The attack that happens where you can't see it
Most of your security program defends assets you control — your laptops, your cloud accounts, your code. Brand impersonation is different: it happens entirely outside your perimeter. An attacker registers a domain that looks almost exactly like yours, stands up a near-perfect clone of your login page or your invoice template, and starts deceiving people in your name — your customers, your partners, sometimes your own employees. Your firewall never sees a packet of it, your endpoint agents have nothing to detect, and the first you hear of it is often a customer asking why "you" emailed them asking for a payment.
That blind spot is the whole problem. The clone domain trades on the trust you spent years building, and the fallout — drained customer accounts, fraudulent wire transfers, a tarnished name — lands on you regardless of who registered it. For a lean team this feels unfair and unmanageable, but it isn't unmanageable. The same way external attack-surface management watches the internet for your exposed assets, you can watch it for the fakes wearing your name, and catch the impersonation while it's still being staged.
The shapes brand impersonation takes
It's worth naming the common variants, because each suggests a different signal to watch for:
- Typosquatting and lookalike domains.
yourcompany.coinstead of.com,your-company.comwith a hyphen,yourcornpany.comwith an rn-for-m swap, or a foreign-character homoglyph that's visually identical. These host phishing pages or send mail that slips past a quick glance. It's the same vehicle behind business email compromise — the lookalike address that pressures a finance employee into a wire. - Spoofed sender domains. Mail forged to appear from your exact domain — which is precisely what SPF, DKIM, and DMARC exist to blunt, and why a monitored DMARC report stream is an early-warning system, not just a compliance checkbox.
- Cloned websites and login pages. A pixel-perfect copy of your sign-in screen on a lookalike domain that harvests credentials — feeding the exact account-takeover and credential-stuffing attacks you defend against internally.
- Fraudulent fake accounts and ads. Social profiles, app-store listings, or paid search ads using your name and logo to push scams or malware to people who think they're dealing with you.
- Abused logos and assets. Your branding pasted onto fake invoices, support pages, or crypto-scam sites to lend them legitimacy.
You can watch the outside, too
The instinct is that anything outside your perimeter is unknowable. It isn't — the signals are public, and watching them is a discipline, not magic:
- Monitor for newly registered lookalike domains. Permutations of your domain that appear in registration feeds and certificate-transparency logs are an early warning: a freshly minted
yourcompany-support.comwith a brand-new TLS cert is a campaign being built. This is the registration-and-DNS-hygiene story from DNS security turned outward — watching for the bad domains, not just locking down your own. - Watch certificate transparency for your brand terms. Every public TLS cert is logged. A cert issued for a domain containing your brand that you didn't request is a strong, early signal worth catching the day it appears.
- Read your DMARC reports. Aggregate reports show who is sending mail claiming to be your domain. A spike from infrastructure you don't recognize is impersonation in progress — and the reason to move DMARC from
p=nonetowardreject. - Search for your brand where scams cluster. App stores, social platforms, and ad networks are where fake accounts and lookalike ads surface. Periodic checks for your name and logo catch what domain feeds miss.
From sighting to action
A monitoring signal is only useful if it drives a response. The playbook for a confirmed impersonation is well-worn:
- Triage by how convincing and how active it is. A parked lookalike domain with no content is lower-stakes than a live credential-harvesting clone of your login page actively phishing customers. Rank it by real harm, the same exposure-first logic you apply to internal findings.
- Warn the people being targeted. If customers are receiving phishing under your name, a proactive heads-up — on your real site and through your real channels — protects them and your reputation. A maintained trust center gives you a credible place to publish it.
- Pursue takedown. Report the domain to its registrar and hosting provider, the phishing page to browser-safe-browsing programs, the fake profile to the platform. Most have abuse processes; impersonation and trademark abuse are usually clear violations.
- Harden the path it's exploiting. A spoofed-sender campaign is the prompt to enforce DMARC reject; a cloned login page is the prompt to push phishing-resistant MFA so harvested passwords are worth less.
- Tie it to financial fraud watch. Executive-impersonation and fake-invoice campaigns aim at your money, so a sighting should raise alertness on the wire-fraud and BEC controls that catch the payment itself.
An active impersonation is a finding, not a footnote
A confirmed lookalike domain hosting a clone of your login page is a finding with an owner and a clock — its severity set by how active and convincing the fake is, and tracked through takedown the way you track any other remediation. Logging the sighting, the takedown request, and the resolution also builds the record that you actively monitor for abuse of your brand.
It strengthens the trust story, too
Customers and assessors increasingly ask how you protect them from fraud committed in your name. Evidence that you monitor for lookalike domains and brand abuse, enforce email authentication, and act on impersonation isn't a core control in most frameworks, but it's exactly the kind of proactive posture a security questionnaire and a mature trust center reward — and it drops into continuous evidence collection alongside the rest of your program.
One honest caveat: a platform can watch registration feeds, certificate-transparency logs, and DMARC reports for lookalike domains and spoofed senders, surface them as findings, and track the takedown — it organizes, watches, and proves the work. It does not register your defensive domains, take down a fake on your behalf, enforce your email authentication, or grant or guarantee any certification; the DMARC enforcement, the takedown filings, and any legal action are steps your team and counsel own, and trademark or fraud questions are a matter for counsel.
Brand impersonation happens outside your perimeter, so your firewall never sees it — but the lookalike domain cloning your login page and the spoofed email asking your customers for money both land the damage on you. You can watch the outside, too: monitor for newly registered lookalike domains, read certificate-transparency logs and DMARC reports for your brand, and treat a live clone of your sign-in page as a finding with a clock and a takedown. Catch the fake you before your customers do.