Cloned retail websites increasingly appear in ChatGPT shopping results, leading users to fake stores that steal payment details. A recent report by Ask Silver revealed that ChatGPT included links to counterfeit versions of retailers such as Russell & Bromley and Dunelm in its responses.
These fake sites mimic the appearance of genuine brands and offer discounts up to 80%, but once orders are placed, they steal financial information without delivering products.
Anna Jones from Ask Silver told The Guardian that the AI model might have been intentionally “poisoned,” meaning malicious actors could have inserted fake web pages into the data ChatGPT uses, skewing its recommendations.
Scammers also manipulate corporate changes; for example, after Russell & Bromley went into administration in January 2026 and was bought by Next, it no longer has a standalone website, making fake domains like “therussellbromleyofficial” more compelling for consumers.
AI tools are designed to simplify information and present direct links, which makes users less likely to monitor links in chatbot responses than in traditional search engines.
Louise Baxter of National Trading Standards warned that as consumers rely more on AI for shopping advice, fraudsters will adapt quickly, exploiting new technology.
Although these scam sites may appear convincing, they often exhibit warning signs such as requesting bank transfers rather than credit cards or PayPal, using domain names that closely resemble those of official sites, offering unbelievable discounts, and lacking verifiable contact details.
Dunelm and Next are actively working to combat these issues; Dunelm advises customers to shop only through its official channels and is removing fake domains, while Next is tackling the fake Russell & Bromley websites.
OpenAI has confirmed that the counterfeit sites flagged by Ask Silver have been permanently removed from ChatGPT’s search index and added that users can report suspicious links through its reporting form.
However, it has not specified long-term measures to prevent similar cloned sites in the future. To stay safe, cybersecurity experts advise treating links from AI responses as initial references and always verifying the domain before making a purchase.