
The Security Risk Most of the Industry is Ignoring

Wednesday, Feb 24th, 2021.

Brand monitoring is typically sold as a reputation tool, not as a security control. But the pandemic has shown that a lack of brand monitoring gives attackers the upper hand.

Are you monitoring how people use your brand name online? You should be, and not just for the traditional reasons. Brand management companies have long sold their services as reputation management tools, helping companies spot damaging reviews or comments before they go viral, so that they can get ahead of any issue and shape the narrative in a way that works for them.

When not used for reputation, these tools usually live in marketing's bailiwick, showing how customers talk about products and problems and helping the team understand what solutions users are looking for.

But as business has moved even further online in the wake of the Covid-19 pandemic, brand monitoring has become more of a security issue than anything else.

Take the news about Covid-19 vaccine scams, where the Wall Street Journal reported that as of last week Homeland Security had seized $33 million in illicit proceeds related to websites claiming to offer the Covid-19 vaccine to people willing to pay $30 a dose. The scammers built websites that appeared to be run by Moderna, Pfizer, or BioNTech SE, all reputable companies that did not initially realize their names were being used to defraud customers.

But even these scams paled in comparison to the site that attackers set up to mimic Regeneron Pharmaceuticals Inc., the biotechnology company that provided the treatment given to former President Trump late last year when he had Covid-19. This website's goal wasn't to sell fake doses of the medicine, but rather to collect information that could be used in phishing attacks.

The industry habit of launching a separate website, on a separate domain, for every new product or campaign has only furthered user confusion: most people trust that a site which looks legitimate is in fact legitimate, even when the domain name is not the one they would expect.

On one hand, if attackers are stealing money or information from your customers, that is obviously a reputation issue. It isn't hard to imagine people who thought they had paid Moderna for a vaccine being upset with Moderna once the vaccine never materializes. But the security risk is greater still when the fake site is used to harvest information, especially login credentials.

It's bad enough when a customer's account is compromised, since a foothold in one part of a system makes it easier to reach the others. But what if the credentials the attackers obtain belong not to a customer but to an employee?

Unfortunately, quite a few companies know this horror all too well. The loss of even one administrator's credentials can cause huge problems. For example, the 2020 Twitter attack, in which a vast swath of verified celebrity and politician accounts solicited bitcoin from their followers, was the result of a spear phishing attack that stole an administrative password from a single Twitter employee working from home. Marriott also suffered a data breach in 2020 that exposed the personal information of up to 5.2 million guests after attackers obtained the login credentials of two employees at a franchise property.

In fact, anywhere between 70% and 90% of successful breaches are attributed to social engineering and phishing rather than to unpatched software or software exploits. In other words, attackers are far more likely to succeed by following the playbook used against Regeneron's customers than by trying to "brute force" their way into your systems.

What might this look like? One attempt we've seen in the wild sent users an alarming error message purporting to come from a financial institution they were likely to have an account with, such as PayPal. The link led to a mockup of the PayPal website, where the user was prompted to enter their login credentials and was then forwarded to the real site. Because the redirect landed them where they expected to be, users had no reason to suspect anything unusual had happened, even though their credentials had already been logged and stolen. This isn't particularly unusual; according to Webroot, as of 2018 financial institutions made up the vast majority of impersonated companies.

In a particularly egregious case, one of our clients had their entire website mirrored, job postings included, in order to harvest financial data from candidates applying to work for the company. In another case we found multiple social media imposters set up in the name of one of our clients, working to gather details from companies and individuals who worked with them or wanted to in the future.

But, as we mentioned, it isn't just users who are targeted. We have come across cases where VPN software was mocked up to phish employee logins to internal systems, and where a website's login screen was cloned and bogus error messages were then sent to its administrators of record to lure them into signing in on the clone.

How, then, do companies avoid the security risks of phishing attempts like these? Obviously the first step is to train employees in online safety and in recognizing attempts to extract information from them. But as 2020 has shown, training alone often isn't enough.

Another strategy is to employ brand monitoring. This is a service we regularly offer our clients: we track how your brand, and the names associated with it, are being used online in order to locate potential mirrors and phishing infrastructure before they become a problem. Using tools that constantly crawl the internet and social media for mentions of your brand, your leadership team, and the images associated with both, we are able to find people pretending to be part of your company before they do damage.
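As an added example, not code from this post or from any monitoring vendor, the script below shows one check that such a crawl performs: it generates the typo, homoglyph and keyword variants of a brand name that phishing domains like the PayPal and Regeneron clones above tend to use, then scans a feed of newly observed domains for them. The brand name, the list of legitimate domains, the homoglyph table and the sample feed are all constructed for illustration; a production version would pull candidates from certificate transparency logs or zone-file feeds and split domains with the public suffix list rather than the naive last-dot split used here.

```python
"""Lookalike-domain finder of the kind a brand-monitoring crawl runs.

Added example for this post; not code from the original page or from any
monitoring vendor. Brand name, legitimate-domain list and the feed of newly
observed domains are all constructed for illustration.
"""
import re

# Character swaps that read as the original at a glance (assumed list, not exhaustive).
HOMOGLYPHS = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
    "o": ["0"], "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}


def label_variants(brand):
    """Single-edit typos and homoglyph swaps of a brand label such as 'moderna'."""
    variants = set()
    n = len(brand)
    for i in range(n):
        variants.add(brand[:i] + brand[i + 1:])                     # omitted character
        variants.add(brand[:i] + brand[i] + brand[i:])              # doubled character
        if i < n - 1:                                               # adjacent transposition
            variants.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
        for sub in HOMOGLYPHS.get(brand[i], []):                    # homoglyph substitution
            variants.add(brand[:i] + sub + brand[i + 1:])
    variants.discard(brand)
    return variants


def levenshtein(a, b):
    """Edit distance; catches multi-character tweaks the generator above misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand, variants, legit_domains):
    """Return why a domain looks like an impersonation, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in legit_domains:
        return None
    # Naive split on the last dot; real code would use the public suffix list.
    label, _, _tld = domain.rpartition(".")
    core = label.split(".")[-1]          # registrable label, e.g. 'moderna-login'
    if core == brand:
        return "brand name on a TLD you do not own"
    if core in variants:
        return "typo or homoglyph of the brand name"
    if brand in core:
        return "brand name combined with other words"
    if any(part in variants for part in re.split(r"[-.]", label)):
        return "typo or homoglyph of the brand name inside a longer label"
    if levenshtein(core, brand) <= 2:
        return "within edit distance 2 of the brand name"
    return None


def scan_feed(feed, brand, legit_domains):
    """Run classify() over a feed of newly observed domains; returns {domain: reason}."""
    variants = label_variants(brand)
    hits = {}
    for domain in feed:
        reason = classify(domain, brand, variants, legit_domains)
        if reason:
            hits[domain] = reason
    return hits


# Constructed sample feed, standing in for new registrations or CT-log entries.
SAMPLE_FEED = [
    "moderna.com",                         # the real site (assumed legitimate here)
    "moderna.co",                          # brand name on another TLD
    "rnoderna.com",                        # 'rn' standing in for 'm'
    "modrena.com",                         # transposed letters
    "modema.com",                          # two edits away
    "moderna-vaccine-order.com",           # brand plus lure keywords
    "secure-login.moderna-account.net",    # subdomain dressing
    "moderncraft.org",                     # unrelated, should not flag
    "example.com",
]

if __name__ == "__main__":
    for domain, reason in scan_feed(SAMPLE_FEED, "moderna", {"moderna.com"}).items():
        print(f"{domain:40} {reason}")
```

Every hit is a candidate for analyst review, not a verdict: the substring rule will also flag innocent names that happen to contain the brand, and this version does not decode punycode, so internationalized domains using Cyrillic or other look-alike scripts need an extra normalization step before the same checks apply.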

Such a brand monitoring strategy has the added benefits of helping you to better target your customers and keep abreast of marketing trends, as well as improving your customer support and helping you to stay on top of customer issues before they get out of control. Our experts are well versed in industry tools and can set you up with such a strategy quickly—making sense of the digital noise without requiring that someone on your team take time away from running your business.

Interested in finding out more? Contact us: