Brandjacking: What It Is, Why It Matters, and How to Keep Your Website Safe
In today‘s digital age, a company‘s online presence is one of its most valuable assets. But as brands invest more in their digital identities, opportunistic scammers and fraudsters are finding increasingly sophisticated ways to exploit them. One of the most pernicious and fast-growing threats is brandjacking – a scheme in which bad actors impersonate a brand online to deceive people and profit from its reputation.
Brandjacking incidents are skyrocketing. According to research by Mimecast, 61% of organizations were victims of some form of brand impersonation attack in 2020, up from 33% in 2019. And a study by Agari found that consumers lost over $5.3 billion to phishing and related schemes in 2021 – much of it facilitated by brandjacked websites and accounts.
The danger is clear and present for brands of all sizes and sectors. In this post, we‘ll take a deep dive into what brandjacking entails, the most common forms it takes, how it can harm your business, and most vitally – powerful strategies you can start implementing today to fortify your brand against digital copycats and scammers.
What is Brandjacking? An Overview
At its core, brandjacking is the act of hijacking a company‘s brand – its name, logo, content, or other identifying elements – without authorization, usually to deceive people for financial gain or reputational damage. While some instances, like parody social media accounts, may be relatively harmless, most brandjacking is carried out with malicious intent by scammers looking to profit from a brand‘s established trust and credibility.
Brandjacking attacks are rapidly growing in both volume and sophistication. Mimecast reports that domains suspected of brand impersonation spiked by 366% in 2020 compared to 2019, while the Anti-Phishing Working Group detected over 300,000 phishing websites in December 2021 – many masquerading as legitimate brands. And with AI tools enabling more convincing fake content, the issue will likely only intensify.
The motives vary, but most brandjackers are after a brand‘s customers – and their money and data. Tactics include selling counterfeit products, tricking users into revealing sensitive info, installing malware, and intercepting payments meant for the real brand. Others seek to tarnish a brand‘s image by publishing offensive or misleading content in its name.
While some high-profile brandjacking targets have included Apple, Microsoft, PayPal and other large corporations, no brand is immune. Scammers go after companies of all sizes and industries – as long as there‘s profit potential in the brand name. Smaller businesses can be especially vulnerable, as they often lack the resources for round-the-clock monitoring and mitigation.
The Brandjacker‘s Bag of Tricks: 3 Main Plays to Know
Brandjacking is an umbrella term covering multiple methods bad actors use to impersonate and exploit brands for their own gain. While attack vectors are ever-evolving, most fall into three main buckets. Let‘s unpack each one:
1. The Evil Twin Website
One of the most prevalent brandjacking ploys is website spoofing – creating a website designed to mirror a legitimate brand‘s site, complete with identical logos, colors, fonts and imagery. The goal is to make the fake virtually indistinguishable from the real McCoy.
Spoofed sites often employ URLs very similar to the actual brand‘s domain, such as:
- Swapping .com for .net, .co or another suffix
- Inserting a hyphen (brand-name.com)
- Adding words like "official" or "verify"
- Using common misspellings (amaz0n.com)
When unwitting users land on these doppelganger domains, they‘ll usually try to log in, enter payment details, or perform other normal actions – not realizing their precious info is flowing straight to fraudsters. Some spoofed sites also attempt to install malware like keyloggers and backdoors onto visitors‘ devices.
2. The Snarky Social Imposter
Another popular brandjacking avenue is creating fake social media profiles that appear to belong to real brands. While some are clearly parodies, like the @BPGlobalPR account that poked fun at BP during the Deepwater Horizon scandal, others are wolves in a brand‘s clothing.
These malicious imposters often interact with a brand‘s real followers to spread scams or misinformation. In 2018, scammers created a phony Twitter account mimicking Tesla‘s official support handle and duped eager fans into sending bitcoin payments for a chance to win a free car. The fraudulent account racked up likes and retweets before Twitter shut it down.
Even brandjacked accounts made as jokes can be a major headache for brands if they go viral. In 2015, someone created a fake Facebook account for Target and posted inflammatory replies to customer complaints, forcing the retailer to do damage control.
3. The Phishy "Urgent" Email
By now, most of us have seen suspicious emails purporting to be from a familiar brand, urging us to click a link and log in or update our payment info to resolve an "urgent" issue with our account. There‘s a reason they‘re so common – they work. In fact, 82% of companies say email is the source of their most damaging cyberattack.
These phishing messages often leverage psychological tricks to manipulate targets:
- Authority – Impersonating a trusted brand to inspire compliance
- Scarcity – Threatening loss of service to spur quick action
- Social proof – Citing other "happy customers" who complied
When panicked users click the enclosed link, it ferries them to a spoofed website to capture any data they enter. Some phishing emails also carry malware payloads that infect the user‘s device if opened.
The Compounding Costs of Brandjacking
Far from a mere nuisance, brandjacking can inflict major damage on its victim brands. The ripple effects on a brand‘s finances, reputation and customer relationships can linger long after an attack is discovered and mitigated.
Some of the key ways brandjacking hurts businesses include:
Lost revenue. When scammers siphon off sales of counterfeit goods or swipe customers‘ credit card numbers, that‘s money that should have gone into the real brand‘s coffers. And the losses can accumulate fast – one estimate pegs the total value of counterfeit products sold online at $1.8 trillion in 2020.
Angry, confused customers. A recent survey found that 63% of consumers would lose trust in their favorite brand if they fell victim to a phishing scam impersonating it. When a customer‘s finances or data are compromised by a fake site or account, they often blame the brand itself – dinging its reputation as their grievances go viral.
Expensive legal battles. Going after brandjackers for trademark violation and other offenses takes time and money. Apple reportedly spends over $500K per year on anti-counterfeiting legal fees alone. The costs climb higher when scammers operate overseas, complicating jurisdiction and enforcement.
Damaged search presence. When spoofed websites outrank the real brand on search engine results pages (SERPs), they can intercept valuable traffic and leads. Clawing back that lost visibility with paid ads gets expensive fast.
Lost lifetime value. Even if a brandjacking incident doesn‘t directly fleece a brand‘s customers, it can still make them warier of engaging with that company in the future. According to research by Mimecast, 61% of people would hesitate to spend money with a brand after receiving a suspicious email in its name.
The bottom line: Failing to protect against brandjacking doesn‘t just bite into short-term sales – it erodes the very brand equity companies work so hard to build, damaging vital customer relationships and hampering long-term growth. As a Forrester Consulting study for Mimecast found, firms that have suffered phishing incidents leading to breach have experienced more than $6 million in additional costs.
5 Key Strategies to Shield Your Brand from Digital Impersonators
Now for the good news: While no brand is 100% safe from brandjacking attacks, there are concrete steps you can take to drastically reduce your risk and contain potential fallout. Here are five fundamental moves to make in fortifying your digital presence:
1. Register trademarks for core brand assets
Job one is obtaining legal protection for your brand‘s intellectual property – things like your business name, product names, logos, mascots, taglines and other defining elements. In most cases, that means applying for trademarks.
Having registered trademarks makes it much easier to prove your rights to your brand property and to pursue bad actors for infringement. In the U.S., trademarks are registered through the United States Patent and Trademark Office. Similar bodies handle the process in other countries.
In addition to your brand name and logo, consider trademarking:
- Product and service names
- Company taglines and ad slogans
- Abbreviations, acronyms and nicknames
- Signature colors and designs
- Mascots and other brand characters
If you sell physical products, you can also record your registered trademarks with U.S. Customs and Border Protection (CBP). This helps CBP officers identify and block imported goods that infringe on your marks.
2. Monitor vigilantly for brand abuse
You can‘t fight brandjacking if you don‘t see it coming. That‘s why investing in robust monitoring systems is essential for spotting threats early, before they snowball into full-blown crises.
Online brand protection services like Mimecast‘s, BrandShield and Red Points use AI and machine learning to continuously scour the web, social media, app stores and online marketplaces for signs of brand impersonation and IP infringement. When incidents are detected, they send real-time alerts and reports to help guide enforcement.
On the DIY front, Google Alerts can help you track web mentions of your brand and related keywords like "scam," "fake" or "complaint." Tools like Hootsuite and Sprout Social also let you monitor your brand name on social media.
Pay special attention to:
- New domains resembling your brand name
- Social media handles and pages using your branding
- Marketplace listings of counterfeit versions of your products
- Fraudulent mobile apps posing as yours
Importantly, educate your employees on how to spot and report suspected brandjacking activity. Your people can act as crucial eyes and ears in the fight against fakes.
3. Proactively secure your digital real estate
One of the easiest ways to thwart website spoofing is to deprive scammers of the domains they need to create convincing fakes. Wherever possible, register not just your brand‘s exact URLs, but also common misspellings and variations, like:
- Singular/plural (nike.com vs. nikes.com)
- Hyphens (coca-cola.com vs. coca-cola.com)
- Additional words (airbnb.com vs. airbnbrentals.com)
- Alternate TLDs (chase.com vs. chase.net)
In addition to .com, consider buying up versions of your domain on other popular top-level domains (TLDs) like .net, .co and .biz. You may also want to grab relevant domains on country-specific TLDs if you have a presence in those markets, like .ca for Canada or .de for Germany.
You don‘t have to build out unique sites for each of these domains – just set them up to redirect to your main website. That way, visitors still land on the real deal if they type in a close variation of your URL.
4. Have a playbook for rapid response
Even the most vigilant brands can still fall victim to brandjacking. That‘s why it‘s critical to have a clear action plan in place for when incidents do occur. The faster you can identify and neutralize threats, the less damage they can do.
Your rapid response plan should cover:
- Roles and responsibilities of your response team
- Criteria for assessing an incident‘s severity and prioritizing response
- Protocols for alerting affected customers and the public
- Steps for gathering and preserving evidence
- Processes for contacting hosting platforms, social networks, etc. to remove fake content
- Guidance for when to get lawyers and law enforcement involved
Teams should regularly drill the response plan to ensure all members know their duties and communications channels are clear. Also ensure contact details for key internal players and outside partners (hosting providers, platforms, legal counsel, etc.) are up to date.
5. Educate your customers and the public
Your customers can be powerful allies in combating brandjacking – if you arm them with the knowledge to spot and avoid scams. Make a habit of communicating:
- Your official website URL and social media handles
- How to identify verified emails and accounts from your brand
- What information you will and won‘t request via email
- How to report suspected scams and abuse
When brandjacking incidents do occur, notify customers right away through your official channels. Describe what happened, what you‘re doing about it, and what customers should do if they were affected.
Also consider reaching out to industry associations and media outlets that track and write about brandjacking trends. The more widely you can spread the word about specific scams targeting your customers, the fewer victims they can claim.
Playing the Long Game Against Brandjackers
In a digital world, a brand‘s online presence is one of its most powerful yet vulnerable assets. By impersonating trusted brands, brandjackers can deceive customers, pilfer revenues, and inflict lasting reputation damage. Brands that fail to mount a strong, proactive defense will only see the threats metastasize.
But those that invest in a comprehensive brand protection strategy – spanning user education, monitoring and swift enforcement – can nip emerging risks in the bud and send scammers packing. While the battle against brandjackers is never over, the right preparation and foresight can keep your brand‘s integrity intact, so you can focus on delighting real customers and driving real growth.
