While customer data breaches are garnering a lot of media attention, a subtler but equally problematic cybercrime is slowly on the rise – domain spoofing. In this context, cybercriminals are registering domain names that are virtually identical to an entity’s legitimate domain name and/or brand, often with subtle misspellings or the addition of business designations or generic words describing the entity’s business. The false domain names are so similar to a company’s actual domain and/or brand that they appear legitimate. The cybercriminals then use the deceptively similar domain name to create email addresses and send emails impersonating a company or its employees, sometimes using the names of the entity’s actual employees – a tactic commonly referred to as “email spoofing.” Those emails typically contain malware in links or attachments and try to trick the recipient into clicking the link or opening the attachment. Other email spoofing schemes attempt to trick recipients into providing login credentials, providing payment card information, or routing wire transfers to a different bank account.
How Are Domain Spoofing and Email Spoofing Successful?
- Anyone can buy a domain name from a registrar. Registering a domain name is easy and usually inexpensive. There are many variations of a legitimate domain name that would be difficult for your customers to distinguish. For example, an entity may have a legitimate business domain of <company.com>, so a cybercriminal will register and use the domain <c0mpany.co>.
- Cybercriminals take the extra step to make fake emails look like they are from your company to create customer confusion. For example, they may copy your company’s logo, color scheme, and standard email formatting to take advantage of the customer recognition and trust that your company has built in your company’s branding.
Although some domain and/or email spoofing scams appear suspect on their face, others are harder to detect because the cybercriminals behind these attacks research and obtain detailed information about real transactions and other business activities in an attempt to avoid detection. This is happening to businesses. It is happening to banks. It is happening to law firms. In fact, the FBI’s Internet Crime Complaint Center (IC3) reported 15,569 victims of spoofing and 26,379 victims of phishing in 2018, totaling losses of more than $70 million and $48 million respectively (and these total loss figures are likely artificially low because some victims do not report losses to the FBI).
When Brand Protection and Cybersecurity Intersect
So what can you do to protect your organization from these cybercrimes? Prevention and awareness are the best defenses. While there are numerous technical safeguards a business can implement to keep its employees from receiving spoofed emails, you can also protect your organization by implementing domain portfolio management strategies. For example, an organization should:
- Register and hold domain names consisting of:
  - Common domain extensions – for example, in addition to <bestcompany.com>, register and hold domain names with at least the major gTLDs such as <.co>, <.org>, <.net>, and <.info>;
  - Common misspellings and variations of your entity’s name and main URL – for example, <bestc0mpany.com> or <besttcompany.com>;
  - Common punctuation marks – for example, <best-company.com>; and
  - Common or company specific business designations or generic words – for example, <bestcompanyllc.com> or <bestcompanyfurniture.com>.
- Redirect all alternative domains to your company’s legitimate domain.
- Subscribe to a domain name watching service to receive notices when domain names are registered that are similar to your entity’s major brands.
- Consider bringing UDRP proceedings against domains containing subtle misspellings of your entity’s brands and/or name to recover domain name registrations from cybercriminals.
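The variant categories in the list above can be turned into a registration and watch list and checked against a feed of newly registered domains. The following is an added example, not part of the original article; the substitution table, function names, owned portfolio, and feed are assumptions constructed for illustration, and it also pairs each name variant with the alternate extensions, which covers cases like <c0mpany.co>.

```python
EXTENSIONS = ("com", "co", "org", "net", "info")        # extensions named in the article
LOOKALIKES = {"o": "0", "l": "1", "i": "1", "e": "3"}   # assumed substitution table

def name_variants(words, designations):
    """Map each lookalike second-level name to one of the article's categories."""
    name = "".join(words)
    out = {}
    for i, ch in enumerate(name):
        if ch in LOOKALIKES:  # look-alike character, e.g. o -> 0
            out.setdefault(name[:i] + LOOKALIKES[ch] + name[i + 1:], "misspelling")
        out.setdefault(name[:i] + ch + name[i:], "misspelling")  # doubled letter
    if len(words) > 1:
        out.setdefault("-".join(words), "punctuation")
    for word in designations:
        out.setdefault(name + word, "designation")
    return out

def portfolio(words, tld="com", designations=()):
    """Return {domain: category} for every variant worth registering or watching."""
    name = "".join(words)
    exts = sorted({tld, *EXTENSIONS})
    out = {f"{name}.{ext}": "extension" for ext in exts if ext != tld}
    for variant, cat in name_variants(words, designations).items():
        for ext in exts:
            out[f"{variant}.{ext}"] = cat if ext == tld else f"{cat}+extension"
    return out

def triage(feed, owned, table):
    """Flag feed entries that match the table and are not already held."""
    hits = []
    for raw in feed:
        domain = raw.strip().lower().rstrip(".")  # normalize case and trailing dot
        if domain in table and domain not in owned:
            hits.append((domain, table[domain]))
    return hits

# Constructed sample data: domains already held and one day of a watch feed.
OWNED = {"bestcompany.com", "bestcompany.net", "best-company.com"}
FEED = ["BestC0mpany.com", "bestcompany.net", "bestcompanyllc.co",
        "example.org", "besttcompany.com."]

if __name__ == "__main__":
    table = portfolio(("best", "company"), designations=("llc", "furniture"))
    print(len(set(table) - OWNED), "variants not yet held")
    for domain, category in triage(FEED, OWNED, table):
        print(domain, category)
```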
Above all, brand owners must be proactive in protecting domain assets as part of the overall brand protection strategy. These domain strategies will complement your company’s other safeguards against phishing, spoofing, and business email compromise. In today’s world where sensitive information is exchanged freely through electronic means, staying one step ahead of cybercriminals protects your customers and your company from abuse of your company’s brands online.