Phishing gets stealthier: 4 ways to defend your brand

Just a few years ago, it was easy to spot phishing. If an email or text seemed to be coming from a real brand, but contained misspellings, bad grammar, or blurry logos, you could bet someone was trying to trick you into clicking on a link as part of a campaign to steal your data, money, or identity.

Today, though, spotting illegitimate communications isn’t so easy. Cybercriminals have become far better at disguising themselves, thanks to powerful, low-cost hacking tools and phishing-as-a-service kits sold on the dark web. These tools, many of which now use artificial intelligence, can make messages from even the most illiterate scammer look professional.

What’s more, with rapid advances in OpenAI’s ChatGPT, a free AI chatbot built with natural language processing (NLP) capabilities, hackers now have a faster, better, and cheaper way of creating communications that mimic a brand’s personality or tone.

With all of these innovations, it’s no wonder that hackers launched 255 million phishing attacks in 2022, up 61% from the previous year.

Observers say that if this trend persists – which is likely – it could lead to consumers ignoring most legitimate marketing communications.

Gone phishing: 10 most-spoofed brands

All brands are at risk of being spoofed, but fraudsters often target big technology companies, shippers and social media networks.

Here are the top 10 most imitated brands in Q4 2022, ranked by their overall appearance in brand phishing attempts, according to Check Point Software:

  1. Yahoo (20%)
  2. DHL (16%)
  3. Microsoft (11%)
  4. Google (5.8%)
  5. LinkedIn (5.7%)
  6. WeTransfer (5.3%)
  7. Netflix (4.4%)
  8. FedEx (2.5%)
  9. HSBC (2.3%)
  10. WhatsApp (2.2%)


4 ways to protect your brand

Phishing is a huge risk to brands, their marketing, and their reputation.

“All of this phishing activity can undermine brand value because when those emails come out, and consumers don’t know if they are valid or not, we sometimes mis-associate our negative experiences with the company being impersonated,” says Frank Dickson, a cybersecurity industry analyst with IDC.

“But the truth is that even large companies like Microsoft or Google can only do so much to thwart phishing in a meaningful way.”

So, if phishing is so hard to beat, what can you do to minimize its effect on your good brand name? Here are a few suggestions from industry experts:
  1. Adopt email security protocols
  2. Master your domains
  3. Defend your social media channels
  4. Educate your customers

Thwart the threat with email security

While phishing is hard to defeat, organizations can at least slow its advance by publishing the standard e-mail authentication records for their domains and having receiving mail servers enforce them.

There are three standards that companies use in tandem with one another:

  • Sender Policy Framework (SPF) lets a domain owner publish, in a DNS TXT record, the mail servers (by IP address or hostname) permitted to send e-mail on behalf of that domain. A receiving server looks up the record for the domain in the message’s envelope sender (the MAIL FROM or Return-Path address) and checks whether the connecting server is on the list. On its own, SPF does not check the From: address the recipient actually sees.
  • DomainKeys Identified Mail (DKIM) has the sending system add a digital signature over selected headers and the message body. The receiver fetches the signer’s public key from a DNS TXT record under the signing domain (selector._domainkey.example.com) and verifies the signature, which shows that the message was released by a system holding that domain’s private key and was not altered in transit.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the two together. A DMARC record (_dmarc.example.com) tells receivers what to do with a message that fails both checks, or whose passing SPF or DKIM domain does not align with the domain in the From: header: monitor only (p=none), quarantine (p=quarantine), or reject (p=reject). It also asks receivers to send aggregate and failure reports, which is how a brand learns who is spoofing its domain.
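To make the division of labour between the three standards concrete, here is an added example in Python; it is not code from the article or from any vendor quoted in it. It evaluates a constructed SPF record and a constructed DMARC record for a single inbound message. The domains example-brand.test and bulk-sender.test, the IP ranges and the DNS records are all assumptions made for the example; DKIM signature verification is assumed to have already happened, so the code only checks whether the verified signing domain aligns with the From: domain.

```python
"""Evaluate SPF and a DMARC policy for one inbound message, offline.

Added example, not code from the article or the vendors it quotes. The DNS TXT
records are constructed for 'example-brand.test' and an unrelated bulk sender.
SPF terms needing more DNS (include:, a, mx, redirect=) return 'needs_dns'
rather than being resolved; DKIM signature verification is assumed done, so
the policy function takes the verified signature's d= domain (or None).
"""
import ipaddress

# Constructed records, keyed by the DNS name a receiving server would query.
DNS_TXT = {
    "example-brand.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "bounce.example-brand.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "bulk-sender.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.example-brand.test": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-brand.test",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        terms.append((qualifier, mech.lower(), value))
    return terms


def check_spf(sender_ip, mail_from_domain):
    """SPF result for the connecting IP against the envelope (MAIL FROM) domain.
    SPF never looks at the visible From: header; DMARC alignment adds that link."""
    record = DNS_TXT.get(mail_from_domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            return "needs_dns"  # include:, a, mx, exists:, redirect=
    return "neutral"  # record ended without an 'all' term


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict, filling in DMARC's relaxed defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for pair in record.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels; real receivers
    use the Public Suffix List so 'brand.co.uk' is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same
    organizational domain (bounce.example-brand.test aligns with the brand)."""
    if not auth_domain:
        return False
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(header_from, mail_from_domain, sender_ip, dkim_domain=None):
    """Apply the From: domain's DMARC policy; returns (result, action), where
    action is the published p= when the message fails."""
    record = DNS_TXT.get("_dmarc." + header_from.lower())
    if record is None:
        return ("none", "none")
    policy = parse_dmarc(record)
    spf_pass = (check_spf(sender_ip, mail_from_domain) == "pass"
                and aligned(header_from, mail_from_domain, policy["aspf"]))
    dkim_pass = aligned(header_from, dkim_domain, policy["adkim"])
    return ("pass", "none") if spf_pass or dkim_pass else ("fail", policy["p"])


if __name__ == "__main__":
    brand = "example-brand.test"
    print(dmarc_disposition(brand, "bounce.example-brand.test", "203.0.113.10"))  # own relay
    print(dmarc_disposition(brand, "bulk-sender.test", "198.51.100.7", brand))  # ESP + brand DKIM
    print(dmarc_disposition(brand, "bulk-sender.test", "198.51.100.7", "bulk-sender.test"))  # spoof
```

The third call in the demo is the case the article goes on to describe: the attacker sends through infrastructure whose SPF record they genuinely pass and signs with their own DKIM key, yet the message still fails, because neither authenticated domain aligns with the brand in the From: header and the brand’s p=reject tells the receiver to refuse it. Delete the _dmarc record from the table and the same call returns ("none", "none"): SPF and DKIM alone would let the spoof through, which is why all three are deployed together.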

Before these standards, hackers could essentially send e-mail showing the exact same domain as the brand itself in the From: address, says Roger Grimes, a defense evangelist for KnowBe4, a security awareness training platform. By publishing these records and having receivers authenticate mail before it is delivered, many large companies have closed that door.

“The standards have been so successful that phishers have almost abandoned using real, legitimate brand domains,” says Grimes.

Master your domains to defeat dark forces

With e-mail authentication doing such a good job of severing one line of attack, hackers shifted to registering their own domains. You’ve probably seen them. They often closely resemble the real thing but deviate ever so slightly, slipping a number, letter or symbol into inconspicuous places.

Most hackers don’t bother doing this manually, because numerous tools let them create dozens or even hundreds of fake derivations. And it’s almost impossible to find all of those after they’ve been generated, says Grimes.
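Generation is cheap for both sides: the same permutations an attacker’s kit spits out are what a defender enumerates in order to register or watch them first. As an added example (not the article’s code, nor any vendor’s), the Python below generates those variants for a constructed brand domain, examplebrand.test, and then classifies a constructed list of newly observed domains by how each one resembles the brand. The TLD list, the homoglyph table and the observed domains are assumptions; production tools add keyboard-adjacency typos, Unicode homoglyphs and the Public Suffix List.

```python
"""Generate and detect look-alike (typosquat) domains for a brand.

Added example, not code from the article or any vendor it names. The brand
'examplebrand.test' and the "observed" list are constructed. Production tools
add keyboard-adjacency typos, IDN homoglyphs and the Public Suffix List."""
BRAND = "examplebrand.test"
MONITORED_TLDS = ("test", "example", "invalid")  # constructed; use the TLDs you watch

# ASCII look-alikes attackers swap in; multi-character ones first so normalize()
# undoes them before the single-character ones.
HOMOGLYPHS = {"m": "rn", "w": "vv", "o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5"}

# Constructed stand-in for a feed of new registrations or certificate-log hits.
OBSERVED = [
    "examplebrand.test", "examp1ebrand.test", "exarnplebrand.test",
    "example-brand.test", "examplebrnad.test", "examplebrand.example",
    "examplebrand-login.test", "unrelated-shop.test",
]


def split_domain(domain):
    """Return (label, tld) for a two-label domain such as 'examplebrand.test'."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def permutations(label):
    """Typo-style variants of one label: omission, repetition, adjacent
    transposition, hyphen insertion and single homoglyph substitution."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])  # examplbrand
        out.add(label[:i] + ch + label[i:])  # exampplebrand
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # examplebrnad
            out.add(label[:i + 1] + "-" + label[i + 1:])  # example-brand
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])  # examp1ebrand
    out.discard(label)
    return out


def candidates(domain):
    """Every look-alike domain worth registering defensively or watching for."""
    label, tld = split_domain(domain)
    found = {label + "." + t for t in MONITORED_TLDS if t != tld}  # TLD swaps
    for variant in permutations(label):
        found.update(variant + "." + t for t in MONITORED_TLDS)
    return found


def normalize(label):
    """Map homoglyphs back to the letters they imitate. Applied to both sides
    before comparing, so chained substitutions (1 -> l -> i) stay consistent."""
    for letter, glyph in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters each cost 1, so 'brnad' vs 'brand' is 1."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[i - 1][j] + 1, cur[j - 1] + 1, rows[i - 1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[i - 2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def classify(candidate, brand, max_distance=1):
    """Why candidate resembles brand, or None if it does not (or is the brand)."""
    c_label, c_tld = split_domain(candidate)
    b_label, b_tld = split_domain(brand)
    if c_label == b_label:
        return None if c_tld == b_tld else "tld-swap"
    if c_label.replace("-", "") == b_label:
        return "hyphenation"
    if normalize(c_label) == normalize(b_label):
        return "homoglyph"
    if edit_distance(c_label, b_label) <= max_distance:
        return "typo"
    if b_label in c_label:
        return "brand-embedded"
    return None


def flag_observed(observed, brand):
    """Map each suspicious observed domain to the reason it was flagged."""
    return {d: classify(d, brand) for d in observed if classify(d, brand)}


if __name__ == "__main__":
    for domain, reason in sorted(flag_observed(OBSERVED, BRAND).items()):
        print(f"{domain:26s} {reason}")
```

Two details the code makes explicit. A plain Levenshtein distance counts a swapped pair such as brnad as two edits, so a cutoff of one would miss the commonest typo; the distance here treats an adjacent transposition as a single edit. And homoglyph matches are compared after normalizing both strings, because edit distance alone does not catch rn standing in for m, which is also two edits away.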

One technological workaround is to deploy an automated tool that identifies look-alike domains associated with your corporate domain, says IDC’s Dickson. These search the public web as well as deep and dark web sites to see who might be spoofing your brand.

Another step toward mastering your domain is to subscribe to a brand-reputation service. These typically include a search tool for seeing who, if anyone, is posing as you.

But they can also have hundreds of people doing the research as well as support services, like working with law enforcement to take down illegal domains, says Tony Sabaj, a Check Point spokesperson.

Step up social media security

Brands also need to protect their social media channels from attack. If compromised, these channels can then become tools for launching phishing attacks, says Grimes.

“It’s really common for a hacker to break into a company, search through accounts payable and accounts receivable inboxes then send fake invoices and banking information changes to people,” he says, referring to business email compromise.

“They might say something like ‘hey, we just want to let you know we’re changing to a new bank and you should send your payments to this new bank routing and account number’.”

Educate your customers (and anyone who will listen)

One of the most important things a company can do to protect its brand is to inform customers about the threat posed by phishing attacks and what they can do about it.

Let them know about current phishing trends, like hackers sending unsolicited emails saying they’ve won something or that a shipment of something they never ordered has been delayed, or that their account has been taken over and requires technical support.

Also, regularly update customers on how you’re proactively working to combat phishing. Finally, take every opportunity to remind customers they need to play a part in protecting themselves.

Offer common-sense tips such as:

  • Be suspicious of digital communications with odd domain names, fonts, misspellings, grammar or images. These “tells” aren’t as common as they once were, but they still exist.
  • Look for mismatches between supposed senders, email addresses, subject lines, and the message itself. For example, I recently received a poorly crafted email that supposedly came from Lowe’s claiming I’d won a Dewalt Heater. The sender’s email address didn’t include the hardware store’s name. The body of the message was topped with a logo from EA, the video game company. And instead of telling me how to get my heater, it said I’d asked for a password change and could click on a link to make that happen.
  • Be skeptical of communications that seem to come out of nowhere or that ask you to do something you’ve never done before with the supposed sender, like sharing financial or personally identifiable information (PII).
  • Never click on links from anyone you do not know or trust, especially if they are asking you to choose a new password.
  • Also, look out for possible deepfake videos, which are being used for phishing. Although they’re getting slicker, you can usually spot them by looking for visual distortions like unusual head or torso movements and syncing issues between the face, lips, and audio, writes Stu Sjouwerman, founder and CEO, KnowBe4.

A never-ending battle

In the end, companies should face the fact that fighting phishers is a back-and-forth battle. For every countermeasure brands throw up, cybercriminals will find another attack vector – which is why remaining alert to changing threats and focusing on people, processes, and technology is so critical.

“It’s a cat-and-mouse game for sure,” says Check Point’s Sabaj. “But there are a lot of things organizations can do to prevent phishing, and they need to in order to protect their brand value.”
