Phishing attacks are nothing new to anyone who’s been online for the past three decades, but they’ve been growing in number and complexity in recent years.
The 2022 ThreatLabz Phishing Report reviewed 12 months of global phishing data and found that phishing is the most frequently-reported cyberattack to the FBI Internet Crime Complaint Center. On a global scale, there has been a 29% growth in phishing attacks compared to results from previous years and an astounding 400% increase in attacks on industries such as retail and wholesale. When it comes to brand impersonation, the Anti-Phishing Working Group found an all-time high of attacks using unique scam websites in December 2021–a number that more than tripled from the year before.
Meanwhile, other research shows that in the first half of 2022, 15% of phishing emails impersonated brands in increasingly sophisticated and convincing ways.
Graphs from the Anti-Phishing Working Group show the rise in phishing attacks and the high number of brands being attacked. Published September 20, 2022.
Retail and wholesale are not the only industries being targeted; these types of attacks affect people and organizations in every industry. Even the financial and government sectors are targeted, with the 2022 ThreatLabz Phishing Report stating that attacks against these sectors have in fact doubled!
Against this backdrop, you must prepare as if expecting to be the next victim–or be ready to deal with insurmountable losses. According to the Federal Trade Commission, online shopping fraud losses in the U.S. increased 56% in 2021 compared to 2020, reaching $392.4 million. Worldwide, the Federal Bureau of Investigation has stated that impersonation attacks surpassed $43 billion in actual and attempted losses between June 2016 and December 2021. According to that same report, in 2021 alone, the FBI’s Internet Crime Complaint Center received 20,000 complaints of business email compromise attacks with adjusted losses estimated to be almost $2.4 billion.
With attacks becoming a matter of “when”, not “if”, it’s vital that we all start taking measures to prevent the potential fallouts of an attack.
How the Online Fraud Epidemic Is Ruining Digital Trust
It is critical for brands to understand how these attacks happen to prevent them before it’s too late. Too often, brands only find out about being impersonated when a customer posts their complaints on social media, which damages brand reputation and customer trust, leaving both parties without a solution.
Regardless of the method used, the end goal of these attacks is usually the same: to take advantage of a brand’s trusted reputation to get its customers to disclose sensitive information. End-users may click on a seemingly legitimate link from where the attacker can steal user credentials, sell counterfeit goods, or scam users into transferring money to criminals. Attackers may even be looking to deploy malicious software on the victim’s infrastructure.
To unsuspecting victims, the website they’re visiting looks like a website by the brand they know and trust, using the same design and language, and even a similar domain name. By the time they realize something is wrong, it’s usually too late: they’ve already disclosed personal data.
You can see how phishing attacks damage trust between brands and their customers, who are now wary of responding to digital communications and hesitate before making transactions online.
According to Mimecast’s Brand Trust survey, 61% of consumers would lose trust in their favorite brand if they fell victim to a spoofing attack or email that impersonated that brand and obtained their personal information or had their money stolen. If your brand gets impersonated and customers become weary of your legitimate marketing campaigns and channels, it can impact your revenue by 10%-25% in a single year.
What Can Brands Do About Impersonation?
Part of the cunningness of these attacks is that they occur outside of a company’s usual security perimeters. A variety of solutions offer protection for targeted employees, including tools that scan incoming email traffic to company-controlled email accounts to identify blacklisted links and other suspicious content. Customers may get occasional emails from the real brand alerting them of risks related to phishing campaigns, fake sites, and scams, but this is often done after the fact.
Besides, studies have shown that users not only don’t respond to such informational emails but also become more hesitant to engage with the brand in the future. These communications leave consumers feeling as if the brand is shifting the responsibility of preventing impersonation onto them.
Brand impersonation is a particularly common attack vector that can help launch attacks such as phishing, fraud, malware injection, and more. It is intentionally designed to impersonate a reputable company through a fake website (known as domain hijacking or domain spoofing) so that trusting targets will provide their sensitive information–anything from credit card details to employee login credentials. In this scenario, there are two victims: the brand whose identity was stolen and the customer or employee who was tricked into giving away their information to the impostor.
Clearly, current solutions are not effective enough. Scanning for suspicious links doesn’t always detect suspicious sites. Even when suspicious sites are found, the process of getting them taken down can be long and tedious. With so many fake websites misleading customers, current solutions leave the onus on the customer to research the site they’re on and be educated on how to look for security certifications that may also be fake. Customers and companies need a reliable brand impersonation prevention framework that alerts brands when their websites are on the line, so they can stop attackers in their tracks before any harm is done to either brand or its customers.
Two Requirements of a Brand Impersonation Prevention Framework
To protect your company and end-users from impersonation attacks, there are two requirements a successful prevention framework must have:
1. Real-time Detection and Alerts
A real-time detection and alert mechanism which monitors the web for (mis)uses of your brand’s domains and provides full visibility into attempted attacks in real-time. This allows companies to take immediate action to protect their reputation and end-users. With real-time alert features, security teams can stop potential website spoofing, cloning, and account takeover attempts before they reach customers.
2. Proof of Authenticity Solution
An actionable way for customers to verify the authenticity of your website, emails, and texts, without making them feel like you’re dumping that daunting task on their shoulders. PoSA’s digital watermark, our proof of authenticity solution, provides instant visual cues to end-users so they know they’re navigating a legitimate website. This immediately assures them that your communications are genuine, increasing user trust–and therefore, their willingness to engage with you online.
Restoring Digital Trust
Our goal is for customers and brands to interact online with no hesitation. To make that possible, the Memcyco framework provides an authentication watermark to be used on a brand’s website, so customers can feel confident that those communications are authentic from the brands they want to engage with.
This watermark includes multiple features to increase customer confidence, such as customization to brand specifications and user-specific watermarks that can’t be forged. It can be installed in minutes with a single line of code without any user registration or installation needed, and is scalable for any company or marketing operation.
Seeing Memcyco’s watermark, customers can feel confident that the companies they engage with are stepping up and putting a security framework in place to ensure their clients’ online transactions and communications are safe. After all, customers should feel confident engaging with the brands they love and trust. Learn more about how Memcyco makes that possible here.
Eyal is head of demand generation at Memcyco
