Is Your Brand Being Impersonated? Here’s What You Can Do
One of my favorite journalists, Cory Doctorow, was recently duped by a brand impersonator. He tried to order Thai food by googling the name of his favorite restaurant. The top result was a sponsored post with the same name as the Thai restaurant he wanted, but it was a fraudulent website.
“We got scammed,” writes Doctorow. The new site was a lookalike for that of his regular restaurant, but the fake one had significantly marked up the prices and relayed the order to a different restaurant. The scammer also double-billed Doctorow for the order.
This brand impersonation incident is anything but isolated. The FTC reports that impersonation fraud jumped 85 percent between 2020 and 2021, resulting in $2 billion in losses. This increase comes from fraudsters using ever-more sophisticated technology. They not only publish phony websites and buy fake ads, but they also create deceptive social media profiles and counterfeit mobile apps in an effort to defraud consumers.
This kind of fraud is no longer limited to technologically proficient hackers, either. Low-code phishing kits allow bad actors to easily deploy fake websites with very little technical know-how needed. What’s worse, consumers are likely to associate any fraud with the brand itself. Around two-thirds of consumers believe it’s a business’s job to defend them against this sort of brand impersonation. What can businesses do to avoid these dangers?
How to catch brand impersonators
To protect your brand, the first step is to keep track of new sites that crop up, but that’s not an easy job. Each day brings 250,000 new websites, thousands of mobile app releases, billions of Facebook posts, millions of tweets, and millions of LinkedIn updates.
Some companies think it’s possible to stop this simply by searching for permutations of a brand’s domain. This reflects a common approach to brand impersonation known as “typosquatting,” in which a fake website uses a domain name remarkably similar to its legitimate counterpart in order to lure unsuspecting victims.
Unfortunately, if you base your detection efforts merely on permutations of your domain name, you can miss many other kinds of spoof websites. To keep up with attackers’ innovations, companies need to employ technology – such as machine learning and computer vision – to detect fraudulent websites more effectively.
For example, go back to Doctorow’s spoofed Thai restaurant. The website name and the branding imagery were very similar to the real deal. To fight this, businesses can use machine learning to create a system that recognizes images of the company’s logos, products, and other branding elements. They can then use computer vision to scan the web for images that match the brand’s trademarks. If a match is found, the system can flag the site as a potential spoof.
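The domain-permutation check described above, and the kind of site it cannot see, as an added example that is not from the original article. The brand domain, the observed domains, the small look-alike character map and all function names are constructed for illustration.

```python
# Added example: name-based triage of newly observed domains for one brand.
# BRAND and every domain in OBSERVED are constructed sample values.
import unicodedata

BRAND = "examplethai.com"
# Small illustrative look-alike map (digits and two Cyrillic letters), not a full confusables table.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "\u0430": "a", "\u0435": "e"})

def label(domain):
    """Second-level label, lowercased (assumes a single-label TLD such as .com)."""
    return domain.lower().rstrip(".").split(".")[-2]

def skeleton(text):
    """Fold look-alike characters so 'examp1ethai' compares equal to 'examplethai'."""
    return unicodedata.normalize("NFKC", text).translate(LOOKALIKES).replace("rn", "m")

def edit_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute, swap adjacent characters."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def classify(domain, brand=BRAND):
    """Return the reason a domain resembles the brand's name, or 'no-name-match'."""
    if domain.lower().rstrip(".") == brand:
        return "legitimate"
    cand, ref = skeleton(label(domain)), skeleton(label(brand))
    if cand == ref:
        return "lookalike-characters-or-tld-swap"
    if edit_distance(cand, ref) <= 1:      # one slip: the classic typosquat
        return "typo"
    if ref in cand.replace("-", ""):       # brand name embedded in a longer label
        return "brand-keyword"
    return "no-name-match"

OBSERVED = ["examplethai.com", "examp1ethai.com", "ex\u0430mplethai.net",
            "exampelthai.com", "examplethai-order.net", "best-noodle-delivery.com"]

def triage(domains=OBSERVED):
    return {d: classify(d) for d in domains}

if __name__ == "__main__":
    for domain, verdict in triage().items():
        print(f"{verdict:34} {domain!r}")
```

The final sample domain comes back as `no-name-match`: if a site on that domain copied the brand's name and imagery, a name-only check would never surface it, which is why the page content itself has to be inspected.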
You’ve caught an impersonator. Now what?
If you’ve located a brand impersonation website, profile, or app, you can certainly complain to Google if it’s a website, or the social media platform if your impersonator is on LinkedIn, Facebook, or Instagram. But it’s not enough to simply leave it at that. You can’t trust that an impersonator takedown is complete until your team has personally validated that the content is no longer online. You need to be continually diligent and verify the content has been removed.
The trouble is, registrars, hosts, and online platforms don’t always make it easy. And time is not on your side. Each minute a scam lives can increase the number of victims. While you’re trying to call Google’s support number, there are immediate steps you can take in the meantime.
One effective method of fighting back is to submit problematic content to blocklists, central databases used by internet service providers and web browsers that effectively block consumer access to harmful or fraudulent websites. This prevents 90 percent of internet users from encountering the content. You can also put out an alert on your own site and social profiles to warn customers to be on the lookout for the fraud, at least until you can verify the impersonator site has been taken down.
Remember that reputation matters. I suspect Doctorow’s restaurant tried to work with Google or credit card companies directly to get that fraudster taken down, but it seems that those efforts weren’t effective. That’s why hiring a company that specializes in detection and takedown is an increasingly popular route among brands. Hosting platforms and social media networks are faster to act when a reputable vendor, one they have an existing relationship with, is requesting the takedown.
When vetting vendors, you should note that some of them outsource takedowns to other companies, which can increase takedown time and negatively affect your customer service. Look for vendors that have direct relationships with registrars and hosts.
A comprehensive strategy to combat brand impersonation also goes beyond the website itself and looks at social media posts and profiles as well as mobile app store listings, both official and unofficial. It’s important to cover all the vectors that your company uses to communicate with customers. Even if one vector remains unprotected, you may be leaving your customers vulnerable to spoofs.
Josh Shaul
Josh Shaul is the CEO of Allure Security. He is known as a visionary security leader with expertise in building teams, creating strategy, and driving growth for security companies of varying sizes. He is passionate about providing comprehensive digital protection to businesses while inspiring trust and confidence in their customers and clients. He is recognized as a leader with strong diplomatic skills, a natural affinity for cultivating and nurturing global relationships and for possessing unwavering personal ethics and integrity.