The problem of website impersonation scams is growing, but many businesses don’t like the tools available to them.
The study, released on Tuesday by digital risk protection solutions company Memcyco, found that nearly three-quarters of companies have implemented a digital impersonation prevention solution to prevent online scams. However, only 6% are satisfied with the protection it provides for them and their clients. Eran Tsur, Memcyco’s CMO, told TechNewsWorld that the results were “really shocking”.
According to the research, almost two-thirds (68%) of companies are aware that their websites are impersonated and nearly half (44%) understand how this impacts their customers. The study was based on 200 full-time employees in director to C-level positions in the digital, web, security and fraud industries in the United States.
Matthew Corwin is the managing director of Guidepost Solutions, an international security, compliance, investigations, and auditing firm.
He told TechNewsWorld that “brand reputation can be severely harmed if customers are scammed by an impersonated site, which can erode trust in the business.”
The reputation of a business can be damaged by a website impersonation scam. Ted Miracco, the CEO of Approov Mobile Security, an international mobile application security firm, also spoke to TechNewsWorld.
Leaning On Customer Reports For Detection
In addition, the study found that two-thirds (66%) of surveyed companies learned of website impersonation attacks through the incident reports of affected customers. Tsur said, “That is unbelievable.” “Not only do the deployed solutions fail to protect against or prevent these attacks, but the organizations have no clue whether or not these attacks have occurred.”
Corwin of Guidepost Solutions noted that businesses relying solely on reports from customers to detect impersonation frauds could miss important early warnings, and the chance to defend themselves against emerging risks proactively. “A reactive strategy puts the burden of proof on customers and can cause damage to customer relationships,” said Corwin.
Miracco from Approov said, “Learning of scams through customers is a sign that the attack has already affected individuals and caused harm before mitigation can even begin.” “Regular scanning is the only way to take down fake sites that mimic brands, but it’s difficult because you have to anticipate events before they happen.”
“Working off customer reports is reactive and not proactive,” he said. “I don’t think there is a good defense yet. Users should be more educated before they respond to emails that appear to be legitimate.”
A study found that more than 37% of businesses first learned about fake websites after customers who were scammed by phishing publicized their experience via social media.
The study asks how long businesses can continue to rely solely on customers for their threat intelligence when AI and phishing kits are increasingly available.
Tsur, of Memcyco, said: “With these kits everything is fully automatic.” “You launch it and then forget about it.”
Cybersecurity’s worst nightmare
Corwin explained that the availability of AI-driven tools and pre-packaged kits allows even individuals with less technical skills to execute convincing impersonations. He explained that AI-enhanced phishing tools are able to mimic legitimate sites more accurately. This can deceive even the most vigilant of users while amplifying the threat environment.
“Often,” he continued, “cybercriminals will also leverage domain names that appear nearly the same as the legitimate address of a company or brand but contain slight variations or errors, known as ‘combosquatting’ or ‘typosquatting.'”
“AI can be very dangerous,” Miracco added. “These tools, which are very easy to use even by people with no technical background, allow anyone to create sophisticated phishing campaigns. It’s our worst cybersecurity nightmare come true — hand-delivered by companies that talk about how wonderful AI will be. Sadly, early adopters are often bad actors.”
Patrick Harr is the CEO of SlashNext. Since the birth of the internet, website impersonations have been a common occurrence.
“These were easy to detect by most users,” he said. “What has changed recently is two things — phishers are squatting on legitimate domains, and phishers are using phishing kits and AI to generate near-perfect website pages.”
“Without AI countermeasures for computer vision, they are difficult to detect and will increase the success of threat actors, not decrease it,” he said.
Strategies To Combat Website Impersonation Scams
Roger Grimes, a defense evangelist for KnowBe4, a security training provider based in Clearwater, Fla., recommended that all companies sending emails implement DMARC, SPF, and DKIM, which are global anti-phishing standards. He told TechNewsWorld that the goal is to stop malicious emails or links that claim to come from a legitimate domain.
He explained that “for example, if I receive an email claiming it is from Microsoft, my email client/server can use DMARC and SPF to verify if the message actually came from Microsoft.”
Miracco advised that companies ensure all web traffic is encrypted using SSL/TLS certificates to make communications harder to intercept.
He also said that mobile applications must implement mechanisms that verify their integrity. This will ensure that all interactions with backend APIs come from legitimate instances of an app. Companies should also hire services to monitor for phishing tools, fake domains and other signs of impersonation.
Corwin stated that in order to combat tactics such as typosquatting, companies can register obvious variations of domain names or likely misspellings. This includes hyphenated domains, other popular extensions, and characters slightly shifted out of place.
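The three kinds of variation Corwin lists can be enumerated for a company's own domain to build a defensive registration or watch list. This sketch is an added example, not part of the original article; the domain examplebank.com, the extension list and the feed of observed domains are constructed assumptions.

```python
"""Enumerate look-alike candidates for a brand's own domain, then match them
against a feed of observed domains (for example, newly registered names)."""

POPULAR_TLDS = ("com", "net", "org", "co", "io")   # assumed list, adjust per market

def _valid(label: str) -> bool:
    # DNS labels may not start or end with a hyphen.
    return bool(label) and not label.startswith("-") and not label.endswith("-")

def variants(domain: str, tlds=POPULAR_TLDS) -> dict[str, set[str]]:
    # Assumes a single registrable label, e.g. "examplebank.com".
    label, _, tld = domain.lower().partition(".")
    out = {"hyphenated": set(), "transposed": set(), "other_tld": set()}
    # Hyphenated: a hyphen inserted between any two characters.
    for i in range(1, len(label)):
        if label[i - 1] != "-" and label[i] != "-":
            out["hyphenated"].add(f"{label[:i]}-{label[i:]}.{tld}")
    # Characters shifted out of place: each pair of neighbours swapped.
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            if _valid(swapped):
                out["transposed"].add(f"{swapped}.{tld}")
    # Other popular extensions on the unchanged label.
    for other in tlds:
        if other != tld:
            out["other_tld"].add(f"{label}.{other}")
    return out

def match_feed(domain: str, observed: list[str]) -> list[str]:
    """Return observed domains that are look-alike candidates of `domain`."""
    candidates = set().union(*variants(domain).values())
    return sorted(d.lower() for d in observed if d.lower() in candidates)

# Constructed feed of observed domains.
FEED = ["example-bank.com", "unrelated.org", "EXAMPLEBANK.NET", "exmaplebank.com"]
```

Matches from `match_feed("examplebank.com", FEED)` are candidates for review, not confirmed impersonation; a registered look-alike may be a legitimate business.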
He added that some services will automate the domain takedown process. Others will provide brand monitoring services to monitor for phishing domains and sites that contain intellectual property. These may be useful to some companies. However, there are many variations in domain names, and the current tools allow for easy creation of phishing sites.
Miracco said that companies shouldn’t just focus on technology defenses, but should also cultivate a culture of awareness about security among customers and employees.
“Website imitation scams are an evolving threat that requires a multi-faceted strategy,” he said. “AI has enabled the problem. We hope that in the near future, we can deploy AI-enabled solutions to prevent users from costly mistakes when using a fake site.”