TL;DR: Fake government websites now use AI-generated replicas and lookalike domains to harvest personal data, with government impersonation scams costing consumers over $1.1 billion in 2023 and federal fraud losses estimated at $233 billion to $521 billion, according to Incode and cited U.S. government sources. URL checks help, but downstream identity injection is the real control gap.
NHIMG editorial — based on content published by Incode: .Gov: Your Best Defense Against Fake Government Websites
By the numbers:
- Government impersonation scams alone cost consumers over $1.1 billion in 2023, more than three times what was reported just three years earlier.
- ICANN expanded the list of top-level domains from about 22 to over 1,500.
Questions worth separating out
Q: What breaks when fake government websites collect real identity data?
A: The main failure is not the fake site itself, but the downstream workflow that trusts stolen identity data as if it proves the claimant’s identity.
Q: Why do fake government portals create more risk than ordinary phishing pages?
A: They target identity proofing rather than just passwords or login credentials.
Q: How can security teams detect identity injection in government service workflows?
A: Teams should combine document verification, biometric matching, and behavioural signals at the point where the identity is claimed.
Practitioner guidance
- Verify exact government domains before data entry Train users and frontline staff to check for an exact .gov suffix, clean spelling, and no hyphenated lookalikes before any personal or payment data is entered.
- Add claimant-authenticity checks to public-service intake Use biometric, document authenticity, and behavioural signals together so the system can detect when real identity data is being presented by the wrong person.
- Route fake-portal abuse into fraud and identity teams together Build a shared response path for phishing-like web abuse, benefit fraud, and identity verification failures so the same incident is not handled as three separate problems.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- The specific .gov checklist examples for spotting lookalike domains in real time.
- The identity verification flow Incode describes for detecting stolen-data injection at the point of application.
- The practical distinction between a fake portal as the collection mechanism and the downstream fraud path as the real damage.
- The FAQ section’s reporting guidance for government impersonation sites and consumer action steps.
👉 Read Incode’s analysis of fake government websites and identity injection →
Fake government websites and identity injection: what teams miss?
Explore further
Identity injection is the real control failure, not the fake website itself. The website is only the collection layer. The security break happens when valid identity attributes are trusted without enough context to prove that the presenter is the rightful subject. That is why public-sector verification needs to separate data validity from claimant authenticity. Practitioners should treat identity injection as the governing risk, not the phishing page.
A few things that frame the scale:
- Government impersonation scams alone cost consumers over $1.1 billion in 2023, more than three times what was reported just three years earlier, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Another relevant finding: DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
A question worth separating out:
Q: Who is accountable when a fake government website leads to downstream fraud?
A: Accountability usually spans the agency, the service owner, and the identity verification team, because the failure is distributed across intake, proofing, and transaction approval. Frameworks such as NIST Cybersecurity Framework 2.0 and privacy obligations under GDPR are relevant where personal data processing and security controls intersect.
👉 Read our full editorial: Fake government websites are shifting fraud into identity injection