Fake Chase and J.P. Morgan login website scam 2026: how to spot the lookalike before you log in
A link from an email, a text, or a search ad drops you on a pixel-perfect Chase or J.P. Morgan login page. The page is fake. The domain is the only thing that tells the truth.
Is this Chase or J.P. Morgan login page real?
Bottom line first: the only real Chase login is chase.com (and its own sub-hosts like secure01.chase.com and verified.chase.com). The only real J.P. Morgan sites are jpmorgan.com, jpmorganchase.com, and the corporate login at access.jpmorgan.com. Anything else, a lookalike domain, a free-host subdomain, or a link you reached from an email or text, is a phishing page built to steal your username, password, and one-time code. The fix is simple: do not log in through a link. Type the address yourself or open a saved bookmark.
Why Chase and J.P. Morgan are such heavy phishing targets
JPMorgan Chase is the largest bank in the United States, with more than 80 million retail customers. That single number explains the whole problem. When an attacker buys a list of stolen email addresses and blasts a Chase-branded login lure to all of them, a far higher share are real Chase customers than for any smaller bank. The brand is, in plain math, the most efficient finance target in the country.
Brand impersonation is not slowing down. Check Point's Q4 2025 brand-phishing research found Microsoft, Google, and Amazon at the top of the most-imitated list, with the banking and finance category a persistent presence quarter after quarter, because stolen banking credentials convert straight into money. J.P. Morgan's own security center publishes ongoing examples of fraudulent emails that impersonate the bank precisely because the volume never stops.
The email or text is just the delivery. The login page is where the theft happens. So this article is about the page and its address, not the message. Our separate guide to the Chase bank phishing email scam covers the lure itself; here we stay on the website you land on after you click.
How the fake login site actually works
The mechanics are mundane and that is what makes them dangerous. An attacker copies the real Chase or J.P. Morgan login page, often by saving the live HTML and CSS so it renders identically, then hosts that copy somewhere they control. The copy is wired to send whatever you type, your user ID, your password, and any one-time passcode, straight to the attacker in real time. Some kits relay your credentials to the real bank on the spot, so the page can even show you the genuine "enter your verification code" step and capture that too. That is how modern phishing defeats two-factor authentication: it asks you for the code and uses it within the same minute.
To reach you, the page needs a web address that looks close enough to the real one to survive a glance on a phone. Attackers reach for a few reliable tricks: a lookalike domain that swaps or adds a character, a free-hosting subdomain that carries the brand name in the host, or a long subdomain string that pushes the real domain off the right edge of a mobile address bar. None of these is the real bank. All of them are one keystroke of attention away from being caught.
What a fake Chase or J.P. Morgan address looks like
The real domain is the part immediately to the left of the first single slash after https://. Everything else in the string is decoration the attacker controls. A real Chase login always sits on chase.com; a real J.P. Morgan property sits on jpmorgan.com or jpmorganchase.com. The fakes below are illustrative examples of the patterns attackers use.
One classic is the homoglyph swap. Replace the lowercase "j" in "jpmorganchase" with a lowercase "i" and you get ipmorganchase.com, a different registrable domain that, on a small screen, reads as the bank. It is a separate website with no connection to J.P. Morgan, and registering one costs a few dollars. Other lookalikes lean on a hyphen or an extra word to manufacture a "secure" or "verify" feeling:
- ipmorganchase.com (an "i" swapped for the "j")
- chasc.com (the final "e" swapped for a "c")
- cha5e-online.com (a "5" standing in for the "s")
- chase-secure-verify.com (extra words that the real site never adds)
- login-chase-account.com (the brand demoted to a word in the middle)
The other big family is brand-on-free-hosting. Platforms like Vercel, Netlify, Cloudflare Pages, and GitHub Pages let anyone publish a page in minutes on a subdomain of the platform. A scammer just names the subdomain after the bank. The two below are live-checkable patterns. Tap one and it loads into the checker further down the page, then runs a real scan so you can see the verdict for yourself:
- chase-verify-login.vercel.app
- jpmorgan-secure-access.netlify.app
A free-hosting subdomain is never safe by virtue of the platform behind it. vercel.app and netlify.app host millions of legitimate sites, but a subdomain like chase-verify-login on either one is content nobody at the bank approved. The brand name in the host is the tell, not the platform.
Not sure if a Chase or J.P. Morgan login page is real? Check the link here
Paste the address of the login page you landed on (or the link from the email or text) below. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup. Do not enter your banking password anywhere except a page you typed in yourself.
Red flags that give the fake away every time
You do not need to recognize the bank's exact login flow. The structure betrays the fake.
- The domain is not exactly chase.com or jpmorgan.com. This is the single decisive check. Read the address right to left from the first slash. If the registrable domain is not chase.com, jpmorgan.com, or jpmorganchase.com, it is not the bank, no matter what the page looks like.
- A hyphen or an extra word. Real bank domains do not bolt on words. chase-secure, chase-verify, login-chase, and jpmorgan-access-portal are constructions, not the brand.
- A homoglyph. Letters that look alike at a glance: ipmorgan for jpmorgan, chasc for chase, cha5e with a digit. One swapped character is a different website.
- The host is a free-hosting platform. An address ending in .vercel.app, .netlify.app, .pages.dev, or github.io with a bank name in front of it is user-published content, not a bank property.
- You arrived from an email, a text, or an ad. Banks send statements and alerts, but the safe move is always to ignore the link and open the site yourself. A login page reached only through a forwarded link starts at a disadvantage.
- It asks for everything on one page. Full card number, SSN, PIN, mother's maiden name, and your one-time code all at once. A real login asks for your user ID and password, then a verification step, and never your full card-plus-SSN-plus-PIN in a single form.
- Urgency. "Account locked," "verify now or lose access," "unusual sign-in, confirm immediately." Pressure exists to stop you from pausing to read the address bar.
What SafeBrowz sees on the network
When the SafeBrowz engine looks at a fake Chase or J.P. Morgan login page, the attack reads consistently across all three detection layers. The signals stack, which is why a brand-new fake still trips the engine.
The first thing Layer 1 catches is the brand on the wrong domain, with no content required. A "chase" or "jpmorgan" or "jpmorganchase" token sitting on any registrable domain that is not the official one, including the homoglyph and hyphen-word families above, is a brand-impersonation profile on its face. The same content-free rule covers the lookalikes: an edit-distance-of-one neighbor of chase.com or jpmorganchase.com is flagged as a typosquat before any page even loads. Cyrillic and Punycode homograph variants of those brand strings are normalized and caught the same way.
Layer 2 cross-references the destination against Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser feeds, and runs a domain-age lookup. Bank-phishing hosts skew brand new. A login page on a domain registered last week, or on a free-hosting subdomain that by definition has no independent age or reputation, is exactly the profile these feeds and the age signal are built to surface.
Layer 3 is the content read. A cloned login form, a Chase or J.P. Morgan logo, a "Sign in to your account" headline, and a credential-plus-OTP field set, all served from a non-official host, is a textbook impersonation that the AI scan recognizes in 100+ languages even when no blocklist has seen the URL yet. The free-hosting subdomains we tested above, chase-verify-login.vercel.app and jpmorgan-secure-access.netlify.app, return a caution verdict from the free engine on the brand-on-free-host signal alone, before any content is read.
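The content-free checks described for Layer 1 (official-domain match, edit-distance-one typosquat, brand token on a non-official or free-hosting host) look like this in code. This is an added example, not SafeBrowz's own code: the domain lists come from this article, while `classify`, `DIGIT_LOOKALIKES`, the verdict strings, and the simplified registrable-domain logic (one-label TLDs only, no full Public Suffix List) are assumptions.

```javascript
// Added example. Domain lists are from the article; all names are hypothetical.
const OFFICIAL = ["chase.com", "jpmorgan.com", "jpmorganchase.com"];
const FREE_HOSTS = ["vercel.app", "netlify.app", "pages.dev", "github.io"];
const BRAND_TOKENS = ["chase", "jpmorgan", "jpmorganchase"];
const DIGIT_LOOKALIKES = { 0: "o", 1: "l", 3: "e", 5: "s" }; // constructed, not exhaustive

// Levenshtein distance, keeping only two rows of the table in memory.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Simplified registrable domain: public suffix plus one label. Free-hosting
// platforms count as suffixes, so each subdomain on them is its own site.
// Assumption: every other TLD is a single label (co.uk and similar not handled).
function registrableDomain(host) {
  const platform = FREE_HOSTS.find((s) => host.endsWith("." + s));
  const suffixLabels = platform ? platform.split(".").length : 1;
  return host.split(".").slice(-(suffixLabels + 1)).join(".");
}

function classify(rawUrl) {
  const host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, "");
  const domain = registrableDomain(host);
  if (OFFICIAL.includes(domain)) return { domain, verdict: "official", reasons: [] };

  const reasons = [];
  // One edit away from a real domain: ipmorganchase.com, chasc.com.
  if (OFFICIAL.some((o) => editDistance(domain, o) === 1)) reasons.push("typosquat");
  // Brand as a whole word anywhere in the host, after undoing digit swaps.
  // Whole-word matching keeps purchase.com from matching "chase".
  const words = host.replace(/[0135]/g, (d) => DIGIT_LOOKALIKES[d]).split(/[.-]/);
  if (words.some((w) => BRAND_TOKENS.includes(w))) reasons.push("brand-token");
  // A free host alone is not a signal; it only counts alongside a brand hit.
  const impersonating = reasons.length > 0;
  if (impersonating && FREE_HOSTS.some((s) => host.endsWith("." + s))) {
    reasons.push("brand-on-free-host");
  }
  return { domain, verdict: impersonating ? "lookalike" : "no-brand-signal", reasons };
}
```

The third trick from earlier in the article, a long subdomain string that starts with the real name, falls out of the same logic: the brand appears as a word in the host while the registrable domain belongs to someone else.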
Which bank brands the attackers clone next
Phishing crews follow conversion rate. Chase is the most efficient US bank target by sheer customer count, so it leads. The believable next pivots follow the same logic of reach plus a credible login surface.
- Chase sub-brands and product lines. Chase Sapphire, Chase Ink for small business, and the J.P. Morgan wealth side each have their own login feel. Expect "chase-sapphire-rewards" and "chase-ink-business" lookalikes aimed at higher-balance segments.
- The corporate and treasury portal. access.jpmorgan.com is the institutional login. A fake aimed at a finance department, not a consumer, is a bigger single payday, so expect "jpmorgan-access" and "jpm-treasury" style lookalikes in business-email lures.
- The other large US banks. Bank of America, Wells Fargo, and Citi share Chase's scale and the same brand-on-free-host pattern. The kit barely changes; only the logo swaps.
- Payment rails attached to the account. Once a crew owns the login, the cash-out runs through Zelle and wire, which is why Zelle fraud-alert text scams so often arrive in the same week as a login-phishing wave.
- Mobile-app impersonation. A fake "update your Chase app" page that pushes a sideloaded Android package is the app-store cousin of the login fake. See our coverage of the fake bank app APK scam.
The defense does not change brand to brand. The logo on the page is interchangeable; the structure, a brand token on a domain that is not the bank's, is not. That is the entire reason a structural defense beats a per-brand one.
Why browser-side lookalike detection beats email filtering for the link
Email and SMS filters do real work, and they catch a lot. But they are fighting the message, and the message is the cheapest, most disposable part of the operation. Attackers rotate sender addresses daily, keep the text short to dodge keyword rules, and hide the destination behind link shorteners and redirects so the dangerous part is invisible until you act on it. A filter that misses one in a thousand still lets plenty through when a campaign sends to millions.
The part that cannot change is the destination. To steal anything, the scam has to land you on a page that impersonates the bank and asks for your credentials. That page lives at a specific web address, and that address is what a browser-layer scanner reads directly, at the moment you arrive, regardless of which inbox or text thread delivered the link. A browser extension can recognize a bank brand sitting on a non-official domain and block the page before the login form ever renders. The message filter and the browser layer are complementary, but the browser layer is the one standing exactly where your password is about to be typed.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + a 550+ brand database (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It flags a Chase, J.P. Morgan, or JPMorganChase brand token on any non-official domain, edit-distance-one typosquats of the real domains, and brand-on-free-host subdomains, instantly and content-free.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser, plus a domain-age lookup (most bank-phishing hosts are brand new) and 30+ scam TLDs.
- Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new fake login page that no blocklist has seen yet, including cloned forms served from free-hosting platforms.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
For people who do not want to install anything, the same engine powers the free public URL checker. Paste any suspicious bank login link and get a verdict in seconds.
What to do right now
If a Chase or J.P. Morgan login page is in front of you and you are not certain it is real, here is the whole correct response.
- Do not log in through the link. Stop before you type anything. Open a new tab and reach the bank yourself, by typing chase.com or jpmorgan.com, by using a saved bookmark, or by opening the official mobile app. If there is a real alert, it will be waiting for you there.
- Read the address bar, not the page. Check the registrable domain (the part just before the first slash) is exactly chase.com, jpmorgan.com, or jpmorganchase.com. The padlock only means the connection is encrypted, not that the site is the bank, so a padlock on a lookalike is meaningless. Confirm the domain, not the lock.
- If you already entered your credentials, change your password immediately from a clean device you trust, not the one that loaded the suspicious page. Then call the number on the back of your card to report it and have the bank watch the account.
- Turn on or re-confirm two-factor authentication in the real app, and switch to an authenticator app or a security key if you were only using SMS codes.
- Watch for Zelle and wire fraud. A stolen login is most often cashed out through an instant Zelle payment or an outbound wire. Tell the bank to flag any pending transfers, and set transaction alerts so a new payee or wire pings your phone.
- Report it. Forward the phishing email to phishing@chase.com and to abuse@jpmorgan.com, file with the FTC at reportfraud.ftc.gov, and report to the FBI's Internet Crime Complaint Center at ic3.gov. Include the link and a screenshot.
- If you shared your SSN or full personal details, go to identitytheft.gov for a step-by-step recovery plan and place a free fraud alert with one of the credit bureaus. Our "I got scammed, what do I do now" walkthrough covers the first-hour playbook.
How a fake login site differs from the Chase email scam
The email and the website are two halves of one attack, and it helps to keep them straight. The Chase phishing email is the lure: a fake fraud alert, a "card temporarily restricted" notice, or an "update your information" demand designed to make you tap a link. The fake login website is the trap at the end of that link: the cloned page that actually harvests your user ID, password, and one-time code.
You can be hit by the website without the email at all. Search-ad phishing puts a fake login at the top of search results for "chase login," so a customer who searches instead of typing the address can land on the fake directly. See our guide to search-engine phishing through Google Ads. The same fake page can also be reached from a text, a social-media message, or a fake login pop-up on a site you trust. Whatever the delivery, the defense is identical: judge the destination by its domain, and only ever log in to a page you opened yourself.
Frequently asked questions
What is the real Chase login website?
The only real Chase login is chase.com, including Chase's own sub-hosts like secure01.chase.com and verified.chase.com. The only real J.P. Morgan sites are jpmorgan.com, jpmorganchase.com, and the corporate login at access.jpmorgan.com. Any other address, even one with "chase" or "jpmorgan" in it, is not the bank. Type the address yourself or use a saved bookmark instead of logging in through a link.
Is ipmorganchase.com a real J.P. Morgan website?
No. ipmorganchase.com starts with a lowercase "i" where the real domain has a lowercase "j" (jpmorganchase.com). It is a separate registrable domain with no connection to J.P. Morgan, and on a small screen it can read as the bank. This is a classic homoglyph lookalike. The real domain is jpmorganchase.com. Never log in on a one-character variant.
How can I tell a fake Chase login page from the real one?
Read the address bar, not the page. The registrable domain, the part immediately before the first single slash after https://, must be exactly chase.com, jpmorgan.com, or jpmorganchase.com. A hyphen or extra word (chase-secure, login-chase), a homoglyph (ipmorgan, cha5e), or a free-hosting host (anything ending in .vercel.app, .netlify.app, .pages.dev) means it is fake. A clone of the page can look perfect; only the domain tells the truth.
Does the padlock icon mean a Chase login page is safe?
No. The padlock only means the connection is encrypted (HTTPS). Scammers get free certificates, so a fake login page can show a padlock too. The padlock tells you nobody is eavesdropping on the data you send; it does not tell you who receives it. Confirm the domain, not the lock.
I entered my Chase password on a site that turned out to be fake. What do I do?
Act fast. Change your Chase password immediately from a clean device you trust, not the device that loaded the fake page. Call the number on the back of your card to report it. Turn on or re-confirm two-factor authentication, ideally with an authenticator app or security key rather than SMS. Then watch for unauthorized Zelle payments and wire transfers, set transaction alerts, and report the phishing to phishing@chase.com and reportfraud.ftc.gov.
Can a fake login page steal my one-time verification code too?
Yes. Modern phishing kits relay your login to the real bank in real time, so the fake page can show the genuine "enter your code" step and capture that code within the same minute, defeating SMS-based two-factor authentication. That is why the safest defense is never logging in through a link at all, and why an authenticator app or a phishing-resistant security key is stronger than SMS codes.
How do I report a fake Chase or J.P. Morgan website?
Forward the phishing email to phishing@chase.com and to abuse@jpmorgan.com. File a report with the FTC at reportfraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov, including the link and a screenshot. If you entered personal details, also start a recovery plan at identitytheft.gov.
Why am I getting Chase login lures if I am not even a Chase customer?
Attackers do not target by who banks where. They blast Chase-branded lures to huge lists of email addresses and phone numbers bought from data brokers. Because Chase has more than 80 million customers, a large share of any random list are real Chase customers, which is why the brand is impersonated so heavily. Receiving the lure is not evidence that anything is wrong with your account.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. It reads the domain so you do not have to. Free forever.