The Scary Speed of Phishing Website Deployment
Australians are being caught in seconds by sophisticated phishing attacks. The problem isn’t carelessness, it’s speed. Scams are engineered to move faster than human defences, and every delay costs victims and the brands they trust.
Australians reported $174 million in losses to Scamwatch, operated by the National Anti-Scam Centre, in the first half of this year. That represents a 26 per cent jump on the same period in 2024.
The scary truth is that phishing websites can be spun up in hours and begin netting victims almost immediately. But brands are not powerless. By embracing the latest technology innovations, automation, AI-powered detection, and scalable takedown tools, businesses can close the gap and fight back at the same speed scammers operate.
The Speed of Today’s Scams
Phishing has evolved into an industrialised operation. Criminal groups use automation and AI to launch attacks at machine speed, overwhelming victims and brands alike. Australians are being hooked in seconds, often losing money almost instantly with little chance of recovery once the funds move.
Technology is fuelling this surge. Fraud-as-service scam infrastructure, Deepfake voices, flawless fake emails, and templated phishing websites can now be created in minutes. Certain times of year make the problem worse. During the 2025 end of financial year, for example, the Australian Taxation Office recorded a 300 per cent spike in scam emails, each designed to exploit tax-time pressure. At the same time, “quishing” QR code–based scams has surged, silently redirecting victims to credential-stealing pages in seconds.
The reality is simple: customers are targeted at machine speed, while many brands are still relying on manual reporting and patchwork processes that cannot keep up.
Speed & Timing: How Jennifer Was Scammed
Jennifer, a professional traveller, described in the AFR how she fell victim to a scam that arrived at exactly the wrong moment. She had just sent a parcel overseas and was legitimately expecting delivery updates from Australia Post. When a text arrived claiming the recipient wasn’t home and that she needed to pay 75 cents for redelivery, the timing seemed plausible.
Distracted by cancelled holiday accommodation and boarding an international flight, she clicked the link and entered her credit card details. Within minutes, scammers had charged $2,550 worth of airline tickets to her account. Even though she cancelled her card almost instantly, her bank later refused compensation on the basis that she had authorised the payment by entering her details.
Her experience underscores the way scams work: they compress the decision-making window, remove time for reflection, and strike when people are most distracted. Jennifer didn’t fail because she was careless; she failed because the scam was designed to exploit speed and timing.
Phishing Websites: Live in hours, dangerous for days
Research confirms the velocity at which phishing sites become dangerous. All the way back in 2020, a joint team from Google, PayPal, Samsung, and Arizona State University completed one of the most extensive phishing studies to date. Over 12 months, they tracked 22.5 million user visits across more than 400,000 phishing pages. The research showed that the average phishing campaign lasted just 21 hours from the first to the last victim. Crucially, anti-phishing systems only detected attacks around nine hours after the first victim has already clicked through.
The riskiest period falls between nine and 16 hours, before browser warnings or detection systems kick in. During this interval, more than a third of attacks succeed, and nearly one in ten victims surrender their credentials. This short window highlights how quickly scams weaponise and why traditional detection often arrives too late. For brands and users alike, speed is the defining factor in phishing defence.
Zlabs analysis of 88,014 phishing URLs in early 2024 showed how quickly sites are weaponised. More than 60 per cent of new phishing domains secured SSL certificates within two hours, giving them the legitimacy of HTTPS. Half remained undetected for over a week, acting as effective zero-day threats long after they were live.
A 2025 Cornell University DNS-abuse study tracking nearly 700,000 phishing domains revealed that malicious registrations dominate (66.1%) and remain active for an average of 11.5 days after detection, further extending exposure windows.
The message is clear: phishing sites can go live in hours, capture victims in less than a day, and stay online long enough to cause serious damage. For brands, every hour matters.
Leveraging Technology to Protect Customers from Scams
Manual responses no longer work. To protect customers, brands must respond at the same speed scammers deploy attacks. That means harnessing technology built to detect, disrupt, and take down scams in real time:
- AI-Powered Detection: Machine learning can spot suspicious domains, impersonation attempts, and cloned websites far earlier than manual monitoring. Good applications like Unphish, don’t just rely on a few data sources, but leverage hundreds of data points and conduct deep analysis to identify scams, quickly.
- Automated Enforcement: Platforms like Unphish generate and lodge takedown complaints instantly, removing human bottlenecks.
- Upgrade your passive scam warning pages: Brands need to move towards interactive scam-assessment platforms like scams.report that allows users to paste or upload suspicious URLs or content. These technologies instantly evaluates risk and offers guidance on the next steps to take.
- Scalable Defence: Automation allows thousands of simultaneous takedowns, matching the industrial scale of attacks.
- Real-Time Visibility: Dashboards and analytics give brands immediate oversight of scam activity, helping them measure outcomes in hours instead of weeks.
- Continuous Monitoring: Persistent scanning for new domains, phishing kits, and brand impersonations ensures threats are found before customers fall victim.
By embracing automation and AI, brands can close the gap between scam launch and enforcement, protecting both customers and their own reputation. Scams move at the speed of machines. Brands cannot afford to fight back at the pace of humans. With phishing takedown automation, Unphish helps businesses keep pace, shut scams down fast, and prove to customers that their trust is well-placed.
About brandsec
Brandsec is a team of domain management and brand protection specialists. We secure corporate domains and enforce against phishing, impersonation, and scams. Powered by Unphish, our takedown platform, we detect and remove malicious sites and fake profiles fast. Trusted by leading brands, we deliver technology-driven protection across industries to safeguard customers and reputation.
