Brand Impersonation Attacks are a Double-Edged Sword
 

First, the bad news: Email phishing campaigns and other malicious attacks that impersonate brands rose significantly in 2020. Now, the good news: The sheer number and high visibility of the attacks have increased awareness of the problem and the need to take action against it.     

Mimecast’s The State of Brand Protection 2021 (SOBP) report shows that email phishing campaigns and other malicious attacks that impersonate brands rose significantly during the pandemic-ravaged 2020, when doing everything from home — working, shopping, seeing a doctor, socializing — abruptly became the norm. 

Companies on the BrandZ™ Top 100 Most Valuable Global Brands 2020 list — Amazon, Apple and Microsoft are the top three — experienced a 381% spike in brand impersonation attacks in May and June 2020 compared with January and February 2020, before the pandemic hit, according to the SOBP. New domains suspected of brand impersonation also rose sharply in May and June 2020 — up 366%.

Email Phishing is a Leading Source of Brand Impersonation Attacks

An impersonation attack typically involves an email that seems to come from a trusted source, such as a colleague or — as we have seen so often during the last year — a familiar organization.

Take, for example, the IRS. Phishing schemes exploiting the IRS name and logo have landed high on the organization’s own “Dirty Dozen” list of common scams that taxpayers may encounter, especially during tax filing season.[1] This year, the IRS also warned of a scheme specifically targeting universities: “People should be aware of an ongoing IRS-impersonation scam that appears to target educational institutions, including students and staff who have ‘.edu’ email addresses,” noted the IRS in a statement.[2] “The suspect emails display the IRS logo and use various subject lines, such as ‘Tax Refund Payment’ or ‘Recalculation of your tax refund payment.’ It asks people to click a link and submit a form to claim their refund.”

The Better Business Bureau, meanwhile, recently warned of a Zoom-focused scheme, designed to prey on people inundated this past year with requests for Zoom meetings from their managers, colleagues, friends, religious leaders, personal trainers, healthcare providers and so on.[3]

“Out of the blue, you receive an email, text or social media message that includes Zoom’s logo and a message saying something like, ‘Your Zoom account has been suspended. Click here to reactivate,’” stated the BBB in an alert. “No matter what kind of phishing message you receive, scammers hope you will click on the link they’ve included in their email. These links can download malware onto your computer or lead you to a page where you are prompted to enter your login information. Entering your username and password gives scammers access to your account and any other account that uses a similar login and password combination.” [4]

These phishing schemes illustrate the ways in which attackers target specific groups of users and their vulnerabilities. The result? With the rising volume and increasing precision and quality of brand impersonation attacks, unwitting clicks on dangerous links soared 84.5% during the course of the year, the SOBP reports.  

The Verizon “2021 Data Breach Investigations Report” echoes these findings: “Phishing is responsible for the vast majority of breaches in [the Social Engineering] pattern,” states the report. “Business Email Compromises (BECs) were the second most common form of Social Engineering. This attack scenario reflects the meteoric rise of Misrepresentation, which was 15 times higher than last year in Social incidents.”[5]

Brand Impersonation Attacks Cut Both Ways

It’s also important to note that brand impersonation cuts both ways. Just as brand impersonation wreaks security havoc when end users click on malicious links — downloading ransomware and other malware — or turn over sensitive information, it can tarnish or even ruin the reputation of the brands that were spoofed.

According to Mimecast’s The State of Email Security (SOES) report, 42% of respondents indicated an increase in the number of incidents where their company’s brand was impersonated or misappropriated to create a counterfeit website, while an even greater number (47%) reported a rise in malicious email spoofing that made fraudulent use of their company’s domain.

Brand Impersonation Attack Fallout

Here are some important findings from the SOBP report for organizations to consider:

• It’s not just the Googles, Apples, Microsofts or even IRSes of the world that are at risk. No matter the company size or industry, if a brand has an online presence, it’s at risk.
• You may not know you have a problem without active monitoring.
• Brands are not only losing trust to impersonation schemes, they are also losing leads: Every click-through from a fake email to a spoofed web page could be stealing a marketer’s lead. Marketers and security teams must work together to achieve brand safety.
• It will be challenging and time-consuming to have spoofed web domains taken down, if they can be taken down at all.

Organizations are rightly worried. More than nine out of 10 respondents (91%) to Mimecast’s SOES survey said they would be concerned if a counterfeit website misappropriated their company’s brand, while 93% of respondents would be greatly concerned if bad actors spoofed their company’s email domain.

Encouragingly, the majority of people who expressed concern are taking action: An impressive 92% of respondents reported that their organizations are either making use of or have near-term plans to make use of a service to detect and protect themselves against counterfeit websites and other attempts to impersonate their brand. Of these, 77% have already deployed such a service.

DMARC Is a Key Tool for Fighting Brand Impersonation

Organizations are also taking a closer look at the use of DMARC, or Domain-based Message Authentication, Reporting and Conformance. DMARC is an email authentication, policy and reporting protocol that builds on two protocols already widely used by organizations: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Should an email fail both protocols, DMARC kicks in to help receiving mail servers determine whether to accept, block or quarantine the message. 

Using DMARC, organizations can set policies that help prevent spoofed email from reaching employees, customers and other recipients. According to the SOES report, 85% of respondents indicated their companies are either already making use of DMARC (26%), are in the process of implementing the protocol (30%) or plan to do so during the next 12 months (29%)

Likewise, more and more vendors are integrating DMARC into their products and services. Organizations looking to beef up their email and brand protection should include DMARC on their criteria list.

Tips for Mitigating Brand Impersonation Attack Risk

Fortunately, there are a number of other ways organizations can mitigate the risk of brand impersonation attacks — whether that risk comes from customers clicking on a link in a spoofed email or from an organization’s brand being impersonated in a phishing campaign. 

1. Layer defenses: Organizations’ existing platforms may include features that will help fight brand impersonation attacks, but they very likely are not enough. For example, Microsoft 365’s built-in security features go a long way toward protecting the organizations that use the platform, but nearly nine in 10 companies strongly believe they need additional layers of email security beyond what Microsoft provides, the SOES report found.
2. Leverage AI and ML: It’s still early days for artificial intelligence (AI) and machine learning (ML) as part of a cybersecurity strategy, but more than a third of companies are using the technologies to bolster their cyber defense. This number is even higher among companies that have a cyber resiliency strategy in place, according to SOES.
3. Place a higher priority on cybersecurity awareness training: The chances of a brand impersonation attack’s success depend on employees falling prey to it. Companies need to place a high (or higher) priority on ongoing training to help them identify, avoid and report suspicious activity.
4. Implement brand monitoring/protection services: Services that provide monitoring to identify brand impersonation, including the DMARC email protocol, provide context into issue severity, help brands mitigate the problem and help take down brand impersonation websites more rapidly than organizations could on their own.

Bottom Line

Brand impersonation attacks — which have spiked during the COVID-19 pandemic — are a double-edged sword: They dupe end users into providing sensitive information and/or clicking on links that download malicious content. And, when an organization’s own brand is used in an attack, brand impersonation chips away (or, in some cases, destroys) customers’ trust. By prioritizing security awareness training, a layered cybersecurity approach and the use of emerging technology such as DMARC, organizations can protect their customers and themselves.  

[1] “Dirty Dozen,” IRS

[2] “University Students and Staff Should Be Aware of IRS Impersonation Email Scam,” IRS.

[3] “BBB Scam Alert: That Zoom invite is really a phishing scam,” Better Business Bureau, Nov. 25, 2020.

[4] IBID.

[5] “2021 Data Breach Investigations Report,” Verizon.