Online Brand Protection in 5 steps
With brand attacks and scams on the rise around the world, brand protection is business-critical.
Organizations must protect their investments in digital and social platforms and maintain their online brand reputation by detecting, identifying, and remediating brand abuse incidents outside the perimeter. That’s where online brand protection comes in, and this guide shows you the steps you need to take.
What is online brand protection and why do you need it?
An effective online brand protection strategy allows organizations to preserve their digital reputation while putting an end to fake domain names, impersonations, account takeovers, trademark infringements, and other forms of malicious brand abuse.
- Domain-based attacks, such as look-alike domain names, are increasingly being used by threat actors to lure unsuspecting users to a fraudulent domain. These attacks deceive users into providing personal information through activities that could also include typosquatting, common URL misspellings, or homoglyphs, which use similar-looking alphabet characters to draw users to malicious websites.
- Impersonations on social media, email, mobile apps and spoofed domains represent a real risk to brands that have spent time and revenue developing their reputation and following online. Social media impersonations, in particular, offer actors a quick and cost-effective way of reaching an engaged audience.
- Account takeovers on social media, email and elsewhere of both corporate and executive accounts can be extremely damaging to brands. In the past few years we have seen notable, high-profile executives have their social accounts taken over, giving attackers immediate access to followers in order to conduct crypto scams or other phishing attacks.
How do you prevent online brand abuse and protect your digital assets?
Step 1: Conduct an audit & define your needs
Your brand likely operates across a variety of digital platforms and channels. You may also manage a portfolio of brands with a myriad of connected assets across these channels. As a brand owner, you’ll need to address which elements you own and where in the world they’re hosted – and subsequently at risk – online.
Start with an audit of all of your branded assets that exist in the “gray space” (sites and spaces where you, customers, and threat actors actively engage on the internet that none of you own). You’ll need to create a repository of all of your logos, brand terms, sub-brands, domains, etc. You’ll also want to consider any high-profile executives, employees, or VIPs to monitor. By doing this first, you can set your business up for success by tackling brand abuse at the early stages.
Next, take inventory of your attack surface. This requires assessing the various digital channels and data sources where your brand has a footprint.
Your digital footprint and online brand reputation aren’t limited to corporate social media accounts and owned domains. Brand owners must consider any digital channel where customers, clients, or employees engage with your brand or branded assets. For example, although your business might not have a dedicated and moderated Reddit forum, customers may be susceptible to impersonations and scams that exist on the platform. Likewise, illicit sites and Deep and Dark Web channels may pose brand risks such as intellectual property (IP) piracy, counterfeiting, leaks, and infringement.
Once you have a list of all of your protected and copyrighted assets and a bird’s-eye view of the external attack surface, you can more easily identify gaps. Using this view, map your biggest risks and identify potential challenges with your security team. These might include identifying sites to which you may have little access or visibility, or where to reallocate team members to manage your presence on these sites.
Step 2: Establish proactive protection measures
Once you’ve audited your brand’s assets and mapped out your attack surface, you can take a few proactive protection measures. To start, make sure you’ve registered all trademarks and domains and have defined valuable assets as well as use cases.
If you’re using an external threat protection platform, you’ll also need to properly configure threat alert rules and parameters. For example, you’ll want to set up alert rules that cut through the noise and trigger only when your security team needs to know or take action. It’s critical to minimize false positives and home in on the threats that pose an immediate security risk.
It doesn’t stop there. You’ll also need to proactively register domain names with common typos. You’ll do the same for social media. Proactive domain name registration and social media account creation with common misspellings, variations, and homoglyphs prevents hackers from targeting your brand or executives through “typosquatting” impersonations.
Additionally, there’s a misconception that not having a presence on social media or other channels means you’re without risk on those channels. In reality, it’s quite the contrary: you may be facing increased impersonations on platforms where you don’t typically operate or frequently monitor. For that reason, it’s a best practice to create profiles and accounts on all social media channels for your brands and high-profile executives.
Step 3: Leverage continuous brand monitoring and automation
Protecting your company outside the perimeter requires 24/7 online brand protection; it is ideal for security teams and brand owners alike to focus on addressing external threats to their brand, executives, data, and customers.
Monitoring for malicious domains, fake accounts, attack chatter, and account takeover attempts is an effective way to ensure the only people engaging with your followers, customers, and clients are legitimate. However, the sheer number of brand impersonation attacks online makes them difficult to tackle manually. In a report published in May 2020 (Addressing the Rise in Phishing and Financial Fraud), ZeroFox observed almost twice the number of malicious domains compared to 2019 figures. In the first half of 2022 alone, ZeroFox observed over 2.7K malicious domains on behalf of customers with over 7.5K unique malicious domains from July 2021-July 2022. Without relying on some sort of automation, it would be nearly impossible to detect these brand impersonations at scale, particularly if they aren’t using a direct name match.
Impersonation detection automation, often used in digital risk protection software, monitors for risky behavior on key accounts. This includes detection of account takeover attempts and brand abuse, like trademark infringement, logo misuse, piracy, and leaked proprietary content. Through your software, you’ll establish and tune automation rules to watch parked domains and domain registrations for similar keywords through the collection of multiple data sources across the web. This requires a combination of AI analysis and detection of metadata, logos, reverse image searches, and text.
Furthermore, you’ll need the ability to dive deeper than the surface web to process and analyze information across the Deep and Dark Web. Dark Web forums, which brand owners may otherwise be unable to access, house the Underground Economy where your information and protected assets could be up for sale and subject to brand impersonation attacks. Automated monitoring via scraping of these forums can help you uncover attack chatter or sensitive data leaks and breaches that mention brand assets such as IP, product names, and domains.
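The look-alike patterns named in Steps 2 and 3 (common misspellings, homoglyphs, registrations that are not a direct name match) can be screened for in a feed of newly observed domains. The following is an added example, not ZeroFox code or part of the original guide; the brand label `example`, the small confusables table, the category names and the one-edit threshold are constructed assumptions.

```python
import unicodedata

# Constructed, deliberately small confusables table (assumption, not the full Unicode data).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i"}  # \u04xx: Cyrillic
SEQUENCES = {"rn": "m", "vv": "w"}  # letter pairs that read as one letter

def skeleton(label):
    """Fold one lower-case DNS label so that look-alike spellings collide."""
    if label.startswith("xn--"):  # IDN labels arrive as punycode in feeds
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed punycode: compare the raw label
            pass
    text = unicodedata.normalize("NFKD", label).lower()
    text = "".join(CONFUSABLES.get(c, c) for c in text if not unicodedata.combining(c))
    for seq, repl in SEQUENCES.items():
        text = text.replace(seq, repl)
    return text.replace("-", "")

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain, brand, owned=(), max_edits=1):
    """Triage one feed entry: owned, exact, lookalike, typo, keyword or None."""
    domain = domain.lower().rstrip(".")
    if domain in owned:
        return "owned"
    target, verdict = skeleton(brand), None
    for label in domain.split(".")[:-1]:  # every label except the TLD
        folded = skeleton(label)
        if label == brand:
            return "exact"      # brand label under a TLD you do not own
        if folded == target:
            return "lookalike"  # homoglyph, digit swap or hyphenation
        if edit_distance(folded, target) <= max_edits:
            verdict = "typo"
        elif target in folded and verdict is None:
            verdict = "keyword"  # brand embedded in a longer label
    return verdict
```

Short brand names produce many one-edit neighbours, so the threshold and the confusables table need tuning per brand to keep false positives down, which is the alert-rule tuning Step 2 describes.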
Step 4: Employ human analysis and intelligence
Due to the sheer volume of raw threat data you need to ingest and analyze, it can be difficult to discern what poses an immediate threat. AI models with technology such as computer vision can help reduce the noise and add context, but you still need the critical component of human intelligence for impactful brand intelligence.
Brand intelligence, which is a function of cyber intelligence, specifically focuses on protecting an enterprise’s digital presence. Brand intelligence solutions employ humans to collect and analyze data across public and digital platforms, including surface, Deep and Dark Web, social media, mobile app stores, and more with the unique focus on identifying risks to the organization’s brand(s), products, and data.
Typically, a human SOC analyst team will analyze the data collected by automated methods. They’ll review alerts, triage threat levels, and either escalate them to the correct party or provide a deeper level of investigation. Through this process, you’ll gain clarity that just isn’t possible with automation alone.
Human intelligence will also monitor Dark Web forums and chat rooms for brand mentions that can help you thwart attacks in the planning phase or quickly identify potential threats or breaches. For example, they’ll help you decipher early warning signs of attacks wherein personal identifying information (PII) has been leaked, etc.
Human intelligence is also critical for providing contextual recommendations for actioning, such as applying risk scoring for detected threats or facilitating content takedowns.
Human intelligence is especially important when physical security is involved. For example, if there are threats made online targeting your physical location, you’ll need help to efficiently and effectively identify the credibility of threats to inform your response.
Step 5: Implement adversary disruption for threat remediation
Threat remediation activity has grown significantly. Across all industries, ZeroFox has seen a 94% year-over-year (YoY) increase in scam takedowns submitted and then subsequently removed.
You must pursue various takedown types to disrupt the adversary who is creating the malicious content and scams. These include the takedowns of impersonating social accounts, infringing domains, IP abuse, piracy, etc. Each of these takedowns may require differing steps, such as working with providers, proffering evidence, and following specific processes for removal per that provider’s takedown request policies.
Taking on this process manually can be time-consuming and expensive. Instead, many organizations choose to either leverage specialized takedown services or rely on services provided by their cybersecurity vendors.
For example, removing offending content from social media is a much different process than removing a fraudulent website in accordance with the domain host or registrar. It’s a best practice to establish and maintain provider-specific runbooks that capture the takedown types, policies, and processes needed to effectively prosecute takedowns for each use case. If you decide to work with a managed service provider, it’s important to choose a vendor that specializes in all takedown types.
In addition to takedowns, remediation of brand threats can also come in other forms. For example, remediation may include the addition of known malicious domains to industry block lists (like Google Safe Browsing). When a bad actor attempts an account takeover, remediation may also include the triggering of other automated actions like locking down branded social accounts. Typically, a managed service provider can execute these actions.
Why ZeroFox for brand protection?
The only cybersecurity company to go public in 2022, ZeroFox protects the world’s leading companies, organizations, and governments with the only unified platform for external cybersecurity.
Forrester has recognized ZeroFox as a leader in Digital Risk Protection with best-in-class takedown services.
Read this Forrester Total Economic Impact study to see how ZeroFox delivers a 267% Return on Investment.