Get The Latest Insights

By Jessica Ellis | May 21, 2021

Threat actors routinely impersonate brands as part of their attacks. Brand abuse can occur anywhere online, and impersonating a reputable company automatically gives credibility to a threat that might otherwise be instantly identified as suspicious. Because brand impersonation is so broadly used across the threat landscape, security teams need to have complete visibility into the top brand threats targeting their organization. They also need efficient workflows that extract actionable intelligence from potential brand threats. 
At their core, digital brand threats are incredibly effective because they exploit the reputation of a legitimate company to convince individuals the message or deliverable they are interacting with is valid. This is, however, where their similarities end. There are many kinds of digital brand threats, each with its own requirements for collection, curation, and mitigation. Below are the top four digital brand threats organizations should familiarize themselves with, as well as best practices to minimize their impact. 


Threat actors register hundreds of thousands of look-alike domains every year to impersonate digital brands. These domains are designed to mislead, and in order for organizations to gather related intelligence that is timely, they must first identify which domain threats are targeting their brand as well as where they live. 
Look-alike domains can be used in a number of ways including:
  • Hosting fraudulent websites
  • Hosting malware
  • Distributing phishing emails such as BEC 
  • Diverting website traffic from legitimate sites
  • Delivering spam
  • Delivering malware lures
Look-alike domains achieve high levels of believability because they incorporate an element of the brand name or asset that may represent the business. 
In order to effectively collect domain intelligence related to brand abuse, security teams should collect data from the following sources:
  • TLD Zone Files
  • SSL Certificate Transparency Logs
  • DNS Traffic
  • DNS Queries
Continuous monitoring of these sources can result in swift detection of look-alike domains that contribute to digital brand abuse. 
Following the identification of a domain-related threat, collected data should undergo threat-specific curation that includes a combination of technology and human analysis. Security teams should employ expert analysts who specialize in handling processes defined per threat-type to ensure data is properly prioritized and follows the appropriate workflow for successful mitigation. 

Social Media

Digital brand threats on social media are some of the top security concerns to organizations due to the accessibility, simplicity, and global reach that threat actors exploit. Brand threats can take many forms including misuse of an asset, executive impersonations, and pages with unauthorized content or logos. Monitoring for these threats is especially challenging due to the volume of data security teams must sift through, and failure to identify and mitigate an attack may result in reputation damage and financial loss. 
Below are two examples of brand threats on social media channels:
Executive Impersonation
Fake Twitter Page
Successfully collecting brand intelligence on social media means identifying all platforms that apply to your organization. From there, security teams should mine data using algorithms to find relevant threats. This data should be analyzed by using both threat-specific automated logic as well as human analysis. Takeaways from this multi-stage process should include:
  • Threat classification
  • Determining severity
  • Eliminating false positives
  • Adding context

Open Web

Open web threats abuse brands through imposter websites that host unauthorized use of intellectual property, create false associations, and promote illicit activity. Overwhelmingly, brand threats present on the open web involve phishing sites that mislead victims into surrendering their credentials. Threat actors accomplish this by abusing an organization’s brand to trick victims into believing they are interacting with a trusted, reputable business. 
Sufficiently identifying these sites requires not only extensive visibility across all readily accessible, related content on the web, but also strong anti-evasion detection. Threat actors frequently take steps to prevent automated crawling tools from detecting malicious content. 
Collection sources for open web data should include:
  • Continuous web crawling
  • Search indexes
  • Domain registrations
  • SSL transparency logs
  • Passive and active DNS queries
Because of the massive volume of data available on the open web, security teams should initiate workflows that operate according to specific, relevant threat-types detected. This includes curation particularly designed to increase the speed of mitigation, and overall will result in high-fidelity, actionable intelligence. 


Threat actors use official company logos, trademarks, and images to impersonate legitimate brands and convince victims to install clones of popular applications. 
These cloned apps are widely available as well as convincing, and can attribute much of their success to abusing the sense of security associated with a trusted brand. Cloned apps are available in both official and unofficial app stores and if downloaded, can result in stolen credentials and SMS authentication codes. Collecting intelligence on unauthorized clones and out-of-date versions of legitimate mobile apps requires continuous monitoring of online app stores for brand references.
Mobile banking Trojans also pose a significant threat to brands by impersonating legitimate business apps or games to steal credentials. Triggered when a legitimate banking or commerce app is launched, these Trojans overlay the screen with a fake login page, steal sensitive data, then transition back to the legitimate app so as not to alert the victim. To prevent this fraud, security teams need to gather intelligence on apps and brands targeted by mobile banking Trojans and take steps to disrupt the overlay mechanisms used to impersonate their login screens.  
Learn more about how PhishLabs helps protect your brands from these and other digital threats with our Brand Protection and Digital Risk Protection Solutions.
Additional Resources: