Financial Services Firms Urged to Take Proactive Measures Against Brand Impersonation Attacks
In August 2022, American Express experienced a brand impersonation attack that targeted approximately 2,000 customers. Cybercriminals created a fake website that appeared to be the genuine American Express site, tricking customers into entering their login credentials. The hackers then sold these credentials to other fraudsters on the Dark Web. Although American Express acted quickly to address the attack, it still suffered negative publicity. However, this type of threat is not unique to American Express, as the financial services industry is frequently targeted by brand impersonators.
So, how do brand impersonation attacks work? Cybercriminals have developed a successful method for targeting banks and financial services providers. It begins with a phishing message sent via email or social media, pretending to be from a well-known financial services firm’s customer service representative. The message informs the recipient that they need to take action to secure their account and provides a link that claims to lead to the official website. However, the linked website is actually a convincing fake. Many customers unknowingly enter their login information on these fake sites, resulting in devastating consequences. Not only do customers lose money, but the affected brands also suffer from negative publicity, brand shaming, and damaged customer relationships.
A report by Memcyco, a provider of anti-website spoofing technology, highlights the impact of these attacks on customers. According to its research, only 2% of brands reimburse customers who fall victim to brand impersonation attacks. Companies can avoid responsibility because the attackers exploit no vulnerabilities in the companies’ own websites or applications. However, there is hope for customers, as governments worldwide are considering regulations that will hold companies accountable for failing to detect such attacks and warn their customers.
The financial services industry is a prime target for brand impersonation attacks. A report by Mailsuite reveals that out of 1.14 million phishing scams since 2020, 249,615 involved brand impersonation. Four of the top ten most impersonated brands in the US are banks or financial services providers. Between 2020 and 2023, the financial services industry accounted for 24.57% of known brand impersonation attacks, second only to the IT and technology sector with 27.93%.
It’s evident why attackers focus on impersonating financial brands. These companies have high levels of customer engagement, and the information customers provide is valuable to criminals. Additionally, the industry lends itself to exploiting customers’ emotions, as offers of rebates, windfalls, or warnings about security breaches grab attention.
Victims of brand impersonation attacks often find themselves in dire situations. For example, Synapse, a US financial services provider, recently admitted to losing $85 million in customer funds due to mismanagement and online fraud. Thousands of customers are unable to access their funds, as their accounts are frozen during the bankruptcy process. The pain felt by victims explains why 40% of companies surveyed by Memcyco reported that affected customers stopped doing business with them. This emphasizes that customers hold companies responsible for their failure to protect them.
Memcyco’s report also highlights the lack of visibility into brand impersonation attacks. Over two-thirds of affected companies only discover they have been impersonated after customer complaints, leading to negative online experiences and “brand shaming”.
To protect customers from website impersonation, brands must take several steps. First, they should immediately inform customers when they become aware of impersonation scams and use email and social media alerts to prevent further victims. They should also notify authorities and web hosting providers of malicious websites, working together to take them down. Financial services companies can employ anti-spoofing tools to monitor the web for fraudulent websites impersonating their brand. Tools like Memcyco can identify fake websites within hours of the sites going live and provide real-time alerts to customers.
Brand impersonation attacks are a growing problem for businesses, particularly in the financial services sector. While banks and financial services organizations may not be responsible for malicious websites, it is in their best interest to mitigate the damage and protect their customers.