Brand impersonation

Brand impersonation combines lookalike domains with cloned visual identity to deceive users at scale. This guide covers the domain techniques attackers use, the brands targeted most often, detection methods ranging from string similarity to computer vision, and strategies for response.


What it is

Brand impersonation is the use of a brand's name, logos, visual design, and other identity elements on attacker-controlled infrastructure to deceive users into believing they are interacting with a legitimate organization. It is broader than typosquatting in that typosquatting focuses on the domain name itself, while brand impersonation encompasses the full experience, including page content, visual identity, and email templates.

An impersonation attack might combine any number of domain techniques (typosquat, combosquat, exact-match on a different TLD, homoglyph substitution) with cloned web content and stolen brand assets. A domain that is one transposition away from a bank's real address becomes far more dangerous when the page behind it replicates the bank's login screen pixel for pixel.

Scale of the problem

Brand impersonation is not a niche threat. The Anti-Phishing Working Group (APWG) records over a million phishing attacks per quarter, with brand impersonation as the dominant tactic. In any given twelve-month period, well over a million unique domain names are reported for phishing, targeting thousands of distinct brands. Brand impersonation accounts for roughly half of all browser-based phishing attempts.

The economics of domain registration make the problem worse. Interisle Consulting's 2024 phishing landscape study found that 42% of all phishing domains were registered in new gTLDs, many priced under $2. The cheapest TLDs (.sbs, .top, .support, .bond, .lol) had the highest abuse rates. Bulk registration services accounted for 27% of phishing domains, with some campaigns registering over 17,000 domains in under eight hours. When a domain costs less than a dollar and can be registered programmatically, the barrier to launching a brand impersonation campaign is negligible.

Most targeted brands

Quarterly brand phishing reports consistently place technology and logistics companies at the top of the list. Microsoft typically accounts for 20 to 40% of all brand phishing attempts, followed by Google, Apple, and major logistics brands. The concentration on identity providers is logical. A compromised Microsoft 365 or Google Workspace account unlocks email, cloud storage, collaboration tools, and single sign-on flows that cascade into connected applications.

Shipping and logistics companies form the second major cluster. DHL has ranked as the single most impersonated brand globally in some quarters, representing over 20% of all phishing attempts. Campaigns use domains like dhl-login-check[.]org to harvest credentials, email addresses, phone numbers, and home addresses. DHL is also the most impersonated brand in QR-code phishing campaigns. Shipping notifications create urgency and reach a broad audience, making them effective pretexts regardless of whether the recipient actually expects a package.

Financial institutions, social media platforms, and streaming services round out the top targets. Facebook and Netflix appear persistently in phishing brand rankings. The common thread is a large user base, a login page that users visit frequently, and credentials that have high resale or lateral-movement value.

The domain techniques used in these campaigns vary by target. Technology brands attract homoglyph and omission variants of their short, well-known names. Logistics brands tend to attract combosquats and keyword squats that pair the brand name with words like "tracking", "delivery", or "parcel". IDN homograph attacks using punycode and internationalized domain names add another dimension, particularly for brands with global audiences.

Attack surface beyond domains

Brand impersonation extends across multiple channels:

  • Domain-based. Lookalike domains hosting cloned login pages, product pages, or support portals. Techniques include TLD squatting, keyword squatting, hyphenation, and subdomain takeover.
  • Email. Spoofed or lookalike sender addresses paired with brand-matching HTML templates. DMARC enforcement prevents exact-domain spoofing but does not stop lookalike-domain email, which is why attackers register impersonation domains in the first place.
  • Search ads and SEO poisoning. Purchasing ads for brand keywords that link to impersonation sites, appearing above organic results. Some campaigns also use SEO techniques to rank impersonation pages for branded search terms.
  • Subdomain services. Hundreds of thousands of phishing attacks abuse subdomain resellers each year, and the number continues to grow. An attacker can create microsoft-login.example.pages.dev without registering a domain at all.

Attackers frequently combine channels. A phishing email linking to a lookalike domain that serves a cloned login page is the canonical pattern behind business email compromise campaigns.

Detection signals

Identifying domain-based brand impersonation requires combining multiple signals, since no single indicator is reliable in isolation.

  • String similarity. The domain name is confusable with the brand through typosquatting, homoglyph substitution, combosquatting, or TLD variation. Permutation generators enumerate these variants systematically.
  • Certificate Transparency logs. TLS certificates issued for domains containing the brand name or confusable variants. A TLS certificate for a lookalike domain is a strong signal that the domain is preparing to serve HTTPS content.
  • Visual similarity analysis. Screenshot comparison and machine learning classifiers detect pages that replicate a brand's visual identity. Research systems decompose the problem into logo detection and brand recognition stages using deep learning. Evaluations on hundreds of thousands of real-world phishing sites show that visual similarity models perform significantly worse on real-world data than on curated benchmarks, highlighting the ongoing arms race between detection and evasion.
  • Registration recency. Newly registered domains carry higher risk. WHOIS and RDAP data reveal registration age, and the APWG notes that 77% of phishing domains are maliciously registered rather than compromised from legitimate owners.
  • Hosting infrastructure. Impersonation sites frequently use shared hosting, CDN fronting, or providers with weak abuse enforcement. Industry analysis shows that most of the top hosting providers used by phishers are US-based cloud platforms, with major cloud providers accounting for a substantial share of abused hosting instances.

The false positive challenge

False positives are the primary operational burden. Legitimate entities (authorized resellers, news outlets, comparison sites, fan communities) may use brand names in their domains and display brand logos on their pages. A domain like microsoft-alternatives.com is not impersonation; a domain like mircosoft-login.com almost certainly is. The distinction often hinges on intent, which cannot be inferred from a domain name alone.

Scale compounds the difficulty. A major consumer brand may have thousands of domains registered that contain or resemble its name. Monitoring all of them requires automation, but prioritizing which domains warrant action requires combining the signals listed above rather than relying on any single indicator. A 2024 evaluation of visual similarity models against 451,000 real-world phishing pages underscores this point. Attackers evade single-signal detection through logo manipulation, layout changes, and hosting on otherwise legitimate platforms. Domain threat intelligence platforms that correlate registration data, DNS records, certificate issuance, and page content reduce the triage burden by surfacing convergent evidence rather than isolated flags.
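One way to turn the signals above into a triage score, as an added example that is not the page's or any vendor's code. The weights, thresholds and the three sample records are constructed for illustration; the two contrasted domains are the ones the text discusses, plus a parked homoglyph that has not yet served content.

```python
"""Multi-signal triage of candidate brand-impersonation domains (added example).

Combines the page's signals (string confusability, CT certificate issuance,
registration recency, visual similarity, hosting reputation, page content)
into one score. Weights, thresholds and sample records are constructed.
"""
from dataclasses import dataclass


@dataclass
class Candidate:
    domain: str
    registered_days_ago: int   # from RDAP/WHOIS
    ct_cert_seen: bool         # a certificate for the name appears in CT logs
    visual_similarity: float   # 0.0-1.0 from a screenshot/logo comparison
    hosting_abuse_prone: bool  # provider known for weak abuse handling
    has_login_form: bool       # page content presents a credential form


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def confusability(domain: str, brand: str) -> float:
    """1.0 for a near-miss spelling of the brand (1-2 edits in one hyphen token),
    0.5 when the exact brand string merely appears in the label (could be a
    reseller or news site), 0.0 otherwise. A misspelling is the stronger signal."""
    label = domain.split(".")[0].lower()
    best = min(levenshtein(tok, brand) for tok in label.split("-"))
    if 1 <= best <= 2:
        return 1.0
    return 0.5 if best == 0 or brand in label else 0.0


def triage(c: Candidate, brand: str) -> tuple:
    """Return (score out of 100, verdict). No single signal can reach 'escalate'."""
    score = (25 * confusability(c.domain, brand)
             + 10 * c.ct_cert_seen
             + 20 * (c.registered_days_ago <= 30)
             + 25 * c.visual_similarity
             + 10 * c.hosting_abuse_prone
             + 10 * c.has_login_form)
    verdict = "escalate" if score >= 60 else "review" if score >= 30 else "monitor"
    return score, verdict


# Constructed records: the two domains the text contrasts, plus a parked homoglyph.
SAMPLES = [
    Candidate("mircosoft-login.com", 3, True, 0.92, True, True),
    Candidate("microsoft-alternatives.com", 2000, True, 0.15, False, False),
    Candidate("rnicrosoft.com", 10, False, 0.0, False, False),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.domain, *triage(c, "microsoft"))
```

The parked homoglyph lands in "review" rather than "escalate": a freshly registered lookalike with no content yet is worth watching, but the convergent evidence needed for a takedown request is not there.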

Response options

Once an impersonation domain is confirmed, several enforcement paths exist:

  • Domain takedown. UDRP, URS, or direct abuse complaints to the registrar (see brand protection enforcement).
  • Hosting abuse reports. Contacting the hosting provider to remove content.
  • Certificate revocation. Reporting fraudulent certificates to the issuing CA.
  • Search engine deindexing. Requesting removal of impersonation sites from search results via abuse channels.
  • Defensive registration. Proactively registering high-risk permutations before attackers do.

A comprehensive brand protection strategy coordinates these response channels with ongoing domain monitoring to minimize the window between detection and takedown. Jurisdiction complicates response; impersonation sites hosted in jurisdictions with slow abuse-handling processes or unresponsive registrars can persist for weeks. Speed matters: although the median lifespan of a phishing site is short, the damage from credential theft occurs within the first hours.

Monitoring with Have I Been Squatted

Have I Been Squatted approaches brand impersonation from the domain layer. For each monitored domain, the platform generates permutations across categories including omission, transposition, homoglyphs, addition, vowel swap, and combosquatting, then checks each variant against registration data. The extended Certificate Transparency search surfaces certificates issued for brand-adjacent domains that permutation lists alone might miss. Registered domains are enriched with DNS, HTTP banner, RDAP, and screenshot data, providing the multi-signal view that effective brand impersonation detection requires.
