Since the beginning of March 2026, experts have discovered at least 15 phishing resources that mimic official "whitelists" of sites operating during mobile internet shutdowns. According to ESA PRO, the scheme exploits users' trust in state registries: the victim receives a link from a fake bank or provider employee, but instead of directly following it, searches for "whitelist" in a search engine, finds a fake site, and enters the received address there. In reality, this is a signal to scammers that the "client is ready to be scammed." There is no separate official registry for checking links — only publications on the Ministry of Digital Development website.
The essence of the fraudulent scheme with "whitelists"
Attackers create networks of single-page sites (landing pages) designed as state registries with agency logos. The resources are promoted through contextual advertising and SEO: they occupy the top lines in Yandex and Google for queries such as "check site for security", "whitelist of Russian sites", "registry of trusted resources".
The user, following the caller's instructions, enters one of these queries into the search, clicks on the advertising link to a fake site, sees familiar symbols, and enters the link dictated to him into the verification field. After that, the scammers receive confirmation that the victim is ready for further action and extort data from "Gosuslugi" or bank cards.
The scheme is used in different scenarios:
- calls from "authorities" demanding confirmation of data;
- fake prize draws;
- checks from intercom companies;
- notifications from the "provider" about the need for verification.
In some cases, the attackers themselves send a link to a phishing resource, but for persuasiveness, they first include it in a fake registry so that the victim has no doubts about the authenticity of the resource.
What is a "whitelist" in reality
The official "whitelist" is a list of resources and IP addresses that are not blocked during mobile internet shutdowns. It includes "Gosuslugi", government websites, Yandex services, VK, marketplaces, and telecom operators. However, there is no separate public registry where any user can check an arbitrary link. All legitimate checks are limited to the official channels of banks and the "Gosuslugi" portal.
Experts note: fake "whitelists" live for several days, after which the domains are replaced with new ones, and contextual advertising quickly picks up their promotion. Users should not enter links received from strangers into any third-party "registries" — this is a direct path to losing an account.
Read more materials on the topic:
- The Ministry of Digital Development called the messages about "whitelists" for home Internet a fake: restrictions apply only to mobile communications
- Whitelist is being replenished: The Ministry of Digital Development will update the list of services available under restrictions every week
- 120 platforms in the "whitelist": it became known who will retain access in case of network failures