Website impersonation scams are escalating, yet many businesses are dissatisfied with the effectiveness of their current protective measures.
A study released Tuesday by digital risk protection firm Memcyco reveals that nearly 75% of businesses have implemented digital impersonation protection solutions. However, only 6% of these organizations are satisfied with how well these tools safeguard them and their customers. “That’s quite surprising,” Memcyco CMO Eran Tsur told TechNewsWorld.
The study found that over 68% of businesses are aware their websites are being impersonated, and nearly 44% recognize that this directly affects their customers. The research, based on a survey of 200 senior employees in the security, fraud, digital, and web sectors from the U.S. and the U.K., highlights significant concerns.
“A spoofed website can result in substantial financial losses for customers if they’re tricked into disclosing login credentials or personal information,” said Matthew Corwin, managing director of Guidepost Solutions, a global security and compliance firm.
“Brand reputation can suffer significantly if customers fall prey to scams from impersonated websites, leading to a loss of trust in the company,” he added.
Website impersonation scams can have more severe consequences than just reputational damage. “There are direct financial losses from fraud, as well as indirect costs such as remediation, legal fees, and potential customer compensation,” noted Ted Miracco, CEO of Approov Mobile Security, a global mobile app security company.
Relying on Customer Reports for Detection
The study also revealed that two-thirds (66%) of surveyed companies learn about website impersonation attacks through incident reports from affected customers. “It’s concerning,” Tsur said. “The solutions in place aren’t preventing these attacks, and organizations often find out about them only after customers report issues.”
Corwin from Guidepost Solutions emphasized that relying mainly on customer reports can lead to missed early warnings and hinder proactive defense against emerging threats. “A reactive approach places the burden on customers, damaging relationships and trust,” he said.
“Discovering scams through customer reports means the damage has already been done before any mitigation can begin,” Miracco added. “Regular scans might help detect fake websites in advance, but predicting attacks before they happen is challenging.”
The study also noted that over 37% of businesses first learn about fake websites when customers affected by phishing scams share their experiences on social media, a practice known as “brand shaming.”
With the rise of AI and readily available phishing kits, businesses must question how long they can rely on customers for threat intelligence.
“AI and automated phishing kits make it easier to launch and manage impersonation attacks,” Memcyco’s Tsur pointed out. “These tools are readily accessible and can be set up with minimal effort.”
Cybersecurity Challenges
Corwin explained that AI-driven tools and pre-packaged phishing kits enable even less skilled individuals to execute sophisticated impersonation attacks. “AI can create near-perfect website replicas, making it harder for users to distinguish between genuine and fake sites,” he said.
“Often, cybercriminals use domain names that are very similar to legitimate ones, incorporating slight variations or errors known as ‘combosquatting’ or ‘typosquatting,’” Corwin added.
Miracco warned that the ease of using AI tools means that even those with minimal technical expertise can conduct elaborate phishing campaigns. “AI tools have become a significant threat, often falling into the hands of malicious actors,” he said.
Patrick Harr, CEO of SlashNext, noted that while website impersonations are not new, their sophistication has increased. “Phishers are now using phishing kits and AI to create almost indistinguishable fake websites,” he said.
Combating Website Impersonation Scams
Roger Grimes, a defense expert with KnowBe4, recommended that businesses implement DMARC, SPF, and DKIM standards for email protection. “These standards help verify if an email actually comes from the claimed sender,” he explained.
Miracco also advised ensuring that all website traffic is encrypted with SSL/TLS certificates to reduce the risk of interception and spoofing. Additionally, mobile apps should use attestation mechanisms to verify their integrity and monitor for phishing kits and fake domains.
Corwin suggested registering common variations and misspellings of existing domains to counter typosquatting and other similar tactics. “Brand monitoring services can help, but given the ease of creating phishing sites, the risk remains high,” he said.
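A sketch of the kind of check behind that advice, added here as an example and not taken from the study or from any vendor quoted in the article: it sorts observed domain names (for instance, from a newly registered domain feed) into typosquatting, combosquatting and TLD variations of a protected domain. The brand domain, the sample list and all function names are constructed for illustration, and the TLD handling assumes single-label suffixes.

```python
# Added example: classify observed domains as lookalikes of a protected brand domain.
# BRAND and OBSERVED are constructed sample values, not data from the study.
BRAND = "examplebank.com"
OBSERVED = [
    "examplebank.com", "login.examplebank.com", "exampelbank.com",
    "examp1ebank.com", "examplebank-login.com", "secure-examplebank.net",
    "examplebank.net", "weather-report.org",
]

def split_domain(domain):
    """Return (name, tld). Assumption: single-label TLDs, so 'co.uk' is not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) > 1 else (parts[0], "")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbouring letters
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brand_domain=BRAND, max_edits=1):
    brand, brand_tld = split_domain(brand_domain)
    name, tld = split_domain(candidate)
    if name == brand:
        # Same registrable name: either the real site (or a subdomain) or another TLD.
        return "legitimate" if tld == brand_tld else "tld-variation"
    if osa_distance(name, brand) <= max_edits:
        return "typosquat"   # misspelling of the brand name
    if brand in name:
        return "combosquat"  # brand name combined with extra words
    return "unrelated"

def scan(candidates, brand_domain=BRAND):
    """Return (domain, verdict) pairs worth registering defensively or monitoring."""
    verdicts = ((d, classify(d, brand_domain)) for d in candidates)
    return [(d, v) for d, v in verdicts if v not in ("legitimate", "unrelated")]

if __name__ == "__main__":
    for domain, verdict in scan(OBSERVED):
        print(f"{verdict:14} {domain}")
```

A threshold of one edit suits long brand names; short names need a stricter rule or an allowlist to keep false positives manageable.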
Miracco added that addressing website impersonation requires not only technological defenses but also a strong culture of security awareness among employees and customers. “As the threat evolves, a multi-faceted approach is necessary,” he said. “AI may one day provide solutions that can proactively prevent users from falling for fake sites.”