They can actually clone almost a full address with just maybe two or three characters missing from it.
The only way to do that is by creating a burn address. There's no profit for a scammer who burns the money he steals.
This is possible with vanity address generators.
Try it. Address 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF holds 79,957.26462896 BTC. I'll make it easy on you: instead of 3 missing characters, try to create an address with 15 missing characters. You'll realize what you suggested is not possible.