What to do when cybercriminals use a company’s brand to con people with link manipulation, website spoofing, social media impersonation and fake texts.
- Cybercriminals use common marketing tactics to connect with their “marks.”
- They often hijack variations of a company’s branding to increase trust.
- Vigilance and education are key. So is knowing how to report an attack.
Who hasn’t received a customer service robocall or email, allegedly from Amazon, confirming a $1,600 iPhone purchase? This scam relies on Amazon’s brand value, the ubiquity of Amazon accounts and the looming threat of a big purchase to scare recipients into responding and becoming marks. Is that good for Amazon’s brand? Decidedly not. It’s even worse when it happens to smaller brands.
The customer service confirmation scam, whether by phone or phishing email, is just one example of how bad actors are hijacking hard-earned brand equity and using common marketing tactics to make their con. In fact, cybercriminals are deploying a complete range of marketing tactics to try and separate people from their money, as described in Mimecast’s The State of Brand Protection 2021 (SOBP) report. To cybercriminals, the brands they impersonate are just bodies they step over to get their way.
Here’s a look at some of the marketing tactics cybercriminals are using and ideas for how businesses can keep their brands safe.
Link Manipulation — and How Brands Can Combat It
For an investment of as little as $2.99, a cybercriminal can register a look-alike domain. Whether they buy a typo-variation of a company’s official domain or grab an alternative to the .com top-level domain, it doesn’t take much to spam out a barrage of phishing emails with what looks like an official branded link. When the link gets clicked, users are redirected to the cybercriminal’s site. The brand isn’t involved, or course — but try telling that to the victims.
These manipulated links are delivered via email and text and spring up like prairie gophers, requiring near-constant monitoring to keep up with detection. The first line of defense needs to be diligence and education.
According to the SOBP report, clicks on unsafe URLs delivered in emails dramatically escalated over 2020, nearly doubling over the first few months of the year. After retreating a bit mid-year, escalation continued. One interviewee saw 300,000 brand-impersonating emails in a single month.
Some actions brands can take to combat link manipulation include:
- Coach employees, especially customer-facing staff, to report suspicious emails or texts. Customer support may field inquiries from customers who have received an email or text they believe to be official but may in fact turn out to be fraudulent. Make sure reps don’t close the ticket without getting the email or text forwarded to them.
- Inspect each fake email for clues as to how it was sent out. If they came via a commercial system, report them to that commercial system. How do you know? Go to whois.com and enter the domain name in the search box. The second line of the record shows the name of the registrar. Reputable registrars will provide a way to report the abuse and have the power to take down the site. But they won’t do it without a report.
- Consider emailing customers to alert them if you believe an email or text with a fake link has been broadly deployed. Customers will appreciate the diligence, and it will help mitigate potential brand damage.
How Brands Can Combat Website Spoofing
Once cybercriminals have a look-alike domain name, why not create a look-alike website as well? With a little bit of certificate-spoofing, the resulting site can even have the enviable https status that many people rely on to establish trust. According to the SOBP, about 84% of manipulated links click through to certificate-protected sites. In fact, the report shows that suspicious domain registrations overall in the last two months of 2020 were 73% higher than in the first two months of the year.
A clue to finding website spoofs may lie right on a company’s server. Websites have logs that track every server request — including individual images — and display the name of the domain that made the request. If a hacker is hosting a version of a company’s home page, the images might still be coming from their original server location, and this can be seen in the server logs.
If server logs show an image is serving onto a different domain, especially if the referring domain is a variation to the company’s official domain name, it’s worth investigating. At the very least it might be a copyright infringement. At worst it could be a spoofed site.
It also makes sense to monitor the web analytics’ view of referral traffic. Spoofed sites might include links to the official site either by accident or in an attempt to gain SEO rank. Set up a report that excludes all the known big referral names — the search engines and social media — and then look through the report for suspicious domains. It will take some fine-tuning; the resulting report will do a good job of reducing the number of referrers to a manageable number.
You can also search for the malicious domain name by typing “site:domain_name” (replacing domain_name with the fake domain name) into Google. This will show its coverage in Google. Report the abuse to Google at https://safebrowsing.google.com and it will remove the site from its index.
Of course, this requires a whole lot of expensive, hard labor. Luckily, it can be automated. In fact, Frost & Sullivan’s report, Managing Digital Risk: The Security Challenge Beyond Your Perimeter, shows how a midsize or large business could save time and more than $1.14 million per year using Mimecast’s Brand Exploit Protect service instead of attempting the same thing in house, including legal fees.
Combating Business Email Compromise
With a spoofed domain and website in hand, it doesn’t take much for a cybercriminal to set up a mail server that uses the spoofed domain and sends phishing emails from it. The risks here are three-fold:
- The spam bad actors send out will look more legitimate to the unsuspecting public.
- With a little social engineering research, they could insinuate themselves into internal communications and get employees to click on malware.
- Worse, they could impersonate a senior executive in a business email compromise (BEC) attack, convincing an employee to change vendor payment information, for example. The result: Instead of paying the vendor, an unsuspecting company transfers funds into the hands of a criminal.
The best thing companies can do to combat BEC is to make sure their email security is set up to differentiate internal emails from external emails and includes the latest artificial intelligence (AI)-based BEC detection capabilities. You can also report BEC attacks to the FBI: In the United States, it’s wire fraud — a federal crime — to impersonate someone in this manner. Earlier this year, the FBI reported that BEC was by far the costliest cyberthreat in 2020, with thieves getting $1.8 billion.
Also, remember that education is always part of the answer. Use cybersecurity awareness training services to teach employees how to recognize a legitimate internal email and how to report suspicious emails.
In addition, make sure that legitimate marketing emails use protocols like DMARC so that email security systems can automatically identify potentially fake emails.
Social Media Impersonation
It’s ridiculously easy to set up a fake social media account that hijacks a brand. Cybercriminals may even use remarketing services to show up in the feeds of people who previously visited a spoofed site. It’s important that the social media team recognizes the problem and has a plan for being vigilant and responsive. Account hijackings are so common that the social media team might actually be ignoring it.
Fake social media accounts, especially those that impersonate, are a violation of most social media terms of service. Report fake accounts — especially those that are hijacking a brand — to the site. If the social platform allows it, take the time to look at the fake account’s followers. If it has a large enough following and especially if there is an overlap between the official account’s followers and theirs, make a judgment call as to whether to post something about it. As with alerting customers about fake links, social followers will appreciate the diligence.
The Bottom Line
Vigilance, detection and education are key parts of a company’s efforts to protect its brand.
Educate employees to recognize what real emails look like and set up a way for them to report potential abuses. Invest in efforts to detect fraudulent brand use — and remain vigilant because this fraud can spring up any time. For a broader and deeper understanding of how cybercriminals are abusing large and small brands alike, and what brands must do to protect themselves, read The State of Brand Protection 2021.
Want more great articles like this?Subscribe to our blog.
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly