🎣 Phishing Insurance Short read

Phishing site cloning an insurer's login page — active for a short time

Notmining Platform helped detect a near-perfect clone of an insurance company's customer portal shortly after it went live. The site was collecting login credentials and policy numbers. The security team was alerted and the hosting provider notified before significant damage occurred.

Fast Detection time
Short time Time live
Hosting Notified
Content Login clone

Customer portal clones work because they replicate trust: design, copy and navigation. Once the clone is live, the goal is typically to capture credentials and customer data during the first hours.

What happened

The site was published with a login page that closely matched the insurer's customer portal. The form fields forwarded credentials to attacker-controlled infrastructure, and collected policy numbers when available.

Response

After the alert, the team coordinated hosting notifications and blocked access via DNS/perimeter controls. The site remained live for a short time.

Key takeaways

  • The impact window is short: early detection is decisive.
  • Takedowns move faster with clear evidence and exact URLs.
  • Combining clone monitoring with domain monitoring reduces recurrence.

More success stories

🎣 Phishing

Lookalike domains targeting a regional bank — caught before launch

Financial Services Short read
🔓 Data Exposure

Employee credentials found on a dark web forum before internal IT was aware

SaaS / Technology Short read
👤 Impersonation

Fake X profile impersonating a CEO to solicit wire transfers

Professional Services Short read
← Back to all stories