Fake Customer-Service Chatbots
AI chatbots posing as brand support to extract logins, payments or remote access.
Last reviewed: 1 June 2026
What this scam is
Fake customer-service chatbot scams deploy AI-powered chat interfaces that impersonate the official support system of a real, recognisable brand — a bank, retailer, streaming service, telecoms company, or government agency. The chatbot is hosted on a fraudulent page, served through a paid search advertisement, or promoted via social media, and is designed to look and behave indistinguishably from a legitimate brand assistant.
Unlike earlier phishing pages that simply collected typed credentials through a static form, modern fake chatbots conduct a dynamic conversation. They respond naturally to questions, follow support scripts that mirror the real brand's language and tone, and adapt their requests to the user's stated problem. This conversational fluency reduces suspicion — it feels like a real support interaction rather than a data-harvesting page.
The scam's goal is to collect account credentials, card numbers, security codes, or one-time passwords, or to persuade the user to install remote-access software under the guise of a technical fix. The stolen data is then used to empty accounts, make fraudulent card transactions, or sell credentials on to other fraudsters.
How it works
Scammers register a domain close to the real brand's domain — a character swapped, a different extension, or a phrase like 'support' or 'help' added — and build a page that mirrors the brand's visual identity. The page hosts a chatbot (often built with commercially available AI) pre-programmed with the brand's support flows and common customer queries.
Traffic arrives through several routes. A paid search advertisement appears above the genuine brand result when users search for '[brand] customer support' or '[brand] help'. A social media post from a fake brand account links directly to the fraudulent page. A phishing email or text directs users to click through for 'urgent account verification'.
The chatbot opens with a natural greeting and asks the user to describe their problem. It then follows a script that mirrors genuine support: it asks for an account email 'to look up the record', requests a verification code 'sent to your phone', asks for a card number 'to process the refund', or directs the user to download a 'diagnostic tool' that is actually a remote-access application. Each step is presented as a standard, necessary support procedure. Once the scammer has what they need, the chat ends or the user is told the issue has been escalated — the fraudulent activity begins behind the scenes.
Why this scam works
People contacting customer support are already in a problem-solving mindset. They are focused on resolving their issue and are primed to cooperate with whoever is helping them. This cooperative state makes it easier for a fraudulent support agent — human or AI — to request sensitive information that a person in a neutral state would refuse.
The AI chatbot removes the human inconsistencies that previously made fake support pages feel wrong. A real support conversation has a natural flow, remembered context, and an appropriate level of formality. Modern chatbots replicate all of these well enough to clear the threshold of 'this seems genuine'.
The search-ad placement is particularly effective. Users who search for official support contact information trust search results and often cannot distinguish between a paid advertisement and an organic result. Appearing at the top of results confers a strong implied credibility even when the site is fraudulent.
A typical pattern
A person searches for the contact details of their bank's fraud team after noticing an unusual transaction. The top search result is a paid advertisement for a site with a slight variation of the bank's domain. They click through and a professional-looking chatbot greets them. After explaining the situation, they are asked to confirm their account details and the one-time passcode sent to their phone 'to locate the account record'. They provide both. Within minutes, a real transfer is authorised from their account using the stolen credentials and passcode.
Common red flags
- Support chat reached via a search advertisement rather than the brand's official site
- The domain is slightly misspelled or uses an unexpected extension
- Chatbot asks for your full password, card number, or a one-time verification code
- Chatbot suggests downloading a tool, app, or 'diagnostic software' to fix your problem
- Chat conversation ends abruptly after sensitive details are provided
- Branding looks mostly right but has small inconsistencies in logo, font, or colour
- Chat reached via a link in an unexpected email, text, or social media message
- No telephone number, physical address, or verifiable contact details on the page
- The chatbot responses feel scripted but push for data rather than genuinely resolving the issue
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Hi! I'm [brand]'s AI assistant. To process your refund, please confirm your login and card details.
To locate your account and investigate the transaction, please enter the one-time code we just sent to your phone.
Our system has detected an issue with your device. Please download [tool] so our technician can perform a remote diagnostic.
Your account has been temporarily restricted. Verify your identity by providing your full card number and CVV now.
Refund approved! To transfer [amount] to your account, please confirm your sort code, account number, and card PIN.
I've escalated your case. In the meantime, our security team needs your current password to secure the account.
Common variations
- Fake bank or financial institution chatbot harvesting credentials and one-time passcodes
- Fake telecoms support bot that 'needs' account verification details for a billing issue
- Streaming service chatbot offering a refund that requires card details to 'process'
- Government or tax agency impersonation chatbot requesting national ID and financial details
- Tech support chatbot directing users to download remote-access software for a 'fix'
- Delivery or logistics fake chatbot requesting payment to release a 'held' parcel
How to verify before you act
Always navigate to a brand's support page by typing the official web address directly, using a saved bookmark, or clicking through from the official app — never from a search advertisement or a link in an email or text message.
Before engaging with any chatbot, verify you are on the correct domain by examining the full address bar. Check for minor misspellings, unexpected extensions (.net instead of .co.uk), or appended words like '-support', '-help', or '-service'. Legitimate brands do not run their primary support through third-party domains.
No genuine customer-service system will ask for your full password, your full card number plus CVV, or a one-time verification code sent to your phone. Verification codes are sent so that you can authenticate yourself to the brand, not so that you can read them to a chatbot. If asked for any of these, stop the interaction immediately.
If a chatbot suggests downloading any software to resolve your issue, treat this as a critical red flag. Contact the brand through a separately verified channel to confirm before installing anything.
Payment methods used
- Credentials/card details harvested
- Remote-access theft
Who is usually targeted
- Customers seeking support
- Refund seekers
What to do immediately
- Stop the chat immediately and close the page without providing any further information
- If you shared a password, change it immediately on every site where you use that password
- If you shared a one-time code, contact your bank or the real brand immediately — a transaction may have been authorised
- If you provided card details, call your card issuer to freeze the card and report fraud
- If you installed software, disconnect from the internet and seek technical help to remove it before reconnecting
- Report the fraudulent site to your national fraud authority and to the genuine brand so they can issue warnings
- Alert the genuine brand so they can report the fake ad and issue customer warnings
How to prevent it
- Navigate to brand support pages directly via the official website or app — never through search ads or links in messages
- Verify the domain carefully before entering any information into a chatbot
- Never provide passwords, full card numbers, or one-time passcodes to a chatbot under any circumstances
- Never install software at a chatbot's suggestion without independently verifying the instruction through the brand's official channel
- Use your browser's saved bookmarks for frequently used banking and financial sites
- If you receive a one-time code unprompted, do not share it — you initiated something you may not have intended
- Use a password manager: if the manager does not autofill on a page, that is a signal the domain is different from where your credentials were saved
Evidence to preserve
- The full URL of the fraudulent page shown in your browser address bar
- Screenshots of the chatbot conversation including all requests made
- How you reached the page: the search term used, the ad that appeared, or the link that was clicked
- Any software you were asked to download, including the filename and download source
- Bank or card transaction records showing any subsequent fraudulent activity
- Emails or texts that directed you to the fraudulent page
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Are brand chatbots safe to use?
Official chatbots on the brand's genuine site are generally fine, but they will never ask for your full password, full card details, or a one-time verification code. Reach support only via the official website or app — never through ads.
How do I find the genuine support contact for a brand?
Go to the brand's website by typing the address directly or using a saved bookmark, then navigate to their contact or support section from within the site. Do not use contact details or links from search advertisements or unsolicited messages.
Can a password manager help protect me?
Yes — a password manager stores credentials against the exact domain where you created the account. If you are on a fake site with a slightly different domain, the manager will not autofill, which is a valuable signal that the page may not be genuine.
Why would the chatbot need a verification code sent to my phone?
It would not. Verification codes sent to your phone are for you to confirm your identity to the service — not for you to read to a chatbot or support agent. Sharing a code sent to your phone is equivalent to handing over access.
The chatbot seemed very natural — are AI chatbots hard to fake?
Modern AI chat platforms are commercially available and easy to configure for impersonation. The quality of the conversation is no longer a reliable indicator of legitimacy. Domain verification and refusal to share sensitive data are the reliable controls.
What should I do if I installed the software the chatbot recommended?
Disconnect the device from the internet immediately. Do not use the device for banking or sensitive accounts. Seek technical assistance from a trusted professional to assess and remove any remote-access tools before reconnecting.