Protecting Your Brand Against Impersonation: What do you do when your company's brand has been used as bait in a phishing scam?

Phishing attacks are permeating the digital environment and spreading to new industries and sectors, as cyber-criminals seek to lure unsuspecting victims with the goodwill of legitimate businesses. In the second quarter of 2018 alone, the Anti-Phishing Working Group (APWG), a not-for-profit industry association, detected 233,040 unique phishing websites, 264,483 unique phishing e-mail reports (campaigns), and 786 brands targeted by phishing campaigns. APWG, Phishing Activity Trends Report: 2nd Quarter 2018 (Oct. 18, 2018). With such activity on the rise, all businesses need to understand and plan for the risks associated with phishing.

Phishing involves communications that use social engineering and technical subterfuge to obtain or access sensitive information, such as a customer's personal data or a user's account access credentials. For example, a cyber-criminal may use a spoofed email mimicking a legitimate business's trademarks and trade dress to convince customers to disclose their financial account information or click on a hyperlink that directs them to a counterfeit website. These types of attacks can be quite sophisticated, even going as far as to impersonate the business's actual employees and customize messages to target specific recipients (i.e., "spear phishing").

When customers and company employees are tricked by phishing scams, the results can be distressing and expensive for both those whose information was compromised and those who failed to safeguard that information. But, there is also another victim of phishing scams that is often overlooked - the impersonated business.

The impersonated business may be affected by phishing scams in significant ways, including harm to its reputation, loss of goodwill, and costs associated with responding to customer complaints or the need for additional validation methods in future communications.

Fortunately, a business can take some steps to mitigate the effects of being impersonated in a phishing scam and to protect its brand from being used as bait in future attacks.

Key Steps to Take

If your business's brand has been used as bait in a phishing scam, some immediate steps you can take include:

1. Notify Customers & Vendors: As soon as possible, the business should consider informing its customers and vendors through both typical communication channels and social media to alert them to the scam and provide information about available resources, including www.identitytheft.gov.
2. Notify Authorities: Next, notify appropriate authorities, including reporting the scam to the FBI's Internet Crime Complaint Center and the APWG, and potentially filing a complaint with the FTC.
3. Take Down Malicious Websites: Although it can often be difficult to track down perpetrators of phishing scams or recover damages, steps can be taken to have the hosting provider take down any associated websites or to suspend their domain registration.
4. Monitor Brand: After responding to known phishing threats, the business should consider taking steps to monitor for other improper uses of its brand. Such steps may include setting up a fraud reporting hotline or engaging an anti-phishing service that uses software to scan for counterfeit domain registrations.
5. Review Information Security Policies: When your business's brand is used in a phishing scam, it can be a sober reminder of just how vulnerable your own employees may be to such scams. The event provides an opportunity to review, update and implement information security policies designed to safeguard the business's proprietary information and other sensitive information held by it, such as personal data regulated by government agencies.