Advisory: 2025 Texas Flooding Crisis Scams
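During the 2025 Texas flooding, PreCrime Labs and BforeAI identified a large number of suspicious domains exploiting the disaster for scams, including fake donation sites, impersonated legal support, and sales of disaster-relief merchandise. Most of these domains were registered through free or low-cost hosting and had not been flagged by existing threat intelligence platforms. 2025-8-14 10:1:37 Author: bfore.ai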

Overview of Advisory: 2025 Texas Flooding Crisis Scams

Date: July 2025
Author: PreCrime Labs, BforeAI
Classification: Public Intelligence Summary

In the wake of the severe 2025 Texas flooding disaster, PreCrime™ Labs, the research division at BforeAI, identified a surge in opportunistic domain registrations and digital infrastructure aimed at exploiting public fear, disaster relief mechanisms, and donation campaigns. This behavior is consistent with past threat actor patterns during crises, leveraging real-world emergencies to socially engineer victims into scams, data theft, or fraud.

Key Findings of 2025 Texas Flooding Crisis Scams

The research team identified over 70 suspicious or malicious domains within 10 days of the flooding onset, 13 of which were registered within a week, exactly when news of the Texas flooding started making headlines. In addition, 46 domains have been updated since January 2025. This indicates that even if a spike in scam domain registrations isn’t seen again in 2025, the threat has not passed. The Fort Worth Star-Telegram reported on a Blue Ribbon Study finding that in the 14 years from 1986 to 2000, Texas had 4,722 flash floods, making the risk of Texas residents being targeted in this way a frequent problem.

Many of the domains analyzed as part of this advisory feature typical themes that leverage flood-related services, donation drives, and legal fraud baits like fake flood insurance claims and lawsuits. The researchers also observed volunteer registration forms that pose a risk of harvesting personally identifiable information (PII), as well as Google SEO or sponsored ad manipulation.

Some additional unique observations include infrastructure patterns linked to prior natural disaster scams and several domains hosted on cheap/free registrars, with rotating hosting infrastructure. Nearly all domains avoided immediate blocklist coverage and are not yet flagged on threat intelligence platforms.

| Theme | Description |
| --- | --- |
| Disaster Claims Fraud | Fake flood damage/loss legal support or financial aid (e.g. texasclaimrecovery.com, texasfloodattorney.com) |
| Donation & Relief Fraud | Fake charities or funding platforms (prayfortexas.store, floodaid2025.org) |
| Volunteer/Registration Bait | Pages collecting personal data (centraltxfloodhelp.com, texascares.org) |
| E-commerce Abuse | Merchandise & goods scams, including fake support stores (texasstrongnba.us, texasrentrelief.shop) |
| Search Redirection & Cloaking | Domains like texas-flood-today.pages.dev appearing in search or ad placement, redirecting to phishing or ad fraud |
| Reputation Piggybacking | Use of .org, .gov-style names for increased user trust (texasfloodvictims.org, texasfloodrepair.org) |

  • 45 domain registrations observed to be suspicious.
  • Less than 10% blocklisted on VirusTotal or major threat feeds (until BforeAI started disruption)
  • Most hosted with free page builders (Cloudflare Pages, Freenom, etc.)

Example Domains of Concern

A blog-style webpage (texas-flood-today.pages[.]dev) labeled “Texas Flood Today” appears to have language-specific targeting unrelated to regional aid bodies. It was also hosted on potentially unknown domains not affiliated with any official or media source.

Figure 1: A blog site issuing alerts about flooding in Texas hosted on a temporary hosting provider, raising concerns about the authenticity of the news

A commercial website (prayfortexas[.]store) branded as “Pray for Texas” offers merchandise like “Flood Disaster Relief Shirts”, “Pray for Texas” apparel, and politically branded tote bags. Themed merchandise sold under the guise of solidarity and support is a common feature of malicious campaigns built around disaster relief. Such websites use emotionally charged language and imagery (“Pray for Texas”, “Flood Support”, “Tragedy Shirt”) to drive purchases with no visible or verifiable link to actual relief efforts or nonprofits.

Figure 2: A newly registered domain selling merchandise on Texas flood theme

Another website (texasstrongnba[.]us) of a similar nature was found using NBA athletes’ imagery and logos to market “Texas Strong” merchandise under the pretense of supporting flood relief efforts. While the language suggests an official affiliation with NBA Summer League players, no clear or verifiable evidence is provided to support this claim.

Figure 3: A website announcing NBA’s support towards Texas floods, however the registrant details seem suspicious

A full list of the 45 suspected domains can be provided upon request.

  • Reuse of subdomain-style phishing paths (/register, /claim, /donate, /volunteer)
  • Cloning of known relief or news pages
  • Some domains redirecting to Telegram or WhatsApp bot links
  • WHOIS privacy enabled on 94% of domains
  • Majority hosted via Cloudflare, GoDaddy, Freenom, 000Webhost

For Security Teams / Providers

Implement automated blocking or sandboxing of newly registered domains (NRDs), especially those incorporating crisis-related themes during high-impact events like natural disasters. This reduces exposure to phishing and malware delivery infrastructure that often mimics government aid or relief organizations. It is advisable to enhance predictions and flag keywords like “relief,” “floodclaim,” “donate,” and “texasflood” in threat detection rules.
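One way to express the NRD keyword rule described above, as an added example (not BforeAI's code). The domains come from this advisory; the registration dates, the 30-day NRD cutoff and the block/review/allow actions are assumptions made for the illustration.

```python
import re
from datetime import date

# Keywords the advisory suggests flagging in detection rules.
KEYWORDS = ("relief", "floodclaim", "donate", "texasflood")
NRD_MAX_AGE_DAYS = 30  # assumption: cutoff for "newly registered"

def refang(domain):
    """Normalize a possibly defanged domain: 'a[.]b' -> 'a.b', lowercased."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def matched_keywords(domain):
    """Match after removing separators, so 'texas-flood' still hits 'texasflood'."""
    squashed = re.sub(r"[^a-z0-9]", "", refang(domain))
    return [k for k in KEYWORDS if k in squashed]

def triage(domain, registered, today):
    """Return (action, keywords): block NRD hits, review older hits, allow the rest."""
    hits = matched_keywords(domain)
    if not hits:
        return "allow", hits
    age_days = (today - registered).days
    return ("block" if age_days <= NRD_MAX_AGE_DAYS else "review"), hits

# Domains are from the advisory; registration dates are constructed sample data.
TODAY = date(2025, 7, 15)
FEED = [
    ("texas-flood-today.pages[.]dev", date(2025, 7, 8)),
    ("texasrentrelief.shop", date(2025, 7, 6)),
    ("texasfloodattorney.com", date(2025, 1, 20)),  # older registration
    ("prayfortexas[.]store", date(2025, 7, 7)),     # none of the four keywords
]

def run(feed=FEED, today=TODAY):
    """Triage every feed entry, keyed by the normalized domain."""
    return {refang(d): triage(d, reg, today) for d, reg in feed}

if __name__ == "__main__":
    for dom, (action, hits) in run().items():
        # Print domains defanged so the output is safe to paste into tickets.
        print(f"{action:6} {dom.replace('.', '[.]')}  {hits}")
```

With only the four keywords, prayfortexas[.]store passes as "allow", so the keyword list needs event-specific terms added and cannot be the sole control.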

Establish direct coordination channels with ICANN-accredited registrars and domain abuse desks to fast-track the identification, verification, and takedown of fraudulent domains. A faster response window is critical to limit victim exposure and infrastructure reuse.

For Government & Relief Agencies

Ensure that verified domains for aid, relief funds, and crisis communication (e.g., FEMA, Texas.gov, Red Cross) are widely shared and amplified across media outlets, social platforms, and emergency broadcasts at the earliest stages of a disaster. Early awareness reduces reliance on search engine results where impersonator domains may appear. Launch dedicated portals or hotlines that allow the public to report suspicious donation links or impersonator websites in real time.



Source: https://bfore.ai/report/advisory-2025-texas-flooding-crisis-scams/