
- Harden domain and brand monitoring: Track lookalike domains, typosquats, and cloned verification pages as active identity threats.
- Require out-of-band verification for sensitive requests: Tell users to confirm identity checks and payment requests only through official bookmarks, known portals, or verified contact paths.
- Add impersonation scenarios to user guidance: Train support and identity teams to recognise counterfeit verification flows, regulator spoofing, and urgent credential prompts.
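One way to start on the monitoring item above is to triage newly observed domains against the protected brand label. This is an added example, not code from Sumsub or from this editorial. The brand `verifyco`, the allowlist, and the feed are constructed. It assumes single-label TLDs (a production version would use the Public Suffix List) and does not cover IDN homographs.

```python
# Added example: triage observed domains against a protected brand (all names constructed).
OFFICIAL = {"verifyco.example"}   # hypothetical allowlist of domains the brand owns
BRAND = "verifyco"                # hypothetical protected label
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def normalize(label):
    """Fold common visual substitutions so 'verifyc0' compares equal to 'verifyco'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def classify(domain):
    """Return a reason string for a suspected lookalike, or None."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in OFFICIAL):
        return None  # owned domain or one of its subdomains
    labels = domain.split(".")
    # Assumption: single-label TLD, so the registrable label is second from the right.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if label == BRAND:
        return "tld-swap"
    if normalize(label) == normalize(BRAND):
        return "homoglyph"
    if BRAND in label or normalize(BRAND) in normalize(label):
        return "combosquat"
    if any(BRAND in sub for sub in labels[:-2]):
        return "brand-in-subdomain"
    if edit_distance(label, BRAND) <= 1:
        return "typosquat"
    return None

def triage(observed):
    return {d: r for d in observed if (r := classify(d))}

# Constructed feed, standing in for new-registration or certificate-transparency data.
FEED = ["kyc.verifyco.example", "verifyco.test", "verifyc0.test", "verifyco-kyc.test",
        "verifyco.login.test", "verfiyco.test", "weather.test"]
```

Calling `triage(FEED)` returns only the flagged domains with a reason each, which gives fraud, legal, and security responders a shared queue to work from.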
What's in the full analysis
Sumsub's full article covers the operational detail this post intentionally leaves for the source:
- The specific takedown and dispute step the company has taken through WIPO under the UDRP process.
- The exact warning signs users should check when a verification page or domain name looks suspicious.
- The broader fraud pattern behind impersonation of technology providers and regulator references.
- The company contact path for reporting suspected copycat websites and messages.
👉 Read Sumsub's analysis of lookalike-domain impersonation and verification fraud →
Lookalike domains in verification flows: what should teams do now?
Explore further
Brand impersonation is now an identity-governance problem, not a side channel to fraud. When attackers clone verification pages and borrow the language of trusted providers, they are attacking the trust boundary that identity programmes assume is stable. That boundary spans users, support channels, and verification workflows, so the control problem extends beyond authentication technology. Practitioners should treat impersonation monitoring as part of identity governance, not a separate awareness exercise.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to GitGuardian & CyberArk research.
A question worth separating out:
Q: Who is accountable when an impersonated verification site steals identity data?
A: Accountability usually spans identity, fraud, legal, and communications teams because the attack crosses organisational boundaries. The security team may handle detection, but the legal team may need to drive takedown, and support or communications may need to warn users. The right framework is shared ownership with a clear incident lead.
👉 Read our full editorial: Lookalike domains turn identity verification into phishing risk