Social media is undoubtedly a huge asset to modern organizations. It helps them spread their message, promote their products and services, and communicate directly with customers, and users.
Along with those benefits, social media also presents a unique threat. Never before has it been so easy for threat actors to abuse the trust built up by an organization, damage its reputation, profit illegally, and even target loyal customers with cyber attacks.
What is Social Media Brand Impersonation?
For the most part, brand impersonation on social media takes three forms:
1. Direct impersonation
Sometimes called brandjacking, direct impersonation usually takes the form of fake social media accounts.
Social media is famous for its practically non-existent barriers to entry. As long as someone has an Internet connection and an email address, they can create a free account on any of the dozens of social media services.
And that's exactly what cyber criminals do; they create fake accounts in the name of a target organization that claim to be official. Once setup, they do everything possible to make the account seem legitimate, including copying banner images and account descriptions from the target organization's official social media accounts.
Once an account is ready, the owners will post messages, take part in ongoing conversations, use slogans and hashtags associated with the brand, and even comment on the real brand's posts and pages in response to customer questions. Since social media is designed to be consumed quickly, many people simply aren't alert enough to tell the difference between real and fake accounts under these circumstances.
2. False or misleading brand mentions
As easy as it is to set up a fake account, it's even easier to claim that a message, product, or URL is associated with a trusted brand when it really isn't. In these cases, cyber criminals will name drop trusted brands or individuals in their social media posts and communications to add credibility and/or claim endorsement. This tactic has been used to help sell dubious products or services, damage the reputation of targeted organizations, and even spread malware.
Since most people don't take time to verify the content of social media posts, it's easy for them to fall victim to this basic social engineering tactic.
3. Sale of counterfeit goods or services
Everyone is familiar with knock-off merchandise. In the real world, few of us are likely to be fooled by cheap imitations, although we might seek them out from time to time.
Online, things are different. It's very easy for criminals to advertise and sell counterfeit goods and services using real product imagery, as well as create websites or social media accounts that closely mimic those of legitimate brands. That means that for the unwary, it's easy to be misled into buying what you think is a legitimate item, only to discover your mistake when it arrives.
What's the Big Deal?
Brand impersonation is inevitable.
Is that really such a big deal? After all, you don't see Gucci or Rolex losing sleep over a few counterfeit bags and watches being sold on the streets, do you?
The difference with online brand impersonation is that the audience is potentially huge. Fake social media accounts in particular can cause organizations a huge amount of embarrassment. BP, for example, learned the hard way in the wake of the Deepwater Horizon oil spill, when a fake satirical account racked up twice as many followers as their genuine corporate account.
And while that might be an outlier in terms of reach, the damage caused when fake accounts are used to divert customers away from genuine lines of support can be very real. Customers are routinely tricked into giving up their account credentials, payment card details, PII, or even download malware.
Over time, these schemes can cause real damage to a brand's reputation and eat away at the trust built up between an organization and its customers.
What Can Brands Do About It?
Brand impersonation on social media isn't going anywhere.
Seemingly, the big social media providers are struggling to even stem the flow of fake political accounts. You can imagine how far up their priority list fake business accounts might be in comparison. And, if the top dogs aren't paying attention, it would be foolish to imagine that smaller players like download sites, auction sites, paste bins, and discussion boards are giving any thought whatsoever to brand impersonation on their platforms.
So what can organizations do to defend against the criminals creating mayhem and profit by impersonating their trusted brands and trademarks?
They can monitor the web for brand abuse, impersonation, and counterfeits, and take swift action to have them removed wherever they arise. However, unlike traditional social media threat monitoring that is tackled by the marketing team, this is a specialized approach. More specifically, threats can be monitored for on more than 600+ social channels including forums, blogs, and the major networks, and they can have a specified scope such as non-parody impersonation or threats against an executive.
At PhishLabs, we offer such solutions as part of Digital Risk Protection, where we offer intelligence and mitigation of external threats across email, mobile, domain, social media, deep, dark, and open web.
Additional Resources: