Fake Websites: What’s Driving Their Spread?
Protecting identities against the rise of fake websites: A recent press statement from the National Australia Bank (NAB) disclosed that the bank identified and assisted with the removal of almost 600 fake NAB websites in 2025. They went on to say that they discover on average two new fake NAB websites every day.
The fake NAB websites were in addition to the thousands of other fake websites, presumably of other Australian banks, ordered removed by the Australian Securities and Investments Commission (ASIC) over the same timeframe. It would not be unreasonable to assume these other banks are also continuously finding and acting on fake websites in a never-ending battle.
Why are Fake Websites Created?
The obvious question is what drives this ongoing creation of fake websites? One reason NAB proffers is fake endorsements used for fraudulent investment scams. However, the other reason is more obvious and no doubt more prevalent: phishing, or credential harvesting. NAB actually cites a recent fake website impersonating their Internet banking platform.
The Limitations of OTPs Against Fake Websites
So, it comes as no surprise that NAB, and all other major Australian banks, use multi-factor authentication for Internet banking. This includes one-time passcodes (OTPs) delivered by SMS. Whilst these OTPs may provide protection where a fraudster uses a customer’s acquired Logon ID and Password to access a genuine bank’s website (though still susceptible to social engineering attacks), they provide no protection where a customer accesses one of these fake websites.
This is because the fake website simply acts as a relay to the genuine site, with the fraudster in the middle. Everything the customer enters into the fake site, i.e. Logon ID and Password, the fraudster enters into the real site. And this includes the OTP that will inevitably be sent to the customer’s phone, courtesy of an unauthorized transaction carried out by the fraudster. Once that OTP is entered into the fake website, it is entered into the real website and the circle is complete.
The Fundamental Flaws
The search-and-destroy approach of finding and removing fake websites contains two fundamental flaws. Firstly, it is a Whack-a-Mole strategy that is never-ending. This is self-evident insofar as NAB finds on average two new fake sites a day, every day. Secondly, there will always be a time gap between the deployment of a fake website and its subsequent discovery. This means there is a window for customers to be defrauded.
Voice Biometrics: Regaining Control
The next question is whether there’s an alternative strategy to the current approach. What if there were a way to prevent the OTP from being entered into the genuine website by the fraudster? This is what voice biometrics can achieve, by simply speaking the OTP rather than typing it into a browser. Voice biometrics binds an OTP to its intended recipient and denies the OTP its current anonymity. It can no longer be typed, collected, and re-typed. The level of complexity for a fraudster increases exponentially, and the chances of success fall accordingly.
Anonymity is an OTP’s primary weakness: anyone in possession of that number string is deemed the legitimate owner. Binding an OTP to its legitimate owner through the strength of voice biometrics removes that weakness, which in turn removes the threat that currently takes the form of multiple fake websites deployed daily.