Brand Protection

    ROI Analysis: Keeping Brands Safe from Digital Impersonation

    Forrester cites the return on investment in brand protection against spoofed websites: hundreds of thousands of dollars per year for a typical small to midsize business.

    by Karen Lynch
    gettyimages-624857617.png

    Key Points

    • Brand impersonation websites are proliferating, increasing companies’ costs and decreasing revenue.
    • Companies battling on their own to protect their brands from these websites spend a lot to scan for spoofs, prove their case and get them taken down.
    • Brand protection services can get all this done more effectively and for less money, according to Forrester research.

    There may well be imposter websites out there on the internet impersonating your good brand name to scam your customers. To keep your brand safe, you need to find them, prove what’s going on and get the sites taken down. The bad news is how much this usually costs to do. The other bad news is what it could cost not to do it. What’s worse is that you may not even know it’s happening to you.

    The good news, however, is that cybersecurity companies have been perfecting the rapid detection and takedown of fraudulent websites. Using their brand protection services can deliver significant savings in time and money, according to recent market research, while also helping to preserve brand value and customer trust.

    For instance, Forrester has found that a small to midsize company could save nearly a half million dollars over three years using a brand protection service. That’s just counting the improvement in security and legal costs versus DIY efforts to scan for fraudulent websites, investigate them and request their removal. Less quantifiable are the potential business costs of lost leads, customers and sales as lookalike websites hit your marketing ROI.

    This blog on protecting against brand impersonation is the fifth in an ROI series featuring research that Mimecast commissioned from Forrester on a range of topics that also covers blocking and monitoring malicious emails, checking employees’ risky behavior, retiring on-premises archives and streamlining e-discovery. Forrester aggregated Mimecast customer responses to develop a model showing the cybersecurity ROI of a composite small to midsize company — an ROI that the market research firm calculated to be 225% over three years across all five areas. More specifically, that means $3.9 million in total benefits versus a $1.2 million investment for licensing, security team training and a part-time system administrator. Organizations can apply Forrester’s analysis to their own threats and cybersecurity responses.

    Trends in Website Spoofing for Brand Impersonation

    Fake websites impersonating trusted brands have proliferated in recent years. First, a cybercriminal registers a domain that's very close to the URL of a commercial brand. Then they build a site that looks like the brand’s. Then, using phishing emails, they lure the brand's customers and partners to the site and trick them into revealing sensitive information like credit card numbers, Social Security numbers or login credentials. The phishing emails they use may also fake a company’s domain — for instance, transposing two letters in a brand name so that the spoof is hardly noticeable in customers’ inboxes.

    Three web spoofing statistics point to a growing trend:

    • Nine out of 10 companies surveyed in Mimecast’s recent State of Email Security 2021 report said they are concerned that counterfeit websites will misappropriate their brand.
    • Four in 10 respondents said they’d already seen web spoofing attacks increase at their company in the past year.
    • Mimecast’s forthcoming State of Brand Protection reports that clicks on unsafe links rose 84.5% in 2020.

    Web Spoofing in Action

    Here are just three examples of fraudulent websites at work:

    • In one case cited by Frost & Sullivan, cybercriminals cloned companies’ branded login pages for a cloud service, tricking employees into submitting their email and password, which could then be used to access companies’ systems, infect them and steal data.
    • Retailers are hit particularly hardby spoofers selling bogus merchandise — or, more often, just taking shoppers’ money.[i]
    • An information security manager told Forrester about an imposter website that scammed job seekers in their name. “They were telling people they would get them a job in exchange for $10,000.”

    Forrester Findings on Brand Protection ROI

    In focusing in on fraudulent websites, Forrester’s ROI report described how difficult it is to find and neutralize them. A malicious actor might set up scores of imposter websites at once — anywhere in the world — but they might carry out illegal activity from only one at a time.

    Some Forrester interviewees had once had a team of analysts scanning the web for fraudulent sites. When the security and legal teams identified an illegitimate site, they spent weeks or longer gathering proof that the site operated illegally, communicating with authorities and getting the site taken down. But convincing internet service providers (ISPs) of their claims’ legitimacy was challenging, and there was no guarantee of success.

    Forrester calculated that, for a small to midsize company, the typical cost of chasing spoofed websites includes about 3,000 hours of analyst time a year (at $50/hour, fully burdened) to monitor the web, investigate possible imposter domains and take them down.

    To neutralize a single fraudulent website, costs include:

    • 24 hours of legal time at $300 per hour
    • 150 hours of internal analyst time at $50 per hour (fully burdened) to prove and document the website activity and its damage to the company

    The other option is to hand this work over to a brand protection service such as Mimecast’s. The service provider scans for imposter sites, investigates them, reports likely offenders to the customer, and then leverages relationships with ISPs and others to get the sites taken down quickly.

    Time is money. In security operations, Forrester estimated that using brand protection services reduces in-house monitoring to about an hour per month. In-house work to take down a site — essentially a call to the service provider — is reduced to minutes. All in, the ROI calculated by Forrester is $479,000 over three years.

    Protecting Reputational and Marketing ROI

    As described in the separate State of Brand Protection report, web spoofing puts customers and partners at risk, as well as your company’s brand. Add lost customer trust, strained business relationships, reputational damage, and sales losses to the cost column of your brand protection ROI analysis. And consider that the longer a site is impersonating your brand, the more you could lose.

    When it comes to marketing ROI, for example, related findings in the report show that email marketing campaigns can suffer a decline in marketing leads, a rising cost-per-lead, or both, as customers lose trust in web links. Meanwhile, media buyers have also been placing ads on fake pages, unknowingly wasting millions of ad dollars.

    Brand Protection Solutions and Best Practice

    Brand protection solutions use machine learning and internet scans to identify cloned sites, blocking them before they launch or stopping them in action. They scan the entire world wide web, day and night, for suspicious activity. Other techniques include embedding agents on customers’ sites to catch web “scraping” by criminals who then use the brand’s colors, images and coding on fake sites. Automation is used to accelerate notification of fraudulent sites to internet registrars and ISPs. Emails carrying links to spoofed websites are limited using the standard known as Domain-based Message Authentication, Reporting & Conformance (DMARC).

    Even if companies use brand protection services, though, they still have work to do. For instance, best practice calls for collaboration between IT security and marketing departments — which operate in separate silos in most organizations — for mutually beneficial results. Awareness of the problem also needs to be raised across the company and beyond, to suppliers and customers.

    The Bottom Line

    Companies have a lot to lose to cybercriminals who spoof their websites and fool their customers, partners and employees for ill-gotten gains. You can fight brand impersonation yourself or hire brand protection services to do it for you. Research from Forrester shows that brand protection services do a better job

    [i]Online Shopping Scams,” AARP

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top