What Can Brands Do About Brand Spoofing - And Why Should Marketers Care?

By Franco De Bonis, Marketing Director, VISUA

I’ve spent most of my working life working in, or for, brands, so I know that one of the things that is highest on any brand marketing team’s/manager’s mind is to maximise brand recognition and build trust. We want customers and consumers to feel warm, fuzzy and confident when our brand name pops into their heads. When they have a need, we also want our brand to be the first one that springs to mind.

I used to put a lot of effort into this myself, but thankfully in the days before cybersecurity became such a big issue. But what do brand reputation and cybersecurity have in common and what can brands do about it?

The Growth (And Expansion) Of Brand Spoofing

Spoofing attacks are not new, and if you don’t know what they are, the idea is quite simple: a bad actor/scammer pretends to be someone else in order to fool a victim. In the early days it was as simple as IP spoofing, email address spoofing and domain spoofing. If you can’t wrap your head around it, think of it like this…

Bad actors/scammers employ numerous tricks to confuse victims into believing they are looking at a genuine email or website and clicking on a genuine link. Instead of lloydsbank.co.uk, they might use loydsbank.co.uk (some people simply wouldn’t notice the missing letter). Or they could add a link pointing to lloydsbank.accountauthentication.co.uk. Many people won’t know that it’s the last part, just before the .co.uk, that has to be officially registered. So if you visit that link, you’re actually visiting a site called ‘accountauthentication.co.uk’, whose owner has created a subdomain called ‘lloydsbank’. On this subdomain, they can run an entire website or a single page that mimics that of the real Lloyds Bank.
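The two tricks above can be checked mechanically by working out which part of a hostname is actually registered. The following is an added example, not code from the original article; the function names are hypothetical and the public-suffix set is a tiny constructed subset standing in for the full Public Suffix List.

```python
# Added example. PUBLIC_SUFFIXES is a tiny constructed subset; real code
# should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"uk", "co.uk", "com"}


def registrable_domain(host: str) -> str:
    """Return the officially registered part: one label plus the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        # The longest suffix is tried first because i counts up from the left.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: assume it is one label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, kept one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, brand_domain: str) -> str:
    """Compare a link's hostname with the brand's real registered domain."""
    reg = registrable_domain(host)
    if reg == brand_domain:
        return "genuine"
    brand_label = brand_domain.split(".")[0]
    reg_label = reg.split(".")[0]
    if edit_distance(reg_label, brand_label) <= 2:
        return "lookalike domain"
    # Everything left of the registered part is a subdomain anyone can create.
    subdomain_labels = host.lower().rstrip(".")[: -len(reg)].split(".")
    if brand_label in subdomain_labels:
        return "brand name used as subdomain of " + reg
    return "unrelated"


if __name__ == "__main__":
    for h in ("www.lloydsbank.co.uk", "loydsbank.co.uk",
              "lloydsbank.accountauthentication.co.uk"):
        print(h, "->", classify(h, "lloydsbank.co.uk"))
```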

Early examples were quite basic and had terrible spelling and grammar, so it wasn’t too hard to detect even if you did accidentally click the link. But today, scammers can create flawless, pixel-perfect, omni-device versions of a well-known login or payment page that will fool many people, unless they check very carefully.

This activity was somewhat under control in 2019, but then the pandemic happened and scammers found a new and exciting outlet for their trickery. They stopped relying only on the old faithful of well-known banks, entertainment sites, technology systems, tax offices, and such; instead, they expanded out into delivery companies, health organisations, finance companies, file sharing systems and much, much more. Importantly, they broadened out to spoof a wide variety of small and virtually unknown brands, while going full guns blazing on the world’s biggest and most used brands.

You might think that’s bad enough, but the bad guys have gotten entrepreneurial, launching ‘brand spoofing kits’ for sale on the dark web. For just a hundred dollars or so, you can buy a complete kit, with fully designed copies of major brands’ web pages and emails, ready-to-go!

Brand spoofing is such a popular tactic because it’s relatively simple from a technical perspective and very effective. Depending on which cyber security company you talk to, they’ll tell you that somewhere between 90% and 95% of all compromises began as a phishing email. No wonder, when a recent brand trust report by Mimecast identified that 79% of people have received a phishing email to their inbox and a staggering 54% of those have opened a phishing email!

If that’s not bad enough, when it comes to brand spoofing:

  • 58% have landed on a spoofed website from search engines
  • 56% have landed on a spoofed website from social media
  • 55% have been directed to a fake website from a phishing email

So this is not just a problem related to email, which means consumers have to be vigilant in all channels and even in searches – which is tough because we all trust Google results, right?

So What’s It Got To Do With You?

As a marketer, you may be sympathetic to the victims of cybercrime who have been duped using a spoofed email or web page bearing your brand, but it has much greater ramifications than you might think. Financial institutions are already repaying customers and other victims who have been defrauded, thinking it was the real bank contacting them. This costs them millions in lost profits each year. So if you’re a brand marketer in a financial organisation, this has a very real cost to your business. But it’s even worse and affects more than just financial companies!

Although not directly related to consumer scams, loss of user data from a compromise can have massive implications, both financially, from penalties, and through the loss of customer confidence.

Now think of all the work you do to have your customers and subscribers agree to receive emails from you and to make them open them, read them and take action. So what do you think happens when they get an email from someone pretending to be you? Well, according to Mimecast, almost half (46%) of consumers don’t hesitate to open an email from brands they use regularly, and 36% will happily click a link in that email!

Now consider that when asked, consumers said:

  • 61% would lose trust in their favourite brand if that brand disclosed personal information to a spoofed version of its website.
  • 61% would lose trust if their money was stolen due to impersonation.
  • 57% would stop spending money with a brand if they fell victim to a phishing attack.

All the work you do to gain their trust and make them like your brand is gone, because of someone pretending to be you.

How Can Brand Marketers Fight Back Against Brand Spoofing?

There are a number of things you can do:

  1. Build brand protection into your communications and messaging to customers
    Think about what banks do. That message that you hear – “We will never ask you for your login details or password in full online”. So let them know what you will ask them to share with you and what you won’t. Make sure your customers know what your email address and domain look like. Explain to them that you will never call them, etc.
  2. Provide simple confirmatory actions that they can take
    Explain to them that if there is any doubt, don’t click the link, but instead visit your site or call you directly. Perhaps provide a resource on your website that shows all the ways they can confirm a genuine communication.
  3. Apply DMARC
    This is a technical implementation that your IT team needs to do. In simple terms, DMARC authenticates your domain as the only one that can send emails for your brand and tells receiving mail servers to block unauthenticated emails that claim to come from it. It won’t stop all attacks, but it will stop the most pernicious attacks that piggy-back off your domain.
  4. Engage with cyber security and brand protection agencies to find and report these fakes
    This one is not really directly within your remit, but it’s something that a cross-functional team within your company can tackle. In particular your IT/Cyber Security team.

    Many specialist cyber security and anti-phishing companies are now integrating computer vision into their phishing detection efforts, specifically to detect sophisticated brand spoofing attacks. Mimecast is one of those companies, and because of that they can offer specific protection from brand impersonation attacks. Other companies, like Red Points, can also offer proactive searches online for any web pages or social profiles that are spoofing your brand, through their impersonation removal service.

Most of these remedies take planning and time, and come at a cost. But unfortunately, brand spoofing is not only here to stay but is an exponentially growing problem that can affect all companies, large and small. Ignoring the problem, however, can badly damage your hard-earned reputation and ultimately your bottom line.

…Spoof Me Twice, Shame On Me

But technologies like Computer Vision for Phishing Detection can help to drastically mitigate the risk for your brand.

Ignore it at your peril.
