FBI ADVISORY EXPLAINER

FBI warning 2026: fake login pages are hidden behind redirects that fool URL scanners

The FBI says scammers now route real victims to fake login pages while showing scanners and researchers a harmless, unrelated page. A link that "scans clean" can still be a trap. Here is what that means and how to protect yourself.

SafeBrowz Threat Research | Security Research | June 29, 2026 | 11 min read

Can a login page look safe to a scanner and still steal your password?

Verdict: yes. A login page can pass a one-time URL check and still be a trap. The FBI warns that criminals use traffic distribution systems and redirect chains to show benign content to scanners and researchers while quietly routing real victims to a credential-harvesting page. The defense does not depend on any scanner being perfect: never log in from a link in an email, text, or ad. Type the address yourself or open it from a saved bookmark, then check the address bar before you enter a password. Turn on two-factor authentication so a stolen password alone is not enough.

The headline

On June 18, 2026, the FBI's Internet Crime Complaint Center (IC3) published a public service announcement, alert number I-061826-PSA, titled "Cyber Criminals Redirecting Users to Fraudulent Websites with Malicious Traffic Distribution Systems." It warns that criminals are using traffic distribution systems, or TDS, to quietly steer people from a link they trusted to a fraudulent destination, including fake login pages built to harvest credentials. The same machinery decides who sees the trap and who sees something harmless, which is what lets these fake pages survive longer than they should.

What a traffic distribution system actually is

A traffic distribution system is a piece of infrastructure that sits between a link and its destination and decides where to send each visitor. In legitimate marketing it routes ad clicks to the right landing page by region or device. In the hands of criminals, the FBI explains, it becomes a switchboard for fraud. The PSA describes a TDS as technology used to "route internet traffic visitors to different destinations after users visit webpages, click advertisement links, sign up for promotions and discounts, or download an application."

The key word is different. Two people can click the exact same link and land in two completely different places. One person gets a real-looking but harmless page. The next person gets a pixel-perfect clone of a bank or email login. The decision happens in a fraction of a second, before the page even loads, based on who the visitor appears to be.

According to the FBI, the criminal TDS profiles each visitor by attributes including IP address, geography, browser, operating system, and device type. That profile decides the route. A visitor who matches the target profile, a likely victim in the right country on the right kind of device, gets routed to the fraud. A visitor who looks like a researcher, a scanning service, or someone outside the target region gets routed to a clean page instead.

Cloaking: why a scanner sees one thing and you see another

This selective routing is called cloaking, and it is the part of the FBI warning that matters most for anyone who relies on a "check this link" tool. The PSA puts it plainly: "A cyber criminal can use a TDS to identify users in regions they are not targeting, allowing them to avoid detection by displaying safe content to undesired targets, including security researchers."

Read that again, because it is the whole problem. The criminal infrastructure deliberately shows safe content to security researchers. When an automated URL scanner visits the link, it often looks like a researcher: a datacenter IP address, an unusual region, a headless browser, no normal device fingerprint. So the TDS serves it the harmless page. The scanner records a clean verdict. Meanwhile, a real person on a phone in the target country clicks the same link and gets the credential trap.

That is how a fake login page passes a check and still steals passwords. The check was honest. It just saw the decoy. The FBI also notes that to obscure the final destination, the systems route victims through "a complex chain of intermediate nodes to hide the final malicious destination, making it difficult to trace and block." A scanner that follows the first hop and stops, or that the chain redirects to a clean page, never reaches the page the victim ends up on.

How victims get pushed into the chain

The redirect machinery only works if people click the first link, so the FBI lists the usual ways victims are funneled in. It names links in phishing emails, search-engine-optimization poisoning that promotes fraudulent ad links mimicking legitimate ones, and the compromise of legitimate websites that then quietly redirect their own visitors.

That last route is the nastiest. A website you have trusted for years gets compromised, and a hidden script starts feeding a slice of its visitors into the TDS. You did not click a sketchy ad or a suspicious email. You went to a site you knew, and on the way through, the switchboard grabbed you. From the destination, the FBI notes, criminals selectively redirect users to "compromised or fake login websites that can host phishing pages for online financial fraud" or prompt downloads of software updates that carry malware.

What SafeBrowz sees on the network

This is where the difference between a one-time link check and a browser-side engine becomes concrete. A standalone scanner gets one look at the link, often from an environment the cloak recognizes and disarms. SafeBrowz runs its 3-layer detection (Local + APIs + AI) and is built to handle exactly the redirect-and-cloak pattern the FBI describes.

  • Layer 1, local detection, resolves the final landing host, not just the link you started with. Following a redirect chain to where it actually ends is the first defense against a clean-looking first hop. Layer 1 then runs 60+ URL pattern signatures and 550+ brand signatures against that final host. If the page that finally loads carries a known brand (your bank, your email provider, a crypto exchange) on a domain that is not that brand's official one, it flags content-free, before any login form finishes rendering. A clone does not have to fool a model to get caught here. The mismatch between brand and domain is enough.
  • Layer 2, reputation and API checks, aggregates threat intelligence including Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and scam-TLD signals to catch destinations that other systems have already burned. This is the layer a pure cloak is designed to dodge, which is exactly why it is one of three and not the whole engine.
  • Layer 3, AI content analysis via our proxy (Premium), reads the live page the visitor actually receives, in 100+ languages. Because the extension runs in your browser, on your real device, in your real region, the page it analyzes is the same page the TDS decided to serve you, not a sanitized decoy handed to a scanner. It recognizes login-form mimicry and credential-capture layouts and can flag a brand-new clone the moment it loads, before any blocklist has it.

The honest scope: no engine catches everything, and a determined operator can still cloak against any single signal. What changes the odds is having three independent layers and, crucially, analyzing the page from inside the victim's own browser rather than from a scanning service the cloak can recognize and feed a decoy.

Where TDS cloaking spreads next

Cloaking is not new, but the FBI putting its name on a public advisory tells you it has gone mainstream, and mainstream techniques get cheaper and more automated. A few directions worth watching.

Cloaking as a paid service. The hard part of this attack is the routing logic and the fresh-domain supply, not the fake page. Expect more "anti-bot" and "filtering" panels sold to low-skill scammers, so a basic phishing kit ships with researcher-evasion built in by default. That pushes the survival time of fake login pages up across the board.

Tighter targeting per click. The same profiling that decides victim-versus-researcher can narrow further: only serve the trap to a specific country, a specific bank's customers inferred from referrer, even a specific time window after a breach. Narrow targeting means fewer scanner samples ever see the malicious version, which makes static blocklists slower to react.

Malicious ads and SEO poisoning as the front door. The FBI already lists SEO poisoning and fraudulent ads as entry points. As search results blend more AI-summarized links and sponsored placements, a poisoned result that routes through a TDS is harder for a casual reader to vet, because the visible link and the final destination are no longer the same thing.

The throughline: the trend is toward separating what a scanner sees from what a victim gets. Detection that only ever sees the scanner's view will keep losing ground. Detection that sees the victim's view is the counter.

Why a browser-side engine beats a gateway or a blocklist here

It is worth being precise about why this technique defeats some defenses and not others, because the architecture is the whole story.

An email gateway scans the link, not the page you land on. Security gateways often pre-fetch links to judge them. A TDS that profiles the visitor will happily serve that gateway a clean page, then serve you the trap when you click minutes later from your phone in your living room. The gateway saw the decoy. You see the real thing. The gateway cleared it.

A static blocklist is always one step behind a fresh chain. Blocklists work on domains and URLs that have already been reported. A TDS spins up fresh intermediate nodes and final hosts constantly, and it specifically tries to hide the final destination so it never gets sampled and reported in the first place. By the time a domain lands on a list, the campaign has rotated.

A browser-side engine evaluates the page after the redirect resolves, on your device. This is the structural advantage. SafeBrowz runs at the point where the cloak has already made its decision and served you, specifically, the page it wants you to see. There is no decoy to hand it. It follows the chain to the end, and it reads what actually rendered, brand mimicry and credential forms and all. The same property that makes the cloak effective against remote scanners, that it shows different content to different visitors, is neutralized when the detector is the visitor.

None of this makes a browser engine infallible. It makes it the right layer for this specific threat. Pair it with the human habit the FBI recommends, never logging in from a link, and the cloak loses its main advantage.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. Against the cloaked-redirect pattern in the FBI advisory, the engine is designed to judge the destination, not the decoy.

  • Layer 1, local: 60+ URL pattern signatures and 550+ brand signatures run inside the extension. It resolves the final landing host after the redirect chain and flags a known brand appearing on a non-official domain content-free, so a fake login page is caught before its form finishes loading.
  • Layer 2, APIs: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser and scam-TLD intelligence to catch destinations already known to others.
  • Layer 3, AI deep scan (Premium): AI content analysis via our proxy reads the live page the visitor actually receives, in 100+ languages, recognizes login-page and credential-capture mimicry, and can flag a brand-new clone the moment it loads.

Honest scope: SafeBrowz flags the fake login page on the device that lands on it, which is the right place to break a cloaked redirect. It cannot un-steal a password you already typed and submitted, which is why the habit of never logging in from a link, plus two-factor authentication, sits alongside the engine, not behind it. The free browser extension does this on desktop, and the SafeBrowz Android app on Google Play applies the same engine to links you open on your phone, where many of these texts and ads land.

Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

What these cloaked links look like

You cannot reliably tell a cloaked link apart by sight, and that is the point of the advisory. But the destinations still share the old shape: a real brand name glued onto a domain that is not the brand's, reached only after a redirect. These are illustrative patterns, not live domains, to show the shape attackers reuse.

  • secure-account-verify-login.com (a real bank login lives on the bank's own domain, never a generic "secure-verify" host)
  • mail-signin-session-renew.net (your email provider does not move its login to a separate "session-renew" domain)
  • tracking-redirect.click/r/aB3xQ (a short redirector that hands you off; the final page is what matters, not this hop)

The lesson is not to memorize bad domains. It is that the link you clicked and the page you end up on can be two different things, and only the second one can hurt you. So judge the page in the address bar at the moment you are about to type a password, not the link you trusted on the way in.

Red flags: when to assume a login page is a trap

  • You arrived by clicking a link in an email, text, DM, or ad, rather than typing the address. This alone is the FBI's number-one risk path.
  • The address bar is not exactly the official domain. Extra words, hyphens, an odd country code, or a brand name buried inside a longer host are all tells.
  • You bounced through one or more redirects to get there. A legitimate login does not usually pass you through a chain of unfamiliar hosts.
  • The page demands urgent re-login to "verify", "secure", or "renew" an account, with a deadline. Manufactured urgency is the oldest tell.
  • It asks for more than your password: a card number, a one-time code over the phone, a seed phrase. Real logins do not collect those on the way in.
  • It came from a search ad or a poisoned search result rather than the brand's own site. The FBI specifically names SEO poisoning and fraudulent ads.

Any one of these is reason enough to stop. Two or more, and you should assume the page is hostile and close it.
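The brand-on-the-wrong-domain and redirect-chain red flags above, together with the scanner-versus-victim split described earlier, as an added JavaScript example (not SafeBrowz's code and not from the FBI advisory). The brand names, official domains, hosts, the two-entry stand-in for the Public Suffix List, and the redirect threshold are all constructed assumptions.

```javascript
// Added example. All hosts, brands and thresholds below are constructed
// for illustration; .test and .example are reserved, non-resolving TLDs.

// Tiny stand-in for the Public Suffix List (assumption: real code uses the full list).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Hypothetical brand table: the token to look for and the domains the brand really uses.
const BRANDS = [
  { name: "examplebank", official: ["examplebank.example"] },
  { name: "examplemail", official: ["examplemail.example"] },
];

// Assumed threshold: more than this many extra registrable domains in a chain is a red flag.
const MAX_EXTRA_DOMAINS = 1;

// Read the host right to left and keep the registrable domain (suffix plus one label).
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Judge a recorded redirect chain (array of URLs, first hop to final page)
// by where it ends, not by where it starts.
function assessChain(chain) {
  const hosts = chain.map((url) => new URL(url).hostname);
  const finalHost = hosts[hosts.length - 1];
  const finalDomain = registrableDomain(finalHost);
  // Distinct registrable domains seen in the chain, beyond the first one.
  const extraDomains = new Set(hosts.map(registrableDomain)).size - 1;
  const flags = [];

  // Strip dots and hyphens so "example-bank" or "examplebank.example.evil.test"
  // still counts as a brand mention in the host.
  const squashed = finalHost.replace(/[^a-z0-9]/g, "");
  for (const brand of BRANDS) {
    if (squashed.includes(brand.name) && !brand.official.includes(finalDomain)) {
      flags.push(`brand-mismatch:${brand.name}`);
    }
  }
  if (extraDomains > MAX_EXTRA_DOMAINS) flags.push("multi-domain-redirect");
  return { finalHost, finalDomain, extraDomains, flags };
}

// Cloaking indicator: the same first link ended on different registrable domains
// for two vantage points (for example a gateway pre-fetch and the user's browser).
function viewsDiverge(chainA, chainB) {
  if (chainA[0] !== chainB[0]) throw new Error("chains must start from the same link");
  return assessChain(chainA).finalDomain !== assessChain(chainB).finalDomain;
}

// Constructed sample chains for the same first link.
const scannerView = ["https://redirector.test/r/aB3xQ", "https://harmless-blog.test/welcome"];
const browserView = [
  "https://redirector.test/r/aB3xQ",
  "https://hop.cdn-node.test/go",
  "https://examplebank.example.secure-login.test/signin",
];

console.log(assessChain(scannerView).flags);
console.log(assessChain(browserView).flags);
console.log(viewsDiverge(scannerView, browserView));
```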

What to do right now

The FBI's individual-facing advice and the practical habit that defeats cloaking are the same: do not let a link decide where you log in.

  1. Never log in from a link. Not from email, not from a text, not from an ad. If a message says your account needs attention, leave the message and reach the account on your own.
  2. Type the domain yourself or use a saved bookmark. Open a fresh tab and type the official address, or use a bookmark you created when you knew you were on the real site. This bypasses the redirect chain entirely, which is what the cloak depends on.
  3. Check the address bar before you type a password. The FBI advises verifying the URL is authentic, and warns a malicious URL may look similar to a real one or sit on a subdomain of a legitimate domain. Read the actual registered domain, right to left, at the moment of login.
  4. Turn on two-factor authentication. If a stolen password is not enough to get in, a single cloaked page does far less damage. Prefer an authenticator app or a hardware key over SMS codes where you can.
  5. Report it to the FBI at ic3.gov. Filing a complaint at the Internet Crime Complaint Center helps investigators map these redirect networks. Include the link you clicked and the address you ended up on.

Updated June 29, 2026.

Block the fake page before you type

SafeBrowz is a free browser extension for Chrome, Firefox and Edge (Safari coming soon) plus a live Android app that follows the redirect to where it actually lands and flags a fake login page before you enter anything. Because it reads the page from inside your own browser, it sees what a cloaked link served you, not the decoy a remote scanner gets. It recognizes 550+ brands, auto-flagged when a page tries to impersonate them, with AI content analysis in 100+ languages for brand-new clones. Free forever, no account needed.

Bottom line: the FBI's warning is that a link and the page it lands on can be two different things by design, so a clean scan is never permission to type your password. Never log in from a link, type the address yourself, turn on two-factor authentication, and put SafeBrowz on your browser so the cloaked fake login page gets judged on your device, where the decoy cannot reach.

Frequently asked questions

Can a fake login page really pass a URL scan and still be dangerous?

Yes. The FBI's June 18, 2026 advisory explains that criminal traffic distribution systems show safe content to scanners and researchers while routing real victims to a credential-harvesting page. The scan is honest, but it sees a decoy. That is why you should never treat a clean scan as permission to log in from a link. Type the address yourself or use a bookmark, and check the address bar before entering a password.

What is a traffic distribution system, or TDS?

A TDS is infrastructure that sits between a link and its destination and decides where to send each visitor. The FBI describes it as technology that routes traffic to different destinations after a user clicks a link, ad, or download. Legitimate marketing uses it to route ad clicks; criminals use it to send likely victims to fraud while sending researchers and scanners somewhere harmless.

What is cloaking in phishing?

Cloaking is showing different content to different visitors. The FBI's PSA states criminals use a TDS to avoid detection by displaying safe content to undesired targets, including security researchers, while serving the real fraud to targeted victims. It profiles visitors by IP address, geography, browser, operating system, and device type to decide who sees what.

Why does this defeat a single URL check?

A single check usually gets one look at the link, often from a datacenter IP or a headless browser that the cloak recognizes as a researcher and feeds a clean page to. The redirect chain also hides the final malicious destination, so the scanner may never reach the page the victim lands on. The check records the decoy and reports it clean.

How does SafeBrowz handle a cloaked redirect?

SafeBrowz runs inside your browser on your real device, so it sees the page the cloak actually served you, not a decoy meant for a scanner. Its 3-layer engine resolves the final landing host after the redirect, flags a known brand on a non-official domain content-free, cross-checks reputation APIs, and uses AI content analysis to read the live page and spot login-form mimicry. No engine is perfect, but analyzing the destination from the victim's own browser neutralizes the cloak's main advantage.

What is the single best habit to avoid this?

Never log in from a link. If an email, text, or ad says your account needs attention, do not click through to log in. Open a new tab and type the official address yourself, or use a saved bookmark. This skips the redirect chain entirely, which is the thing the cloak depends on. Then check the address bar before you type your password.

Does two-factor authentication stop this?

It greatly reduces the damage. If a cloaked page steals your password but you have two-factor authentication on, the attacker still cannot log in with the password alone. Prefer an authenticator app or a hardware key over SMS codes where possible, since some advanced phishing kits try to relay codes in real time. Two-factor authentication is a backstop, not a reason to enter your password on a page you reached by link.

Where do I report a fake login page or redirect scam?

Report it to the FBI's Internet Crime Complaint Center at ic3.gov. Include the link you clicked and the final address you landed on. Filing helps investigators map these redirect networks and their hosting. If you entered credentials, change that password immediately on the real site, enable two-factor authentication, and watch the account for unauthorized activity.
