Digital transformation has opened many doors for financial institutions to do business and reach their customers more efficiently. However, the doors work two ways. A risk that’s becoming increasingly common is brand impersonation.
Brand impersonation is a type of phishing attack. Cybercriminals attempt to lure unsuspecting victims into giving away their sensitive banking credentials, usually by directing them to a scam site masquerading as their bank’s website. The financial services industry is the most targeted sector for brand impersonation scams, accounting for 23.6% of all such attacks, according to the Q2 2002 report by the Anti-Phishing Working Group.
Recognizing the threat that these scams pose is more important than ever to regional banks and credit unions. Scammers are not only becoming smarter and more sophisticated in their methods, but they’re also increasingly targeting smaller financial institutions rather than just the megabanks. But there are measures that can be taken to avoid brand impersonation.
The Forms Brand Impersonation Can Take
The most insidious type of attack is when a scammer creates a fake copy of an institution’s website; however, brand impersonation can also involve any unauthorized use of an institution’s brand name, logo or brand messaging anywhere on the internet. Whatever the form, the intent is the same: to trick unwary employees and customers into sharing confidential information that can lead to data breaches, account takeover, identity fraud and stolen bank funds.
Until recently, most brand impersonation scams targeted large national banks and their customers. But as the sophistication of these scam methods has grown, so has the number of organizations that they target. Small regional banks and credit unions are now increasingly coming under attack, as borne out by an announcement this year from the National Credit Union Association on the growing severity of brand impersonation attacks against federally insured credit unions. Many of these smaller financial institutions and their customers are unprepared for either the severity or sophistication of these attacks, which can have a high success rate when the target is unaware of the danger.
Biggest Loss Isn't Money
Stolen bank funds can have damaging financial consequences. However, the worst effect of a cybercrime incident is harm to the financial institution's reputation.
So much of the value of your brand lies in the trust you build with current and potential customers.
Most people choose to bank with you based on the faith they have in your brand. Studies show that the majority of consumers blame the impersonated brand for website spoofs, which erodes trust. Even if a successful investigation leads to a customer being reimbursed for losses, the stain on your reputation can linger long afterward.
How to Protect Your Brand Online
Prevention and vigilance are key when it comes to online brand protection. The harder you can make it for a scammer to secretly spoof your website or brand imagery, the more likely the scammer will be detected and stopped before they can strike.
Here are a few steps to enable you to accomplish that:
1. Create a unique brand. Your brand logo and imagery are what set you apart from other brands, so they should be as distinctive as possible. Avoid generic logos that can be easily copied or recreated.
2. Register your trademarks and copyrights. Ensure that all your brand names, logos and their variants are registered for copyright protection. You can do this through the U.S. Patent and Trademark Office and the European Union Intellectual Property Office.
3. Own your online presence. Protect your brand against impersonation attempts by ensuring you’ve taken ownership of your brand accounts across traditional and emerging social media platforms.
4. Implement a proactive monitoring system. Impersonation sites can grow like mushrooms in a cave, so you’ll need a proactive cybersecurity monitoring system that can detect them before they can strike. There are a lot of cybersecurity vendors out there, so make sure you choose one that understands the needs of your particular organization. In addition, ensure that they scan the internet for more than just lookalike domain names, as such methods can miss 71% of attacks.
5. Create a response plan. Have a response plan in place for when an online brand impersonation targets your patrons or employees. Of course, it’s best to find spoof websites, social media accounts, and mobile apps before your customers do, which is possible thanks to AI and machine learning.
How to Perform a Website Takedown
Most brand protection vendors have built relationships with registrars, hosts and other providers to accelerate takedowns. But not all vendors are created equal, so be sure to ask your provider about their takedown success rate and speed. If you plan to try handling takedowns in-house, here are steps to implement a scam site takedown.
1. Confirm that the suspicious site is unauthorized. When you detect a suspicious site, confirm that it isn’t a site that’s been deployed by your marketing or HR teams without your knowledge. The site may also belong to an authorized partner or agent, carrying your branding. Such sites should be categorized among your inventory of web properties.
2. Determine the impersonation site’s objective. Once you’re sure the suspicious site is an unauthorized impersonation, determine what the scammers are trying to do. Does the site aim to defraud your customers by stealing their credentials? Is it misusing your trademarks? Be aware that fraud sites are usually less time-consuming to take down than those that are infringing on your trademarks.
3. Report the site if it is engaging in fraud. When fraud is detected, immediately report it to the Federal Trade Commission and the FBI’s Internet Crime Complaint Center. Reporting brand impersonation fraud helps the authorities gather yearly statistics on fraud levels and better understand how these sites spring up.
4. Determine who the hosting provider is. You can use Whois Domain Lookup to determine the website hosting provider, to whom you will then need to send a takedown request. Be aware that not all hosting providers will respond to your messages.
5. Compile evidence for your takedown request. Take screenshots of the impersonation site and compile a list of the suspicious URLs that you want taken down. You’ll also need to gather screenshots and evidence of your authentic web pages and logos to show that the suspicious site is an impersonation. This can be a long process and each hosting provider will have its own criteria for assessing evidence and implementing a takedown request.
6. Draft and submit your takedown request. The Internet Corporation for Assigned Names and Numbers (ICANN) offers a guide for drafting takedown requests. Follow the guide closely and take into account any particular requirements of the hosting provider for a takedown request.
7. Continue monitoring and follow up. Even if you’ve done everything right, it can often take several takedown requests before the hosting provider takes action. If too much time passes without a response, then you can file a complaint with ICANN.
Even once the offending site is down, you should continue monitoring to ensure it doesn’t spring back up again.
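As an added illustration of steps 4 and 5 (not part of the original article), the Python below pulls the registrar and abuse contact out of a WHOIS record and bundles them with the reported URLs and hashed screenshots into one evidence packet. The WHOIS text, domain and contacts are constructed placeholders, and the field names assume the common registrar WHOIS layout, which varies between registries. A domain WHOIS record names the registrar; the hosting provider is normally found by a second lookup on the site's IP address, which this example does not perform.

```python
import hashlib
import json
import re

# Constructed WHOIS response for a placeholder domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK-LOGIN.EXAMPLE
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2024-01-15T09:30:00Z
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
"""

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (name servers) become lists."""
    record = {}
    for line in text.splitlines():
        match = re.match(r"\s*([^:]+):\s*(.+)", line)
        if match:
            record.setdefault(match.group(1).strip().lower(), []).append(match.group(2).strip())
    return record

def build_takedown_packet(whois_text, urls, screenshots, captured_at):
    """Assemble the evidence a provider is asked to review (step 5)."""
    record = parse_whois(whois_text)
    contact = record.get("registrar abuse contact email", [None])[0]
    return {
        "domain": record.get("domain name", ["unknown"])[0].lower(),
        "registrar": record.get("registrar", ["unknown"])[0],
        "abuse_contact": contact,
        # No abuse address in the record: find the contact by hand.
        "needs_manual_lookup": contact is None,
        "name_servers": [ns.lower() for ns in record.get("name server", [])],
        "created": record.get("creation date", [None])[0],
        "captured_at": captured_at,
        "urls": sorted(set(urls)),  # de-duplicated list of URLs to report
        # Hashes let the recipient confirm the screenshots were not altered.
        "screenshots": [
            {"file": name, "sha256": hashlib.sha256(data).hexdigest()}
            for name, data in sorted(screenshots.items())
        ],
    }

if __name__ == "__main__":
    shots = {"spoof-login.png": b"constructed image bytes"}
    urls = ["https://example-bank-login.example/login"]
    print(json.dumps(build_takedown_packet(SAMPLE_WHOIS, urls, shots, "2024-02-01T12:00:00Z"), indent=2))
```

Keeping the packet as structured data makes it easy to resend the same evidence when a follow-up request is needed in step 7.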