Daylila

Cybersecurity · Sunday, 5 July 2026

01 · Briefing · what happened

Fake Aldi sites are selling air conditioners that don't exist to a sweltering Britain

Cybersecurity 3 min 2 sources

As a record heatwave empties the shelves of cooling units, criminals have cloned Aldi's website to sell bargain air conditioners that never arrive — and the same trick is impersonating footballers to push illegal betting apps.

Key takeaways

  • Criminals have cloned Aldi's website to sell cheap air conditioners during the heatwave, using fake countdowns and "only 5 left" warnings to rush hot, frustrated buyers into handing over card details.
  • The defence costs nothing: a huge discount on a sold-out item, plus a timer telling you to hurry, is the red flag — stop and check the site's actual web address before you pay.
  • The same borrowed-trust trick is impersonating footballers with AI-generated video and fake BBC articles to push illegal betting apps, run from offshore havens where enforcement is near-impossible.

Britain is in a record heatwave, air conditioners are sold out in the shops, and criminals have noticed. Over the weekend, the security firm Kaspersky uncovered a fake website that copies the supermarket Aldi almost exactly — right down to the logo and real product photos — and sells air conditioning units at a third of the normal price [1]. You pay, your card details go to the criminals, and no unit arrives.

How the fake shop works

The site is a careful copy of a real one. One listing offers an “energy efficient” air conditioner and heater for £28.13, down from £64.44, with “only five left in stock” [1]. Another lists a portable unit for £149.99 against a claimed usual price of £474.99, with “just 11 units left” [1]. The site shows a running count of other shoppers viewing the item and a countdown timer on the special price [1].

None of that is real. It works because of pressure, not deception you would normally miss. “When demand spikes, warnings that only a few items are left or that a discount is about to expire can easily compel users to enter financial details,” said Olga Altukhova of Kaspersky, whose team found the sites [1]. The heat, the empty shelves, and the fake countdown together are designed to make you act before you think.

Aldi was the best-known brand copied, but not the only one [1]. Aldi says its genuine offers appear only on its official site and social accounts, and that it works to identify and report the fakes [1].

The tell is in the address bar

There is no clever technology to detect here. The fake shop’s whole trick is getting you to skip one check: the website’s actual address. A discount that large on an item everyone wants, paired with a timer telling you to hurry, is the red flag [1]. Kaspersky’s advice is plain — stop, and check the URL and the design before you type a card number [1]. If you are unsure, search for the retailer’s name in a separate tab and use the link that comes up, rather than one from an email or ad [1].

If you have already handed over card details on a site like this, contact your bank, report it as fraud, and change any password you reused elsewhere [1].

The same trick, wearing a footballer’s face

The heatwave scam borrows a supermarket’s name. A second scam this weekend borrows people’s faces. Illegal online casinos called Nightwin and QH88 hijacked the identity of two of the world’s most famous footballers — Real Madrid’s Jude Bellingham and Manchester United’s Bruno Fernandes — to present them as official partners, using fake news articles and AI-generated video [2].

For Bellingham, the casino bought advertising space on Instagram carrying a made-up story attributed to the BBC, claiming he had launched his own honest betting app, complete with his sponsor’s stylised signature [2]. A tap on the ad led to an app with a fake 4.9-out-of-5 rating and an invented 1.9 million downloads, then straight to the casino [2]. Neither player has anything to do with it [2].

These operators run from offshore havens — Nightwin is licensed only in Curaçao, through a shell company registered there, and can be reached from inside the UK even though it appears nowhere in Britain’s gambling register [2]. That is the point of the setup: enforcement is close to impossible. As the Guardian put it, you cannot sue ghosts [2]. A deepfake video of a trusted face is cheap; chasing the company behind it is not.

02 · Lesson · why it matters

The scam doesn't beat your judgment — it rents a name your judgment already trusts

Trust is a shortcut we build so we don't have to check everything twice. A good counterfeit doesn't break that shortcut — it wears the face of someone at the end of it.

The check you already skipped

When you see the Aldi logo, you stop checking. That is what a logo is for. You have bought from Aldi, or you know someone who has, and the name carries all of that history in a single glance. So when a website shows you that logo and a real product photo, some part of you has already decided it is safe before you read a word.

The criminals cloning Aldi this week did not defeat your caution. They walked in behind it. Your trust in the real Aldi is the thing they borrowed — the whole scam is a rented name, pointed at your card.

Trust is a shortcut, and shortcuts can be forged

You cannot verify everything. Nobody has time to read a shop’s business registration before buying a fan. So we lean on names, logos, ratings, familiar faces — signals that let us skip the checking. Most of the time this is exactly right. A society where you had to prove every stranger’s honesty from scratch would grind to a halt.

The forger’s trade is to counterfeit the signal, not the thing behind it. A fake 4.9-out-of-5 rating. A made-up “1.9 million downloads.” A story dressed as a BBC article. None of it is the trustworthy thing itself — it is a copy of the sign that points at trustworthy things. And the copy is cheap. An AI-generated video of Jude Bellingham costs almost nothing; the reputation it borrows took him a career to build.

The pressure is aimed at the shortcut

Notice what the fake shop adds on top: “only five left,” a countdown timer, a running count of other shoppers. That is not there to convince you the site is real. It is there to stop you from doing the one check that would save you — looking at the actual web address.

Trust-shortcuts fail hardest when you are rushed. The heatwave did half the work: you are hot, the shops are empty, and a bargain appears. The timer does the rest. Every scam that borrows a name pairs it with a reason to hurry, because the borrowed trust only holds for as long as you don’t stop and look.

Whose name gets rented, and who pays

Bellingham and Fernandes did nothing and lost something anyway — their names now sit on an app they never touched. Aldi did nothing and now spends effort hunting down copies of itself. The bank eats some of the fraud. And you, if you paid, are out the money and the afternoon.

That is the quiet unfairness of a rented reputation. The person whose face is borrowed, the company whose logo is copied, the stranger who gets the scam text — none of them chose to be in this, and the cost lands on all of them. The forger picked exactly the names we already trust, because those are the ones worth stealing.

The web of trust holds us all

We are all standing on trust we did not personally verify. You trust the logo; the shop trusts its brand protects it; the footballer trusts his name means what he built it to mean. Each of us is leaning on a signal we assume is honest — and that assumption is the surface every counterfeit aims at.

You cannot stop trusting names; a life spent verifying everything is no life. But it is worth knowing how thin the sign is, and how far it can be from the thing it points to. The bargain that appears right when you most want it, wearing a face you know, asking you to hurry — that is the shape of a borrowed name. Seeing it doesn’t make you clever. It makes you slow down for the one look that the whole trick depends on you skipping.

03 · Lab · your turn

The Bargain That Found You

Rehearse spotting a borrowed-name scam by slowing down for the one check — the web address — that fake urgency is built to make you skip.

04 · Hope · carry this

The same trust that scammers borrow is the real thing underneath — most names really do mean what they say, and the defence that keeps yours safe costs nothing but a second look.

Across the beats