Websites are easier-than-ever to build...
They will be used to scam you.
There's a luxury backpack brand called Tumi, they offer high-end goods like bags, luggage, and backpacks. A friend of mine who has a Tumi bag got an ad on facebook for Tumi.
You’ll notice this links to the website tumisaleshop.com.
They clicked around for a little while and were about to buy something from the website when something unrelated stopped them. When they came back to the store several hours later, they googled Tumi they found a slightly different website (Tumi.com), which did not seem to have the same sales they saw before. I’ll refer to the facebook ad website as Tumi-Sale-Shop website and the google one as Tumi website.
As they began looking at the difference between these two sites they noticed a few discrepancies or issues. Minor things like the Tumi-Sale-Shop website had a 2024 copyright.
One of the more glaring differences is that the Tumi website has a legitimate email address for contacting them (service@tumi.com):
Whereas Tumi-Sale-Shop has a gmail (tumi@gmail.com).
Stranger discrepancies (and my favorite one) are things like how while the Tumi website has text on their about page:
whereas the Tumi-Sale-Shop website has screenshots of text.
The Tumi-Sale-Shop logo is an image.
While it’s embedded into the site for the Tumi website.
Critically, Tumi-Sale-Shop is on a dramatic discount (437$ off!)
While, the Tumi website does not have such discounts:
It seems clear to me that what is going on here is a scammer created a spoofed-company website in order to get people to make purchases and steal their credit card information (or at the very least steal the money they send over).
To seal the deal, looking on GoDaddy, making a website like this would cost less than 25$.
When I saw this, I was fairly impressed at the level of imitation that a scammer was able to do. And I wanted to know what I could do with an AI tool myself.1 My goal here is to communicate to laypeople who aren’t using AI tools, how simple making such an attack would be. So, I time-bound myself to 1-hour and 0$.
And I ended up with this Tumi re-creation website: https://tumi-nr4o-royrins-projects.vercel.app/
Here’s the process I took2:
I first went to V0 by Vercel (a website hosting company that do AI-powered workflows), and uploaded some screenshots of the Tumi website. I had approximately ~6 interactions, you can view my chat here.
With fewer than <10 minutes, I made this site:
And then, I downloaded that website locally starting point, and worked with Claude Code lightly to recreate their website. After the initial set up, I had Claude make regular commits of its progress, you can see my Github link here: https://github.com/RoyRin/tumi . 3
Within ~1 hour of very light work with Claude, I created this website. Here’s the link again.
Try it out. There’s even an accurate sizing-guide and terms and conditions webpage.
It is not perfect by any means, there are some broken links, and there are some pictures on the website that give it away immediately. However, by-and-large, it generally works. I left off all the purchasing and login backend logic, since that wasn’t the point of this demo. I imagine this could be handled relatively simply with an off-the-shelf API.
Conclusion
I want to emphasize that I truly do not know web-development at all.
The takeaway is not that I built an incredible application (click around for even 2 minutes, and you will find broken links everywhere). But rather that me, someone with no web-development experience, built a reasonable replica in under an hour. With a fully-automated loop between Claude Code and the real website (in this case tumi.com), creating 100 scam websites would cost only AI monthly fees + webhosting fees, averaging probably <$25 per site with minimal human involvement/overhead. Each one quite believable, and each one likely quite lucrative.
Through this post, I wanted to share my experience here and that this was possible. One simple takeaway I have is that it’s easier than ever to build these look-alike scams that imitate real websites/products, and people need to be generally on-guard.
Some General Recommendations
How to Protect Yourself:
Always verify the URL - Look for exact domain matches (tumi.com vs tumisaleshop.com)
A good tip is look for contact information - Real companies use their domain emails, not Gmail
Search for the deal independently - If it seems too good to be true (70% off!), go directly to the official site
Use credit cards, not debit (Credit cards offer better fraud protection)
How to Report Fake Sites:
For the brand being impersonated: Contact the real company directly (most have abuse@ or security@ emails - e.g. security@tumi.com). Some brands have dedicated "report counterfeit" pages
Domain/hosting level: you can report phishing websites to Google and Microsoft, I don’t know how effective this is, or what happens on the backend, but it can’t hurt
Google Safe Browsing - safebrowsing.google.com/safebrowsing/report_phish/
APWG (Anti-Phishing Working Group) - apwg.org/report-phishing/
Social Media:
If you see a “fake” ad on social media (e.g. Facebook), these platforms often have report features for fake ads.
Tip: Screenshot everything before reporting - fake sites often disappear quickly once reported.
Note: This experiment was conducted purely for educational purposes to raise awareness about online scams.
I have never thought about this before, and there are likely much better ways to spoof a website, like downloading the HTML from the website directly
Granted, I have a paid subscription to Claude code.