When customers see a message from your brand on social media or in their inbox, is it really your brand, or is it a scam? The odds are rising that it could be a con. Brand-impersonation attacks increased eleven-fold from 2014 to 2018, in part because they’re so easy. Anyone can create a social media profile, and many companies have unprotected email domains that criminals can hijack for real-looking phishing campaigns. Here’s how you can protect your brand and keep your customers’ trust.
Brand impersonation is big business
Scams that trick victims into thinking they’re dealing with a store, brand or service provider they trust are not new, but there are new developments making these attacks more common. One is the growing organization and sophistication of cybercriminal gangs, who carefully profile the types of victims they want to target and even set fraud quotas for their criminal employees.
Another factor is the ease with which scammers can use brands’ own tools to cloak their identity. Copying a brand logo or even a validation symbol like the Twitter checkmark takes only a few minutes and minimal skills. Because email was originally developed without safeguards to verify senders’ identity, many if not most brands’ domains are open to tech-savvy malicious users. Without raising any alarms, they can launch phishing attacks that appear to come from the brand’s email accounts. This practice is known as domain spoofing.
Automation has dramatically increased the speed and scope of brand-impersonation fraud attempts, too. Scammers now send nearly 23 phishing emails every second and launch a new phishing domain every five minutes. The result is a perfect storm of brand fakery targeting consumers and damaging brands.
Social media scams that steal customer data
Social media scams make the most of real-time interaction to quickly steal account credentials and payment data from consumers. Scammers create fake accounts that look like their target brand – complete with copied logos and forged account-validation symbols.
With these accounts, they can offer fake coupons and deals, show up in brand-related threads posing as customer service representatives and run fake contests. When Apple released the iPhone X, for example, criminals created more than 500 Apple-imposter social media accounts to promote fake iPhone giveaways. All hopeful victims had to do was follow a link to a website that would quietly steal their credentials, take their payment data, or install malware on their devices.
Email impersonations that defraud your customers
Phishing attacks – emails from scammers posing as brands, stores, or service providers – rose by 250% during 2018, according to Microsoft. In addition to domain spoofing, fraudsters also send emails from “lookalike domains” (such as mlcrosoft.com instead of microsoft.com), send malicious links, request victims’ login and payment credentials, and even threaten victims with consequences for nonpayment. This last method swept the U.S. last fall and winter when scammers posing as local utility companies threatened to cut power to victims unless they paid a fictitious unpaid balance immediately.
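One way a brand's security team can screen newly observed sender or registration domains for lookalikes such as the mlcrosoft.com case above. This is an added example, not part of the original article; the character map, the category names and the sample domains are assumptions made for illustration.

```python
# Added example: screen observed domains for lookalikes of a brand domain.
# Assumption: the "name" is everything before the last dot; a production tool
# would use the Public Suffix List and a full Unicode confusables table.
CONFUSABLE = {"1": "l", "i": "l", "0": "o", "5": "s"}  # small illustrative map
SEQUENCES = [("rn", "m"), ("vv", "w")]                  # multi-character lookalikes

def skeleton(name):
    """Collapse visually similar characters so lookalikes compare equal."""
    for seq, rep in SEQUENCES:
        name = name.replace(seq, rep)
    return "".join(CONFUSABLE.get(ch, ch) for ch in name)

def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand):
    """Return a lookalike category for candidate, or None if it looks unrelated."""
    cand, legit = candidate.lower(), brand.lower()
    if cand == legit or cand.endswith("." + legit):
        return None                      # the brand itself or one of its subdomains
    c, b = cand.rsplit(".", 1)[0], legit.rsplit(".", 1)[0]
    if c == b:
        return "tld-swap"                # same name under a different TLD
    if skeleton(c) == skeleton(b):
        return "homoglyph"               # e.g. l for i, rn for m
    if edit_distance(c, b) == 1:
        return "typo"                    # one character added, dropped or changed
    if b in c:
        return "embeds-brand"            # brand name padded with extra words
    return None

# Constructed sample of observed domains, checked against the article's example brand.
OBSERVED = ["mlcrosoft.com", "rnicrosoft.com", "micosoft.com",
            "microsoft-billing.com", "login.microsoft.com", "example.org"]

if __name__ == "__main__":
    for domain in OBSERVED:
        print(domain, "->", classify(domain, "microsoft.com"))
```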
The fallout for brands after impersonation scams
Impersonation scams can hurt brands in several ways, even though brands are victims in these schemes, too. First and foremost, scams can drive away customers. Victims may blame the brand for not preventing the fraud, and research shows that 63% of consumers stop shopping with a brand after one bad experience. Other victims, as well as customers who learn about the scam in the media, may hesitate to open future emails from that brand, and that can cause marketing email campaigns to lose effectiveness. News reports and social media discussions can also steer potential customers toward other brands.
Phishing scams also require damage control. Brands that are targeted need to warn their customers about the impersonation scam. They also need to try to find out how the phishing is happening. Are fraudsters using the brand’s domains to send email? If so, implementing better email security is an urgent priority. Are scammers setting up lookalike accounts on social media? Those accounts must be reported and monitored.
Reducing the risk of brand impersonation
There are three core areas that help companies protect their brands from abuse by cybercrooks: communication, security and monitoring.
Communication: Include a safety policy in customer-facing emails, on your social media accounts, and on your site, along the lines of “Brand XYZ will never contact you to ask for your customer login or payment card information.” Visual communication matters, too, so keep your logo, colors and other visual branding elements consistent across channels, so knockoffs are easier for customers to spot. And when scammers target your brand, let your customers know what to watch for.
Better security: Create strong passwords for your brand’s social media accounts, keep a running list of who has login access, and update passwords when there are staffing changes. To prevent domain spoofing, implement a DMARC sender authentication policy on all your email domains. This open-source protocol gives domain owners the power to detect and reject unauthorized users.
Monitoring: Use social monitoring tools to keep tabs on brand mentions and conversations. Report scam accounts when they appear and delete comments on your pages and posts by accounts impersonating your brand. For email, DMARC will show you who’s sending emails from your domains (employees, third-party tools like MailChimp and maybe fraudsters) and can flag or reject suspicious outgoing messages. Finally, respond quickly to customer reports of scammers abusing your brand.
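To check whether the DMARC policy recommended above is actually enforcing on each of your domains, the following added example (not part of the original article) audits the TXT records published at _dmarc.<domain>. The domains and records are constructed sample data, and the function names are illustrative.

```python
# Added example: audit DMARC TXT records for enforcement gaps.
# SAMPLE_TXT is constructed data standing in for DNS answers at _dmarc.<domain>.
SAMPLE_TXT = {
    "example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    "example.org": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "example.edu": ["v=spf1 include:_spf.example.edu -all"],  # TXT present, but not DMARC
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    pairs = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the first tag must be v=DMARC1
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)

def audit(txt_records):
    """List weaknesses in one domain's DMARC setup; an empty list means enforcing."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return ["no DMARC record"]
    if len(records) > 1:
        return ["multiple DMARC records (receivers apply none of them)"]
    tags, findings = records[0], []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid p= tag"]
    if policy == "none":
        findings.append("p=none (monitor only, no action requested on failing mail)")
    else:
        # sp defaults to the value of p when it is absent
        if tags.get("sp", policy).lower() == "none":
            findings.append("sp=none (subdomains not enforced)")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"pct={pct} (policy applied to only part of failing mail)")
    if "rua" not in tags:
        findings.append("no rua= (no aggregate reports to monitor senders)")
    return findings

if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT.items():
        print(domain, "->", audit(txt) or "enforcing")
```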
Protecting your brand from impostors requires attention to what’s happening in your brand’s communication channels, as well as regular security improvements. These efforts are a good way to drive scammers away from your brand in search of easier targets. They’re also a must to build and maintain trust with your customers in an age when brands and consumers need to be allies in the fight against cybercrime.