
The Role of Domains in Banking Login Scams: Lessons for the next new gTLD round
Banks have spent years educating customers about phishing, fake notifications, and credential-harvesting scams. Yet login scams continue to succeed, not because customers are careless, but because attackers are increasingly effective at mimicking legitimate banking experiences. SMS alerts, email notifications, and in-app messages now regularly direct customers to convincing login pages hosted on domains that appear legitimate under pressure.
According to the Australian Competition and Consumer Commission, Australians reported approximately $174 million in scam losses in the first half of 2025, with fake websites, online advertisements, and social media among the most common methods used by scammers. Many of these scams rely on impersonation and urgent prompts, such as warnings about suspicious activity or requests to verify account details, to push victims toward fraudulent login pages hosted on convincing domains.
What makes these attacks difficult to stop is not the message itself, but where it leads. Once a customer clicks a link, they are required to make a rapid trust decision about a domain name. In that moment, subtle differences between a genuine banking domain and a fraudulent one are easy to miss, particularly on mobile devices. Attackers exploit this by registering lookalike domains at scale and rotating them quickly as they are detected or taken down.
Industry analysis from the DNS Research Federation shows that newly registered domain names continue to play a significant role in phishing attacks. While many of these domains are blocked within days of registration, they often become active within hours and remain operational long enough to capture credentials before enforcement controls respond. For banks, this creates a persistent enforcement challenge and places an ongoing cognitive burden on customers who are expected to assess the legitimacy of unfamiliar domains under time pressure.
This is where dotBrand gTLDs change the dynamic. A dotBrand domain allows a bank to operate within a closed namespace that only it controls. Unlike traditional domains, no third party can register names under that extension. This removes an entire category of lookalike domains from the attack surface and gives banks a simple, enforceable rule to communicate to customers. If a link does not end in the bank’s dotBrand domain, it is not legitimate.
The value of this clarity is well established. Security guidance from organisations such as NIST consistently emphasises the importance of reducing user decision-making under stress. Rather than expecting customers to inspect URLs, certificates, or page design, dotBrand domains allow banks to anchor trust in a single, unambiguous signal. Customers do not need to analyse. They only need to recognise.
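The rule above ("if a link does not end in the bank's dotBrand domain, it is not legitimate") is easy to state but easy to get wrong in code, because a brand name can appear in a URL without the host being inside the closed namespace. The following Python is an added example, not code from the article or from any bank, registry or ICANN. It assumes a hypothetical dotBrand TLD `.examplebank`, constructed sample links that are not real domains, and helper names (`naive_check`, `in_dotbrand`, `classify`) chosen for this illustration. It contrasts a substring test, which accepts every lookalike, with a check that parses the URL and compares only the final DNS label of the host:

```python
from urllib.parse import urlsplit

# Hypothetical dotBrand TLD used for this example; a bank would substitute
# the extension it actually operates under the new gTLD programme.
BANK_TLD = "examplebank"


def naive_check(url: str) -> bool:
    """The substring test a hurried reader (or a sloppy filter) applies.
    It is fooled by any URL that merely *contains* the brand name."""
    return BANK_TLD in url.lower()


def in_dotbrand(url: str, tld: str = BANK_TLD) -> bool:
    """Return True only if the link's host sits inside the closed dotBrand
    namespace, i.e. its final DNS label is exactly the bank's TLD.

    urlsplit is used so that userinfo ('brand@'), ports, paths and query
    strings cannot smuggle the brand name into the comparison; only the
    parsed hostname is examined."""
    parts = urlsplit(url.strip())
    # Policy choice for this example: only https links are acceptable.
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased, with userinfo and port removed
    if not host:
        return False
    # Reject non-ASCII hosts outright: a homoglyph label can never equal
    # the ASCII TLD string, and refusing them avoids IDNA edge cases.
    if not host.isascii():
        return False
    labels = host.rstrip(".").split(".")  # tolerate a trailing root dot
    if any(not label for label in labels):
        return False  # empty label means a malformed host
    return labels[-1] == tld


# Constructed sample links (not real domains) of the kind a customer might
# receive by SMS or email, with the verdict the dotBrand rule should give.
SAMPLE_LINKS = {
    "https://login.examplebank/": True,
    "https://LOGIN.ExampleBank./secure": True,
    "https://examplebank.com/login": False,
    "https://login.examplebank.evil.test/": False,
    "https://examplebank@evil.test/": False,
    "https://evil.test/login?next=examplebank": False,
    "http://login.examplebank/": False,
}


def classify(links=SAMPLE_LINKS) -> dict:
    """Run both checks over the links; returns {url: (naive, dotbrand)}."""
    return {url: (naive_check(url), in_dotbrand(url)) for url in links}


if __name__ == "__main__":
    for url, (naive, strict) in classify().items():
        print(f"{url:45} substring={naive!s:5} dotBrand={strict}")
```

Running it shows the substring test returning True for every lookalike in the table (the `.com` registration, the brand as a subdomain of another domain, the brand in the userinfo or query string) while `in_dotbrand` accepts only the two links whose host actually terminates in the bank's own TLD. The same comparison, applied in a mobile app's link handler or a mail gateway, is what turns the customer-facing rule into an enforceable control; the https-only and ASCII-only decisions are policy choices for this example rather than requirements of the dotBrand model.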
As banks continue to invest in fraud detection, customer education, and real-time monitoring, domain strategy is often treated as a separate concern. Login scams demonstrate how closely these areas are connected. When a fraudulent message leads to a believable domain, even well-designed security controls can be undermined. When the domain itself is unmistakable, many scams fail before credentials are ever entered.
The upcoming new gTLD round, administered by ICANN, represents a rare opportunity for banks to reassess how trust is signalled online. A dotBrand will not eliminate fraud on its own, but it meaningfully reduces ambiguity, simplifies customer messaging, and strengthens enforcement when abuse occurs. In a threat landscape that relies on confusion and speed, removing uncertainty can be a powerful defensive advantage.


