While customer data breaches are garnering a lot of media attention, a subtler but equally problematic cybercrime is slowly on the rise — domain spoofing.
In this context, cybercriminals register domain names that are virtually identical to an entity’s legitimate domain name and/or brand, often with subtle misspellings or the addition of business designations or generic words describing the entity’s business. The false domain names are so similar to a company’s actual domain and/or brand that they appear legitimate.
The cybercriminals then use the deceptively similar domain name to create email addresses and send emails impersonating a company or its employees, sometimes using the names of the entity’s actual employees — a tactic commonly called “email spoofing.” Those emails typically contain malware in links or attachments, which are triggered by clicking the link or opening the attachment. Other email spoofing schemes attempt to trick recipients into providing login credentials, providing payment card information, or routing wire transfers to the cybercriminal’s bank account.
How Are Domain Spoofing and Email Spoofing Successful?
Anyone can buy a domain name from a registrar. Registering a domain name is easy and usually inexpensive. There are many variations of a legitimate domain name that would be difficult for customers to distinguish. For example, an entity may have a legitimate business domain of <company.com>, so a cybercriminal will register and use the domain <c0mpany.co>.
Moreover, cybercriminals are increasingly taking extra steps to make fake emails look like they are legitimate emails from a company to create customer confusion. For example, cybercriminals may copy the company’s logo, color scheme, and standard email formatting to take advantage of the customer recognition and trust that the company has built in its company branding.
Accordingly, although some domain and/or email spoofing scams appear suspect on their face, others are harder to detect as the cybercriminals behind these types of attacks are researching and obtaining detailed information about real transactions and other business activities to avoid detection. This is happening to businesses. It is happening to banks. It is happening to law firms. In fact, the FBI’s Internet Crime Complaint Center reported in its 2018 Internet Crime Report that there were 15,569 victims of spoofing and 26,379 victims of phishing in 2018, totaling losses of more than $70 million and $48 million respectively (total loss figures that the FBI has cautioned are likely artificially low because some victims do not report losses to the FBI).
When Brand Protection and Cybersecurity Intersect
So what can a company do to protect itself from these cybercrimes? Prevention and awareness are the best defenses. While a business can implement a number of technical safeguards to protect its employees from receiving spoofing emails, it can also implement domain portfolio management strategies to help avoid cybercriminals from sending those emails in the first place by:
- Registering and holding domain names consisting of:
- common domain extensions — for example, in addition to <bestcompany.com>, register and hold domain names with at least the major gTLDs, such as <.co>, <.org>, <.net>, and <.info>;
- common misspellings and variations of the entity’s name and main URL — for example, <bestc0mpany.com>, or <besttcompany.com>;
- common punctuation marks — for example, <best-company.com>; and
- common or company-specific business designations or generic words — for example, <bestcompanyllc.com>, or <bestcompanyfurniture.com>.
- Redirecting all alternative domains to the company’s legitimate domain.
- Subscribing to a domain name watching service to receive notices when domain names are registered that are similar to the entity’s major brands.
- Bringing appropriate Uniform Domain-Name Dispute-Resolution Policy (UDRP) proceedings against domains containing subtle misspellings of the entity’s brands and/or name to recover domain name registrations from cybercriminals.
Above all, brand owners must be proactive in protecting domain assets as part of the overall brand protection strategy. These domain strategies will complement the company’s other safeguards against phishing, spoofing, and business email compromise. In today’s world, where sensitive information is exchanged freely through electronic means, staying one step ahead of cybercriminals protects customers and the company from abuse of company brands online.