Dec 17, 2024
11 Smart Approaches to Combat Brand Impersonation Scams
As a business owner, you protect your reputation and build your brand. Imagine your dismay upon discovering that someone has created a website impersonating your brand to scam your customers. Brand impersonation can not only damage your reputation and scare away potential customers, but it can also pose serious risks to your customers and your bottom line. In this article, we’ll unpack the ins and outs of brand impersonation and provide practical brand protection strategies to help you recognize, prevent, and protect yourself from these scams. With our help, you can secure your digital identity and business reputation.
One way to protect yourself from brand impersonation scams is to use Bustem's copycat detection tool. This resource helps you monitor the web for lookalike sites that can confuse your customers and damage your brand.
Table of Contents
4 Methods of Brand Impersonation Attacks (and How to Tell They’re Scams)
How to Protect Your Digital Identity Against Brand Impersonation Scams
What is Brand Impersonation and How Does it Work?
Brand impersonation, or brand spoofing, is a phishing tactic that involves cybercriminals falsely representing themselves as your organization or one of its employees. This is typically done to get people (e.g., your customers or other users) to believe they’re interacting with your company. This way, they’ll be more willing to share their personal or otherwise sensitive information.
You know those fake Walmart or Amazon emails you always get in your junk mail? Those are just two examples of the types of mass brand impersonation you’ll commonly see nowadays. The idea is to get you to click on a link that takes you to a fake login portal, where you’ll be prompted to provide sensitive information such as your username and password. Since the attacker controls this phony site, they can easily steal your login credentials or other information.
Understanding Brand Impersonation Attacks and Their Risks
Brand impersonation attacks are often a shotgun “spray and pray” approach wherein an attacker sends out mass emails to a bunch of people with the hope that at least a few will fall for them. Bad guys ride the coattails of the trust your company has established with customers to trick them into doing one or all of the following:
Logging into a fake account portal that enables the attacker to steal their login credentials
Making payments for fraudulent products or services
Providing other desired sensitive information
Installing malware onto their devices
But what do some of these brand impersonation emails look like? In truth, you’ve probably already received some and just didn’t know it. Let’s take a quick look at a couple of brand impersonation scam emails I’ve received in the past few months.
Spoofed Display Name: With the display name “Apple Support,” the attacker attempts to masquerade as Apple. The recipient will likely only see the display name on a mobile device.
Sense Of Urgency: The attacker creates a sense of urgency by telling the user their account has been locked and they must take action.
Link to Fake Login Page: The call to action links to a fake login page designed to steal the user’s credentials.
Look at the invoice numbers and amounts, ranging from $214 to $463. Notice that the emails are all sent to me using the BCC field instead of including me as the only email contact. These factors, coupled with the fact that the senders’ email addresses have nothing to do with Norton and the messages are super generic, help me recognize that these emails have “phishing” written all over them.
Common Brand Impersonation Scams and Attack Vectors
Brand impersonation attacks can occur in many ways. Attackers often create emails, text messages, social media profiles, and/or websites that look like they’re from a legitimate brand to win the trust of their targets.
A few of the most common organization or brand impersonation scams you’ll find include:
Tech support scams
These scams often involve an attacker coercing a victim into downloading malicious software onto their devices under the false premise that their device is infected with malware. FBI data shows that 23,903 tech support fraud complaints were received in 2021 with losses surpassing $347 million.
Vendor scams
Not all targets are consumers. In some cases, attackers will impersonate one business to target another. In these cases, cybercriminals will send fake invoices via email to trick the target organization’s employees into clicking on them and installing malware.
They’ll go as far as to create fake websites and domains that closely resemble the real organization’s website to trick the victim into visiting it.
Subscription scams
Attackers convince unsuspecting users that they’ve been charged for services or products. They must call a call center or download some software to get a refund. (Think of the Norton LifeLock scam we talked about earlier.)
Law enforcement scams
Bad guys have no shame. Many cybercriminals have no qualms about pretending to be someone at your local police station or even impersonating a federal agent. Here, they’ll threaten targets with fines or even prison if they don’t comply with their demands.
Job offer/recruitment scams
Nothing is sacred. Beware of fake job recruiters whether you’re unemployed or just looking for a new position. These are among the lowest-of-the-low scammers who prey on individuals; they make false promises of great jobs to lure them into sharing sensitive information.
Related Reading
4 Methods of Brand Impersonation Attacks (and How to Tell They’re Scams)
1. Email Mass Brand Impersonation Attacks: The Cybercriminals’ Go-To Approach
This method is a favorite approach for many cyber criminals because emails are cheap, quick, and easy to send. However, what makes them particularly attractive is that they can simultaneously use these electronic messages to target many potential users.
Cybercriminals can send emails from domains like yours to trick users into providing info, opening malicious attachments, or going to phishing or malicious websites. This approach doesn’t require that they have access to your account (such as in an account takeover [ATO] attack. More on that in a second).
Let’s consider the following example of a brand spoofing email I received that was targeting American Airlines customers:
This phishing email is well put together. The grammar is pretty good, the graphics look official, and the “American Airlines” display as the sender is nice. However, if you dig a little deeper, you’ll start to notice a few key points that give away this is a spam email.
Let’s start with what the sender’s email address looks like when you go beyond the surface:
Let’s look at the URL that the OK button is trying to direct you to:
That part doesn’t look very official, does it? Not. And it’s important to note that Googleapis links are commonly tied to phishing scams and are used to distribute malware. This means that if I end up clicking on the link, it could result in malware being installed onto my phone or computer. Yikes.
Let’s consider another example that, in some ways, is a little trickier. It comes from what appears to be a legitimate email account and domain. This may have been a case of an account takeover attack, which means that an attacker gained access to a legitimate email account and used it to send out phishing or malicious messages.
The first glaring issue here is that I don’t do business with this organization, nor am I one of their patients. Second, let’s take a closer look at a link that was embedded in the View Attachments button:
This link would take you to an unknown website URL that is designed to appear to come from Adobe. But not everything is as it appears; when I checked this link against VirusTotal’s search tool, the search result shows that it’s flagged as malicious:
Doing a secondary check before clicking on any unknown (and unsolicited) links is always a good idea. Clicking on this link increases the risk of getting malware onto your device or going to a phony login portal that can steal your username and password.
Brand Impersonation Phone Calls: Vishing Attacks
Cybercriminals use voice phishing (vishing) to carry out attacks. In this case, bad guys use phones (often with the help of automated dialers) or VoIP systems to call people while pretending to be well-known companies or organizations. Some common examples of vishing scams involve personating the following companies or agencies:
Technology companies,
Financial institutions
Law enforcement
Other federal agencies (such as the FBI or IRS).
Bad guys know that fear is a big motivating factor. This is why some threat actors love to use scare tactics to coerce or manipulate victims into doing something they normally wouldn’t (like handing over account information or other sensitive info).
Brand Impersonation SMS Text Message Scams: Smishing Attacks
SMS phishing, or smishing, is an approach cybercriminals use to drive targets to phishing or malicious websites. They send SMS text messages containing links to websites (under the guise of enticing surveys, sweepstakes, or gift card offers) to random or targeted users’ phone numbers to see who will bite. An example of such a text message is the screenshot displayed to the right.
The goal here is to trick victims into believing the messages are legitimate. This way, they’ll be more likely to click on the link in the message, which can lead to a fake login portal or a site with drive-by downloaders.
Some Cybercriminals Combine Multiple Phishing Methods: Brand Impersonation Attack Variations
Some brand impersonation attacks involve a combination of different attack methods. For example, you’ve received Microsoft subscription scam emails wherein the attacker says you’ve been charged for a phony recurring subscription. To cancel it or get a refund for the charges, you are prompted to call a phone number where they can walk me through downloading a remote desktop protocol (RDP) application that will give them access to my device.
The attackers use the excuse that I need to download the program to connect to their bank server to initiate a money transfer to my account for reimbursement. Of course, the truth is that the whole situation is utter nonsense: there is no refund, as the charge wasn’t real.
The attacker’s goal is to get me to give them remote admin access to my device so they can:
Install malware
Steal my information
Encrypt your files
Do other nefarious things
If you fall for even one of these scams, it’s bad news for you and will likely result in a payday for the attacker.
Related Reading
How to Protect Your Digital Identity Against Brand Impersonation Scams
Regular Monitoring with Google Alerts
Before you can deal with impersonators, you need to find them. A straightforward way to begin this detection process is by setting up Google Alerts associated with your brand.
This accessible Google tool allows you to monitor any keywords or keyword phrases. If you focus on keywords related to your brand, you can monitor when impersonators post fraudulent versions of your content anywhere on the web.
2. Register Your Domains and Intellectual Property (IP)
You should strengthen your content portfolio by registering your web domains and intellectual property at the relevant bodies. For example, if you want to protect your trademarks, you can register them at the U.S. Patent and Trademark Office.
You can register your domains at Google Domains or other domain registration platforms. By registering your domains and IP, you will have a foundation to enforce your rights and pursue impersonators who may have infringed those rights. Owning your intellectual property will also help you report incidents of impersonation on social media platforms and marketplaces.
3. Collaborate with Platforms
You should actively collaborate with platforms to help them crack down on users violating their policies by impersonating your brand. Record any evidence of impersonations and submit it to them via the appropriate channels.
Many platforms, like Instagram, have dedicated services that allow you to report intellectual property violations and bring brand impersonation issues to their attention.
4. Strengthen Your Brand and Connection with Customers
You can also protect your business from impersonators by strengthening your brand and establishing robust customer relationships. If your brand has a solid online presence, it will be harder for scammers to impersonate your brand and get away with it.
Customers are the first line of defense. Talk to them and make them aware of the risk of impersonators. Encourage them to report any suspicious interactions or potential signs of impersonation.
5. Secure Your Domain with an EV SSL/TLS Certificate
Installing an extended validation (EV) SSL/TLS certificate ensures you’re asserting your digital identity in the biggest way possible. An EV certificate ensures your company’s verified name displays as prominently as possible while also including more detailed organizational information in your certificate details.
Consider registering domains that closely resemble yours and installing redirects to your main site to keep cybercriminals from registering those domains and doing anything bad in your name.
6. Use Email Signing Certificates to Add Your Signature to Outbound Emails
Much like how monarchs and others throughout history used wax seals to authenticate their correspondences and ensure their integrity, you can use a special digital certificate (called an email signing certificate) to do the same with your emails.
Digitally signing your emails is the modern solution to an age-old problem of communicating securely with someone when you’re physically not in the same location. Using a cryptographic signature allows your email recipients to verify that your messages are authentic and haven’t been altered.
7. Protect Your Domain Against Unauthorized Usage by Setting Up DNS Records
Set up domain-based message authentication, reporting, and conformance (DMARC) records on your domain name system. This builds on the sender policy framework (SPF) and domain keys identified mail (DKIM) and helps to ensure that only authorized users can send emails on behalf of your organization’s domain. DMARC is also a requirement of BIMI, which we’ll discuss next.
8. Show Customers Your Emails Are Legitimate Before They Even Click on Them with BIMI & VMCs
Implementing brand indicators of message identification (BIMI) in combination with using verified mark certificates (VMCs) adds another layer of digital identity to your outbound emails. This allows you to brand your mail right in recipients’ inboxes.
Recipients know your emails are legitimate by looking at your verified logo next to my messages in their inbox. Apple and Google support using BIMI and VMCs to display your verified logo in emails users receive on their platforms.
9. Assert Your Digital Identity in Your Code to Secure Your Software & Supply Chain
If you’re a developer or publisher, this is for you. Digitally signing your software, patches, scripts, and other executables using a code-signing certificate enables you to prove their authenticity to browsers and operating systems. This process attaches your verifiable digital signature to your code using cryptographic functions, showing that your products haven’t been altered since they were originally signed. Doing this assures your users that my software is legitimate and hasn’t been modified without my knowledge.
It’s important to note that these certificates won’t stop attackers from claiming to be you and delivering unsigned code. They provide users with a way of determining whether your communications, website, or software are legitimate. This way, if they download software or receive an email from “your company” (i.e., an attacker) that’s not digitally signed or doesn’t contain your verified logo, it’ll give them a reason to pause.
10. Train Your Employees to Recognize Authentic Company Communications
Educating and training your employees about cybersecurity is crucial for helping them keep your organization safe. If my employees have no clue how to identify a legitimate email from an imposter’s fake one, you might as well post a sign-out front stating, “cybercriminals make yourselves at home.”
As part of the training you provide, you’ll want to educate your employees to recognize and decipher my legitimate communications quickly and easily. This way, they can quickly assess messages to determine their authenticity. A well-known example of a company that takes this approach is PayPal:
Dedicates an entire section of its website to educating users.
Sends out emails regularly to its users, warning about scams and providing examples of emails to avoid.
Displays other messages to educate users of the dangers of brand impersonation and other phishing scams
11. Keep Your Secrets Safe
We’re going to leave you with one final but essential thought. For you to put your digital identity to use in an effective (and secure) way, you must properly manage your PKI certificate keys, passwords, and other “secrets.”
If you don’t carefully manage your access information and even just one gets lost or stolen, you risk exposing your sensitive data and systems or someone signing things they shouldn’t in your company's name. Either way, the scenario will likely damage your brand and reputation, resulting in fines or lawsuits. It’s just bad news all the way around with no upside.
Find and Take Down Copycats with One-click Today
Brand impersonation is a top issue for ecommerce stores, and Bustem is here to help. Bustem is a powerful copycat detection and removal tool for ecommerce merchants.
Our platform automatically scans billions of websites to identify unauthorized use of your store's content, including:
Images
Videos
Headlines
Text
Once we spot copycats, we streamline the entire takedown process with pre-filled DMCA forms and comprehensive case management. Built by people who know the game inside out, our service offers 24/7 monitoring, instant detection, and bulk takedown capabilities to protect your brand assets.
What Happens When Someone Steals Your Content?
Copycats can be a major nuisance for e-commerce merchants. Bustem efficiently identifies and eliminates these problems. Our powerful copycat detection and removal tool scans billions of websites to find unauthorized uses of your store’s content.
Whether dealing with competitors using your product images, stealing your ad copy, or duplicating your blog content, Bustem helps you identify and eliminate copycats efficiently to protect your brand reputation.
How Does Bustem Work?
Bustem automatically scans for copycats 24/7, providing instant detection and bulk takedown capabilities to protect your e-commerce store. We identify the unauthorized use of your store’s:
Images
Videos
Text
Headlines
And more
Before streamlining the takedown process to help you eliminate these threats quickly, we provide pre-filled DMCA strike templates to simplify the process, even if you’re simultaneously dealing with dozens of copycats.
Related Reading
Brand Reputation Protection
DMCA Service Provider
Shopify Trademark Infringement