Brand impersonation is a particularly thorny problem for CISOs. Cybercriminals piggyback off a trusted brand to push scam lures through various means to onto unsuspecting customers. They could disguise themselves as part of the organization’s IT team or someone familiar to trick employees into clicking on malicious links or send a message that looks like it is coming from a legitimate source to convince the recipient the contents are real.
Retailers, product creators, and service providers are increasingly having to deal with brand impersonation attacks. Mimecast’s “2022 State of Email Security Report” found that 90% of organizations experienced an impersonation attack over the previous 12 months. Further, the Mimecast “2021 State of Brand Protection Report“ found that companies on the BrandZ Top 100 Most Valuable Global Brands 2020 list experienced a 381% rise in brand impersonation attacks over May and June of 2020 compared to before the pandemic. New domains suspected of brand impersonation also rose by 366%. These impersonation attacks include not only the typical phishing or malware attacks, but also fraud that sells or claims to sell products or services on behalf of the brand. These include fencing of stolen items, non-delivery scams, and counterfeit or grey market sales of product.
“[Brand impersonation] is a fraud problem and a security incident problem,” says Josh Shaul, CEO of Allure Security. “People are stealing from you, and you’re trying to prevent the theft.”
Experts recommend that CISOs take a systematic and multidisciplinary approach to this problem. The right approach will not only require technology like automated detection, but also security leadership in helping business stakeholders to harden the brand on a number of fronts.
1. Engage in Trademark Basics
Shaul says that a “shocking” number of companies don’t go through the most basic actions of establishing and maintaining ownership of their brand’s trademark. The most fundamental step for hardening a brand from online attacks is to cover the basics like registering trademarks, logos, and unique product images, as well as keeping trademarks up-to-date.
“Once you lose control of the trademark, somebody else might register your trademark,” he says. “It’s a real problem for you. You can’t enforce it if you don’t own it, so you’ve got to start there.”
2. Take Ownership of Online Landscape
From there, the other basic component companies need to think about is taking ownership of a brand’s online landscape. This means not only picking up as many potentially relevant domain names as possible for the brand, but also setting up a footprint on all possible social media channels, Shaul says.
“A lot of companies are like, ‘Hey, we do social media, but we don’t do TikTok,’ or ‘We don’t do Instagram,’ and therefore they don’t set up a presence there,” he says. “If you don’t set up a presence for your brand on a major social platform, there’s nothing stopping somebody else from setting up a presence for your brand on that major social platform. Then you’ve got to try to recover it, which is kind of a nightmare. Just planting the flag is important.”
3. Monitor Domains
Organizations should not only be watching and monitoring the domains they own, but also their domain ecosystem, says Ihab Shraim, CTO of CSC Digital Brand Services.
“This means understanding the types of domains that are being registered around them because it’s a multidimensional cyber threat,” he says.
As he explains, often larger enterprises manage thousands of domains, which can make it difficult to keep tabs on and effectively manage the entire portfolio.
“Companies need to devise policies and procedures to monitor and mitigate threats associated with all their domains as an integral part of their security posture,” Shraim says. He explains that they should be continuously monitoring their domains and also digital channels within search engines, marketplaces, mobile apps, social media, and email to look out not only for phishing and malware campaigns but also brand abuse, infringements, and counterfeit selling on digital channels. “It is crucial for companies to understand how their brands are operating on the Internet.”
4. Leverage Threat Intel
Doug Saylors, partner and co-lead of cybersecurity for global technology research and advisory firm ISG, believes that organizations should leverage threat intelligence to help them with the adjacent domains and also the tricky tactics, techniques, and procedures used by bad actors in their impersonation attacks.
“Organizations need to invest in threat intelligence platforms that will help identify the use of fake domains, phishing campaigns, and other technologies to defeat the TTPs [tactics, techniques, and procedures] used to enable brand impersonation,” he says.
5. Consider Full-Cycle Brand Protection
Saylors is also a big believer in full-cycle brand protection. He recommends companies consider these services — not just for their detection capabilities but also their expertise in mitigation.
“They should engage the services of specialty firms that deal with the full lifecycle of brand protection to ensure scalability and absolute focus on reducing fraudulent activity,” he says. “These firms have advanced capability to identify fake sites, catalogs, and catalog entries and remove them through industrial-strength takedown procedures.”
As organizations evaluate online brand protection companies, they’ve got to keep in mind that this is another cat-and-mouse game detection category, where mileage may vary based on technology and how well companies keep up with evasive behavior from the attackers.
For example, when attackers found that their scams were being discovered through image processing and logo detection, they began with simple evasive techniques like changing the image file format and then evolved to use multiple nested images and text in a single collapsed image to trip up detection, says Shaul.
“So now, unless you can compare sections of an image, which is a super hard technical problem that some of us have solved, you can’t detect these things anymore,” he says. “They just bypass the evolving detections that organizations are putting out there.”
Another new tactic they’ve taken is creating generic fake shops and evolving them into branded shops over time, he says.
“The scammers are working hard to understand how detection is evolving in the industry, and doing things to try to evade detection as aggressively as they can,” he says.
6. Use Incident Responders Judiciously
Incident responders hate handling the mitigation of brand impersonation because it is a different skillset than a lot of analysts who get into the field for fun investigative work and not to chase down registrars to do takedowns, says Shaul. Even if a company can make it fun for their responders, they have got to be careful that they’re using their specialized responders in a cost-effective way.
He likes to tell the story of a banking customer that had been putting this on their IR team, who turned it into a fun exercise by breaking into phishing sites that were targeting the company’s brand and doing a lot of offensive security work.
“The IR guys were having a ball with it, but they realized, ‘Look how much time we’re spending basically just playing games with the attackers,'” he says. “They had their best people doing hard work to just clean up after scams that already happened.”
He suggests that by knowing in advance that response to these sites takes a different skillset than advanced analysts have, this might be a way to break in new security ops personnel and give early-career responders some experience through a planned career path that starts with impersonation takedowns.
7. Proactively Build Law Enforcement Relationships
Additionally, organizations should understand that they’re likely going to need to help from the authorities in many of these cases. Saylors says that CISOs should be working to proactively build partnerships with law enforcement agencies and other relevant government authorities around the globe.
“They should also have direct relationships with law enforcement organizations that will pursue and prosecute the criminals responsible for brand theft and the resulting revenue loss to legitimate companies,” he says.
8. Educate Consumers and Employees
Frequent and detailed awareness campaigns for customers about what brand impersonation looks like compared to the real deal can go a long way toward curbing their risk of falling for common frauds.
“Organizations, other than large banks, tend to fail in this area due to concerns about scaring their customers away,” he says. But actually, awareness campaigns like this can bring customers closer to the brand when they’re done right. Here’s a great example of what an awareness site can look like. This is a detailed fraud awareness article put together by Burton Snowboards that provides examples of fake Burton scam sites, with clues for their customers to look for in detecting a scam and some additional pointers. Communications like these can be used as a technique to not only build trust and goodwill among customers, but also build up the brand.
9. Differentiate Your Brand
One final thing that CISOs can encourage their organizations to do is to find ways to ensure all of their sites, pages, and experiences are visually and contextually recognizable as part of the brand. This is an opportunity for collaboration with the marketing department. Not only can customers recognize distinctive brands more easily, but it’s also a lot easier for automated detection searches to automatically find impersonated images and logos out in the wild, says Shaul.
“Ensure there’s something a little bit different about your brand that makes it so that your customers and even your employees can recognize it. That’s great for marketing but also helps security in a big way,” he says. “The more your brand has differentiated itself with the way it looks, the way it feels, the way it’s set — with little things like how your VPN looks — and the easier it is to protect the brand.”