
A joint blog: Mayuresh Walke, Nominet, and Rowena Schoo, NetBeacon Institute
Nominet sits on the NetBeacon Institute Advisory Council – working together to reduce DNS Abuse globally. The partnership highlights how important it is for trusted organisations to collaborate in keeping the internet safe and secure. We remain dedicated to working together to reduce abuse across the ecosystem.
Each year, around nine million older people in the UK automatically receive up to £300 to help with heating costs. Criminals are preying upon this opportunity by registering malicious domains and sending fake communications that mimic the UK Government. These scams often claim recipients must “apply” or “confirm details” to receive their payment, directing them to malicious websites designed to harvest bank information. But no application is required as payments are deposited automatically, and the Government has stated that it will never ask for personal or financial details.
The scale of the problem is huge. As payment letters were being issued earlier this year, it was reported that scam texts surged by 153% according to UK government figures.
Nominet has also seen a spike in registrations of malicious domains. Since August this year, Nominet has suspended nearly 100 domains that were registered to take advantage of those seeking the Winter Fuel Payment. Scammers hoped to use the fake websites in phishing attempts to extract personal information from those who might be eligible for the payment.
As key terms used in the domains were clearly misleading, Nominet was able to identify these domains at the point of registration using its machine learning tool, Domain Watch. These domains were then reviewed and suspended by its analysts as abusive registrations. The team also worked in partnership with registrars to suspend reported and verified scams of this type that were already active.
Often, these scammers try to trick people by using deceptive techniques in their domain name. One common method they use is called combosquatting. This is when they attempt to mix a legitimate brand, event, or recognisable phrase with additional terms. Because the name seems familiar to the user, it comes across as trustworthy, and because there’s no obvious typo, it can be easy to fall for.
An example of this is: winter-subsidy-gov[.]uk
Taking advantage of other TLDs
Large-scale scams such as this are not isolated to .UK. Although this scam targets UK consumers, criminals are using a number of Top-Level Domains (TLDs) to carry out their activities.
In August 2025, the NetBeacon Measurement and Analytics Platform (MAP) identified 2,227 unique domain names that appeared to be part of a coordinated phishing campaign.
These domains are split across multiple TLDs, with the majority in .cfd (45%, 998) and .qpon (34%, 761). The remainder (21%, 468) are spread among 33 different TLDs.
This campaign uses a technique called subdomain cloaking. This is designed to mislead victims by manipulating how a domain name looks. It works by adding one or more subdomains to create the illusion of a trusted website.
These subdomains are combined with keywords or random characters in the main domain name, followed by any TLD like .UK. To make the fake website look even more convincing at first glance, familiar elements of the legitimate domain are placed toward the left side of the address.
An example of this is: gov.uk-[keyword][random letters].[TLD]
NetBeacon expects that attackers will quickly shift between TLDs and/or registrars. Registrars and registries should be aware of this trend and look out for ‘TLD-’ combinations, for example: com-, uk-, gov-, de-, ca-, org-, pl- etc. or -uk, -com, -gov etc.
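One way to screen hostnames for the ‘TLD-’ combinations and subdomain cloaking described above, as an added example that is not Nominet's or NetBeacon's own tooling. The token list is taken from the examples in the text, the suffix set is a small stand-in for the Public Suffix List, and the `.example` hostnames are constructed.

```python
# Added example: flag 'TLD-' tokens and subdomain cloaking in hostnames.
# Assumption: token list taken from the examples in the text; extend as needed.
TLD_TOKENS = {"com", "uk", "gov", "de", "ca", "org", "pl"}
# Assumption: small inline stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "me.uk"}


def split_host(host):
    """Return (subdomain_labels, registrable_label, suffix) for a hostname."""
    # Undo defanging ("[.]" -> ".") and normalise case before splitting.
    labels = host.replace("[.]", ".").strip().strip(".").lower().split(".")
    n = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= n:  # bare suffix such as "gov.uk": nothing registrable
        return [], "", ".".join(labels)
    return labels[:-n - 1], labels[-n - 1], ".".join(labels[-n:])


def check(host):
    """Return a sorted list of reasons the hostname looks deceptive."""
    subs, label, _suffix = split_host(host)
    parts = label.split("-")
    reasons = set()
    if len(parts) > 1:
        if parts[0] in TLD_TOKENS:
            reasons.add("tld-prefix:" + parts[0] + "-")
            if subs:
                # Subdomains plus the leading token read as a trusted name.
                reasons.add("cloaked-as:" + ".".join(subs + [parts[0]]))
        if parts[-1] in TLD_TOKENS:
            reasons.add("tld-suffix:-" + parts[-1])
    return sorted(reasons)


# Constructed samples, except the first, which is the example from the text.
SAMPLES = [
    "winter-subsidy-gov[.]uk",
    "gov.uk-winterhelpqxz.example",  # full hostname as it should be reported
    "uk-winterhelpqxz.example",      # same name with the subdomain dropped
    "example.co.uk",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, check(s))
```

Matches are triage signals for analyst review rather than verdicts, since a legitimate name that happens to begin with a token such as de- will also match. The third sample shows that once the subdomain is dropped, the cloaked `gov.uk` prefix is no longer visible to the check.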
Reporting this scam
The rise in phishing scams linked to the Winter Fuel Payment shows how difficult it is to protect vulnerable groups from online fraud. The elderly, who may be less familiar with online security practices, are especially at risk.
The combination of financial strain, seasonal urgency, and trust in government communications makes Winter Fuel Payments a prime target for exploitation. As these fraudulent tactics become harder to spot, it is vital that the public stays alert and that authorities and the internet industry work together to provide clear, consistent guidance to help keep people safe.
The UK Government advises reporting anything you think is suspicious. If you get a message asking for your personal details (for example, bank details or passwords), it could be a scam.
If you suspect any malicious activity on a .UK, .CYMRU, or .WALES domain, it can also be reported directly to Nominet through this form. For other TLDs, reports can be submitted via NetBeacon Reporter’s centralised abuse reporting service. Any additional evidence, context and classification that can be provided with such reports will help speed up the process of investigation.
Researchers, law enforcement, security professionals, and threat feeds should pay particular attention to making sure reports of malicious domains include the full URL, including subdomains and page path. Otherwise, situations that involve subdomain cloaking could be overlooked in analysis. A complete URL helps NetBeacon Reporter pass on actionable evidence to industry.