In late 2022, American Express was at the center of a brand impersonation attack. The attackers impersonated this well-known financial services brand to attempt to steal confidential information from victims at a nonprofit organization.
The brand impersonation attack started with an email message that looked like it came from American Express. It included a malicious link that, if clicked, would take the victims to a malicious landing page where they would unwittingly provide the attackers with their sensitive information.
If the attackers had succeeded, they could have compromised 16,000+ mailboxes and also caused massive damage to American Express’ reputation.
Brand impersonation attacks like the one targeting American Express are a serious security problem for companies worldwide. Brands in many industries are at risk of being impersonated and used as weapons to cheat victims out of money, sensitive information, or both. This blog identifies these industries based on recent research and trends.
What is a Brand Impersonation Attack?
In a brand impersonation attack, scammers pretend to represent a well-known brand in order to steal victims’ sensitive information, money, or identities. Email is the weapon of choice for many scammers. They create and send fraudulent email messages that request the victim to take some action that will benefit the scammer, such as providing credit card details or transferring money to the imposter’s bank account.
Victims trust the message and often fall for it because it appears to come from a trusted, known, and legitimate brand. Brand impersonation attacks can be financially devastating for the victims. But they can also be very costly for the impersonated brand in terms of financial losses, tainted reputations, and damaged customer relationships.
The Current Landscape of Brand Impersonation Scams
Brand impersonation-based phishing attacks are getting worse and affecting companies in many industries. In June 2023, Bolster’s threat research team uncovered a widespread brand impersonation scam that targeted hundreds of consumer brands – many of them well-known ones like Kate Spade, Nike, and Puma – between June 2022 and February 2023. Bolster’s findings show how famous and trusted brands are at risk of losing substantial amounts of money and experiencing severe reputational damage.
Between May 2021 and May 2022, brand impersonations had increased by 300%. A year later, a survey of hundreds of U.S. customers discovered that 78% of respondents had been targets of brand impersonation scams and Americans had lost a staggering $40 billion from such scams originating from robocalls or robotexts.
Another report revealed that in H1 2022, 15% of phishing emails impersonated a well-known brand, with famous tech companies like Microsoft and LinkedIn appearing in 20% of all such attacks. By May 2023, the percentage of famous brands being impersonated had shot up to 51.7%, according to the Cloudflare 2023 Phishing Threats Report. Further, between May 2022 and May 2023, attackers impersonated 1,000+ organizations but a majority, i.e., 51.7%, impersonated one of 20 large global brands like Microsoft, Google, WHO, or Facebook.
Brand Impersonation: The Most Vulnerable Industries
The Cloudflare report identifies the 20 most impersonated brands in 2022. This list shows that the industries that are most susceptible to brand impersonation attacks are technology, software, online services, financial services, telecommunications, and luxury goods.
The top 20 list includes big names like SpaceX, Chanel, AT&T, Mastercard, and T-Mobile. Furthermore, about half the well-known brands on the list are from the technology/software/online services sector, such as Microsoft, YouTube, Facebook, Apple, Google, Salesforce, and Amazon. Among these giants, Microsoft took the #1 spot as the most impersonated brand in 2022.
In addition, the report found that certain companies and industries are more vulnerable in certain geographies. Examples include automobiles (e.g., Toyota in APAC), airlines (e.g., LATAM Airlines in LATAM), and non-profits (e.g., WHO in EMEA). Other research shows that cybersecurity companies and educational institutions are also at risk of brand impersonation scams.
Why Some Industries Are More Susceptible to Brand Impersonation Scams
Now that we have established that some industries are more susceptible to brand impersonation than others, the question is: why? What makes companies in these industries more attractive as both targets and weapons for clever scammers? Here are four reasons:
1. They are recognizable and trusted
Impersonated firms are almost always easily recognizable and trusted. Scammers take advantage of this recognition and trust to get victims to believe their fake messages and unwittingly provide the information or money the scammer is after. Simply put, impersonating a Microsoft, a T-Mobile, or a WHO increases the probability of a successful scam.
2. Potential for large payouts via counterfeiting
Consumer goods companies like Chanel and Louis Vuitton are attractive targets for brand impersonation because it allows scammers to engage in another crime – product counterfeiting. As Bolster’s research found, attackers impersonate such companies to trick unsuspecting shoppers into purchasing counterfeit goods on their fake websites – often for large payouts.
3. Access to sensitive information
Businesses in vulnerable industries have access to vast quantities of customer information, including personally identifiable information (PII) and credit card numbers. Thus, by spoofing companies like LinkedIn, Instagram, or Mastercard, scammers can not only get their hands on sensitive data, but also use it to perpetrate financial or identity fraud.
4. Online financial transactions
Online education companies like Masterclass, SaaS firms like Salesforce, and e-commerce giants like Amazon all engage in online financial transactions. By impersonating them, scammers get victims to share their financial information or make purchases on look-alike sites that ultimately benefit the scammer.
Protection from Brand Impersonation Attacks
Protection from brand impersonation attacks starts with awareness. All companies should understand their risk of being impersonated, particularly if they operate in the vulnerable industries discussed above. They should also secure their domain name and register multiple domain extensions to prevent scammers from using similar domains for impersonation purposes.
That said, the strongest safeguard against brand impersonation scams is technology. AI-powered automated tools like Bolster enable brands to monitor their digital presence and identify any websites or domains that may be masquerading as them. Bolster also automates takedowns of impersonators, thus providing reliable, 24×7 protection against brand impersonation attacks.
To know more about Bolster’s AI-powered capabilities for brand impersonation protection, request a free demo.