In August 2022, around 2,000 customers of American Express were targeted in a brand impersonation attack, in which cybercriminals created a fake website masquerading as the genuine brand’s site.
People assumed that the site was real and promptly entered their login credentials, only for those credentials to be scooped up by the hackers, who sold them to other fraudsters via the Dark Web.
Although American Express moved quickly to remediate the attack, it couldn’t prevent the negative publicity that resulted from it. However, the company is not alone in dealing with this kind of threat, for the financial services industry is one of the major targets of brand impersonators.
How do brand impersonation attacks work?
Cybercriminals have come up with a hugely successful model for targeting banks and financial services providers. The attack begins with a phishing message sent to an unsuspecting victim via email or social media. The message purports to be from a customer service rep of a well-known financial services firm and informs the customer that they need to take some kind of action to secure their account. The messenger provides a link for “convenience” that supposedly directs the customer to their official website, but in fact, the website only looks like the real thing.
Many customers head to that website and enter their login information, blissfully unaware that they’re handing over the keys to their accounts. The consequences of these attacks can be devastating, not just for the customer who loses money but also for the affected brands, as they result in negative publicity, brand shaming, and damaged customer relationships.
In its 2024 State of Digital Impersonation Fraud Resilience report, Memcyco, a provider of anti-website spoofing technology, revealed just how hard such attacks can be on customers. According to its research, just 2% of brands will reimburse customers who fall victim to such an attack. Companies can get away with this because the attackers didn’t exploit any vulnerabilities in their own websites or applications, meaning they can simply claim they aren’t responsible.
The good news for customers, however, is that this may change, as many governments across the world are said to be drawing up regulations that will force companies to reimburse their customers, holding the companies accountable for their failure to detect such attacks and to warn their customers against falling victim to these fraud schemes.
Financial services are a top target
The impending arrival of legislation should be a wake-up call for the financial services industry, one of the top targets of brand impersonators. A May 2024 report by Mailsuite found that 249,615 of 1.14 million phishing scams carried out since 2020 involved brand impersonation. Four of the top ten most impersonated brands in the U.S. were banks or financial services providers.
The industry accounted for 24.57% of all known brand impersonation attacks that were reported between 2020 and 2023, trailing only the IT and technology sector, which accounted for 27.93% of such incidents.
It’s easy to understand why attackers are so focused on impersonating financial brands, as most companies in this industry boast high levels of customer engagement, and the information their customers provide is extremely valuable to criminals. Additionally, the industry is ripe for taking advantage of customers’ emotions. Money matters, and the offer of a rebate, a windfall, or a warning about a potential security breach will often grab someone’s full attention.
Victims get a rough deal
Victims of brand impersonation attacks can be left in dire straits. A case in point is the bankruptcy process involving Synapse, a U.S. financial services provider that recently admitted it has “lost” $85 million in customer funds, partly due to mismanagement and also as a result of online fraud. With Synapse now going through the bankruptcy process, thousands of customers have been left unable to access their funds, as their accounts are frozen while investigators try to understand what happened.
Given the pain felt by the victims, it’s little wonder that 40% of companies surveyed by Memcyco admitted that their affected customers stopped doing business with them. That finding underscores the point that many customers hold the company responsible for failing to protect them.
Memcyco’s report also highlighted the lack of visibility into such attacks, noting that more than two-thirds of affected companies only discover they have been impersonated following customer complaints. Many of those customers will post about their negative experiences online, effectively “brand shaming” the company in question.
Protecting customers from website impersonation
Fortunately, there are several steps brands can take to forestall brand impersonation scams.
From a reputational perspective, the most important step is for brands to inform their customers immediately when they become aware that they’re being used as bait for impersonation scams. By alerting customers via email and social media, they can prevent many from becoming the next victim.
The next step is to notify both the authorities and the web hosting provider of the malicious website. While this can be a time-consuming process, brands can work with these entities to ensure fraudulent websites are taken down.
Financial services companies can also use modern anti-spoofing tools to monitor the web for any fraudulent websites that impersonate their brand. Some of the best anti-brand impersonation tools, such as Memcyco, can identify fake websites within hours of going live on the internet and even integrate real-time alerts that warn customers against interacting with them.
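The “convenience” link in the lure described above and the monitoring the mitigation steps call for share one detection problem: deciding whether a link really points at the brand. The following added example (not code from the article or from any vendor it names) scans the anchors in an HTML message against a constructed allowlist for a hypothetical bank, `examplebank.com`, and flags three signals: the brand name inside a domain the bank does not own, a lookalike registrable label, and link text that displays the official domain while the href goes elsewhere. The sample message and every domain in it are constructed.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse
# Constructed allowlist: the only domain the hypothetical bank actually operates.
OFFICIAL_DOMAINS = {"examplebank.com"}
BRAND_TOKENS = ("examplebank",)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)

def hostname(url):
    """Lower-cased hostname of a URL, or '' if the URL has none."""
    host = urlparse(url.strip()).hostname
    return host.lower() if host else ""

def is_official(host):
    """True only for the brand's own domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def lookalike_score(host):
    """Best match between the brand name and the second-level label or its hyphen-separated parts."""
    # Second-level label only; multi-part TLDs such as .co.uk are not handled here.
    label = host.split(".")[-2] if "." in host else host
    parts = label.split("-") + [label]
    return max(SequenceMatcher(None, p, t).ratio() for p in parts for t in BRAND_TOKENS)

def check_link(href, text):
    """Warning reasons for one anchor; an empty list means it points at the real brand."""
    host = hostname(href)
    if is_official(host):
        return []
    reasons = []
    if any(t in host for t in BRAND_TOKENS):
        reasons.append("brand name in non-official domain")
    elif lookalike_score(host) >= 0.8:
        reasons.append("lookalike domain")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and is_official(shown.group(1).lower()):
        reasons.append("link text shows official domain but href does not")
    return reasons

def scan_message(html):
    """(href, reasons) for every anchor in an HTML message that deserves a warning."""
    checked = ((h, check_link(h, t)) for h, t in ANCHOR_RE.findall(html))
    return [(h, r) for h, r in checked if r]

# Constructed sample of the "secure your account" lure described in the text.
SAMPLE_EMAIL = """<p>Your account has been locked. For your convenience, log in here:
<a href="http://examp1ebank-secure.com/login">examplebank.com/login</a></p>
<p>Or visit <a href="https://login.examplebank.com/">our site</a>.
Questions? <a href="https://support.examplebank-verify.net/">Contact us</a></p>"""
```

Running `scan_message(SAMPLE_EMAIL)` flags the first and third links and leaves the genuine `login.examplebank.com` link alone; the 0.8 similarity threshold is a tunable assumption, not a published figure.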
Financial services brands must be proactive
Brand impersonation attacks have been around for several years, but they’re a growing problem for businesses in many industries, especially the financial services sector. While banks and financial services organizations might not be responsible for malicious websites, it’s in their best interest to do all they can to mitigate the damage and protect their customers.