Poisoned AI: How ChatGPT-linked Shopping Scams Trick Shoppers and Threaten Brands
Quick take for leaders
- AI agents such as ChatGPT can surface cloned retail sites that look legitimate — shoppers often follow links without checking.
- Security researchers found fake Russell & Bromley and Dunelm pages cited as sources; attackers exploited Russell & Bromley’s transition into Next (Jan 2026).
- Immediate priorities: verify canonical domains, block suspicious payment methods, and open fast takedown channels with AI vendors.
When AI hands you a shopping link, trust can get weaponised
A security firm, Ask Silver, discovered convincing cloned retailer pages — including copies of Russell & Bromley and Dunelm — listed among sources that ChatGPT surfaced to users. Scammers registered lookalike domains (examples observed: therussellbromleyofficial, russellandbromleylondon, russellbromleyonlineuk, russell-and-bromley), advertised huge discounts (reported up to ~80%) and pushed risky payment methods such as bank transfers. Many shoppers followed the AI-recommended links without a second thought and landed on fraudulent sites.
How the scam worked — plain English
Modern chat assistants frequently look up external web pages to answer product questions; systems that work this way are known as retrieval-augmented systems. If cloned or malicious pages are indexed by search engines or otherwise enter the retrieval layer, an AI agent can present them as sources, and users may assume the assistant already vetted them.
LLM/data poisoning (simple definition): attackers add malicious or cloned pages into the web or a search index so an AI will find and surface them as credible results.
Anna Jones of Ask Silver warned that scammers may have “poisoned” the large language model by inserting malicious cloned webpages into the data the AI uses.
What happened, step by step
- Discovery: Ask Silver identified cloned Russell & Bromley and Dunelm pages listed in ChatGPT’s cited sources.
- Why Russell & Bromley was vulnerable: the brand entered administration and was absorbed by Next in January 2026, removing a single canonical domain and creating search ambiguity that fraudsters exploited.
- Scam indicators: lookalike domains, extreme discounts (~80%), and requests for bank transfers — a high-risk payment method because reversals are difficult.
- Response: OpenAI removed the fraudulent pages from ChatGPT’s index after reports and provides a reporting form; Next and Dunelm are pursuing takedowns and warning customers.
Louise Baxter, head of the scams team at National Trading Standards, cautioned that criminals adapt quickly to new technologies and consumers “shouldn’t assume a website is genuine simply because an AI tool suggested it.”
Responses so far
OpenAI removed the flagged pages from the retrieval index after they were reported and offers a policy-violation reporting channel. Retailers (Next and Dunelm) are coordinating takedown requests with registrars and asking customers to use official apps or domains. Regulators and National Trading Standards have issued warnings to consumers. These are the right first moves, but they are reactive — the problem exposes a structural gap in how AI systems verify and present external sources.
Why LLM poisoning matters for AI agents, products and brands
- Customer trust is fragile: an AI recommendation that leads to fraud damages conversion rates and long-term loyalty more than a single phishing incident.
- Revenue leakage: traffic diverted to fraud sites means lost sales and chargebacks, plus the administrative cost of remediation.
- Regulatory and reputational risk: brands may face criticism for weak domain hygiene or for failing to warn customers about known AI-driven threats.
- New attack surface: AI for business and AI for sales now add retrieval layers and indexes to the list of places attackers can poison, so brand protection must cover those layers.
What shoppers should do
How do I know a ChatGPT-recommended shopping site is legit?
Check the domain carefully (beware extra words like “official” or “deals”); go directly to the retailer’s verified domain or official app; avoid sellers that demand bank transfers — prefer card or platform payments that offer reversals; report fraud to your bank and to reportfraud.police.uk.
What are the red flags?
Unusually deep discounts, pressure to pay by bank transfer, newly registered domains with no social proof, and sites that block standard payment options.
Executive playbook: actions and SLAs
Prioritise speed. Below are practical steps with suggested owners and service-level targets.
24-hour actions (triage)
- Verify canonical domains — Owner: Head of Marketing/Brand. SLA: within 8 hours, publish an official domain list for all commerce channels and add it to robots/manifest for bots.
- Block and warn — Owner: CISO/Product Security. SLA: within 12–24 hours, disable links in your own bots/agents and add fraud domains to blocklists.
- Customer alert — Owner: Head of Communications. SLA: within 24 hours, publish a customer advisory and FAQs across site, app, and social channels.
7-day actions (containment & remediation)
- Takedown requests — Owner: Legal/Brand Protection. Submit to registrars, hosting providers and payment processors; escalate via abuse channels.
- Work with AI vendors — Owner: Head of Product. Formalise a reporting channel and request immediate removal of fraudulent sources from retrieval indexes.
- Payment reversal support — Owner: Customer Ops. Coordinate with banks and advise victims on fraud reporting (reportfraud.police.uk).
90-day actions (prevent & harden)
- Allowlist canonical domains in all commerce recommendation flows — Owner: Product. Reduce retrieval risk by deprioritising new/unverified domains.
- Vendor SLAs — Owner: Procurement/Legal. Require AI vendors to include provenance metadata and a 24–48 hour takedown SLA for reported fraud.
- Brand monitoring — Owner: Security/Brand Protection. Implement daily DNS/WHOIS/brand-scan feeds (brand-monitoring providers such as DomainTools or BrandShield are common choices).
- Customer education — Owner: Marketing. Run a campaign showing how to verify domains and spot AI-sourced scams.
Technical mitigations product teams can implement now
- Allowlist verified merchant domains for commerce-oriented AI agents and deprioritise brand-new domains during retrieval ranking.
- Attach provenance metadata to web-sourced recommendations (domain verification, timestamp, crawl-source). Consider cryptographic provenance standards such as C2PA for signed merchant content.
- Use heuristics to flag suspicious offers: unusually high discounts, missing HTTPS (SSL/TLS) indicators, or payment instructions that exclude standard processors.
- Require merchant manifests or signed feeds (signed product catalogs) before surfacing buy links in AI-driven recommender flows.
- Implement automated similarity detection (screenshots, logos, UI fingerprinting) to identify lookalike pages quickly.
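A sketch of the allowlist and heuristic checks from the list above, as a gate a commerce agent could run before surfacing a buy link. This is an added example, not code from Ask Silver, OpenAI or any retailer; the canonical host, thresholds, payment labels and the `.example` TLD are assumptions, and only the four lookalike labels come from the article.

```python
import re
from urllib.parse import urlsplit

# All values below are assumptions for this sketch, except SAMPLE_LABELS,
# which are the lookalike labels the article lists.
ALLOWLIST = {"www.brand-canonical.example"}   # placeholder canonical host
BRAND_KEYS = {"russellbromley", "dunelm"}     # brand names, letters only
FILLER = re.compile(r"and|the|official|online|london|deals|uk")
MAX_DISCOUNT = 0.60                           # assumed review threshold
MIN_AGE_DAYS = 30                             # assumed; age comes from a WHOIS feed
REVERSIBLE = {"card", "paypal"}               # methods with a dispute path
SAMPLE_LABELS = ["therussellbromleyofficial", "russellandbromleylondon",
                 "russellbromleyonlineuk", "russell-and-bromley"]


def vet(url, discount, payments, age_days):
    """Return (verdict, reasons) for a buy link an agent retrieved.

    allow        -> HTTPS host on the brand-published allowlist
    block        -> at least one fraud signal other than domain age fired
    deprioritise -> unverified host; rank it below verified merchants
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and host in ALLOWLIST:
        return "allow", []
    reasons = []
    letters = re.sub(r"[^a-z]", "", host)     # drop dots, hyphens, digits
    squashed = FILLER.sub("", letters)        # russellandbromley -> russellbromley
    if any(k in letters or k in squashed for k in BRAND_KEYS):
        reasons.append("lookalike-domain")
    if parts.scheme != "https":
        reasons.append("no-https")
    if age_days < MIN_AGE_DAYS:
        reasons.append("new-domain")
    if discount >= MAX_DISCOUNT:
        reasons.append("extreme-discount")
    if payments and not (set(payments) & REVERSIBLE):
        reasons.append("no-reversible-payment")
    verdict = "block" if set(reasons) - {"new-domain"} else "deprioritise"
    return verdict, reasons


def vet_samples():
    """Vet the article's four lookalike labels under a constructed .example TLD."""
    return {label: vet(f"https://{label}.example/sale", 0.8, {"bank_transfer"}, 5)
            for label in SAMPLE_LABELS}
```

The substring match will also catch legitimate resellers whose hostnames contain the brand name, so a production gate would route `lookalike-domain` hits to review and add verified partners to the allowlist.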
Governance, vendor asks and policy
Platforms that provide AI agents should be required to improve source labelling and to provide clear provenance so users and downstream services can assess credibility. Vendors should expose APIs for rapid takedown and return transparency logs that show which sources were removed and why. From a policy perspective, regulators should consider minimum provenance and transparency requirements for AI-driven product discovery — especially when those agents link directly to third-party sites.
Responses timeline (compact)
- Discovery by Ask Silver → reporting to platforms and retailers.
- Retailers (Next, Dunelm) and registrars pursue takedowns.
- OpenAI removed flagged pages from ChatGPT’s index and offers a reporting form.
- Ongoing monitoring and vendor negotiations to close the retrieval gap.
Final takeaways
AI for business and AI for sales are changing how customers discover products, and that creates opportunity — plus a fresh attack surface. Treat provenance and brand protection as core features of any AI automation strategy. Start with the 24-hour triage steps, formalise vendor SLAs, and bake domain verification into recommendation flows. Do this and AI agents become reliable sales channels instead of vectors for fraud.