Contents

1. How to Prevent Phishing Attacks
2. How do these phishing attacks work?
3. What’s the impact of these phishing attacks?
4. Loss of Customer Trust
5. Brand Reputation Damage
6. Financial and Legal Ramifications
7. Increased Customer Service Burden
8. Why are so few organizations responding to these phishing attacks?
9. How to prevent phishing attacks targeting your customers
10. Create a cross-departmental task force
11. Educate your customers
12. Regularly update and secure your website
13. Monitor your social media
14. Detect cybersquatting
15. Work with an anti-phishing and brand protection partner
16. What next?

Overview

This article explains phishing attacks through the specific lens of those which target your customers, including:

• How phishing attacks work
• How they exploit your customers and users, your brand, and your intellectual property (e.g., your website or app)
• What impact they can have
• Why so little is often done to counter them
• How to prevent them

Customer-Facing Phishing Attacks

Most phishing attacks will follow one of two strategies:

• Targeting employees with the goal of exfiltrating data from within your organization or gaining a foothold from which to cause further damage
• Targeting your organization’s customers and users with the goal of exfiltrating their personal data or causing them harm via malware deployment and other tactics

The strategy used depends on the nature of the threat actors carrying out the attack, their motives, and their objectives.

While the first strategy falls under the primary remit of your security team and is often well understood, less is known and practiced with regards to the second. Phishing attacks that target your customers are more nebulous. Not only can they be much harder to detect, classify, and remediate, addressing them requires a more diverse stakeholder mix (beyond the security team alone).

Phishing attacks that target your customers—be they buyers or users—can have far-reaching consequences. While the victims themselves often come to harm, sometimes financially, the organizations that are impersonated can suffer too. This may be a damaged reputation, surplus security remediation and customer service costs, compensation payouts and fines, or a mix of these effects.

Thankfully, there are now a range of phishing detection and disruption solutions to help you protect your customers and brand.

How Do Phishing Attacks Work?

Phishing attacks that target your customers use a mix of techniques to impersonate your organization and deceive individuals into providing sensitive information, such as passwords, payment card numbers, and other personally identifiable information (PII). These threats utilize lure messages—communications used to drive engagement—and may take place across a range of channels including email, phone calls (vishing), text messages (smishing), and social media. More novel means are also used, such as QR codes (quishing) and online forum comments. 

Many of these threat actors rely on phishing kits to build their campaigns. These kits come developed by more technically capable criminals and contain everything needed to set up suitable phishing attack infrastructure, including the functionality required to mimic websites and apps and exfiltrate user data. In essence, they’re a do-it-yourself (DIY) starter kit for anyone who wants to get started in cybercrime, regardless of their technical capability. Phishing kits lower the barrier to entry and enable threat actors to cause harm faster and more effectively than they would otherwise.

Phishing attacks use content that mirrors the brand style and user interface(s) from known and trusted organizations. High-value targets like banks, service providers, and even government agencies experience increased risk, along with popular and highly visible brands.

Typically, the kill chain for these types of phishing attacks follows this flow:

1. The threat actor deploys lure messages to draw their victims to a phishing website.
2. Victims visit the website and provide their personal information or credentials.
3. The threat actor harvests and exfiltrates victim data and stores it ready to either:
   1. Sell the stolen credentials on the dark web and develop the capital to invest in more sophisticated attacks.
   2. Use the stolen credentials to exfiltrate the victim’s finances.

What’s the Impact of These Phishing Attacks?

The direct victims–your customers–are not the only ones impacted by this type of external phishing attack. Organizations are affected by these threats in a number of ways.

Loss of Customer Trust

Trust is a key pillar for businesses, especially those that handle sensitive information, such as banks, e-commerce platforms, and online service providers. When customers fall victim to phishing attacks that misuse your brand, their trust can erode quickly; if they believe that interacting with your organization online puts them at risk, they are likely to look for alternatives where trust has a higher guarantee. 

According to Security Magazine, 75% of US consumers will sever ties with a brand in the aftermath of any cybersecurity issue, with 44% attributing cyber incidents to an organization’s lack of adequate security controls.

Brand Reputation Damage

Threat actors often use your organization’s brand assets and digital content to dupe your customers. Over time, consistent brand impersonation can tarnish your organization’s reputation. Negative press or social media backlash may paint your organization as either complicit in the attacks or ineffective in protecting customers. In all cases, brand protection solutions are required.

Financial and Legal Ramifications

If a customer falls victim to a phishing attack that uses your branding, the financial consequences can extend beyond the individual. Victims may file complaints, pursue legal action, or demand compensation for incurred losses. 

To maintain trust and provide the highest levels of service, most US financial institutions (though not yet required by regulation) reimburse customers who have lost money to fraud and scams. In the UK, regulations this year from the Payment Systems Regulator (PSR) require 50% of the sum lost to be covered by the sending institution and 50% by the receiving institution. Additional regulations will likely follow in other countries around the globe, increasing the financial responsibility of financial institutions. 

In some sectors, regulators may impose fines if an organization is found to lack adequate protections and response mechanisms. For industries that handle sensitive data, such as healthcare and finance, regulatory scrutiny is particularly intense.

Increased Customer Service Burden

Widespread phishing attacks of this nature may increase pressure on your customer service teams as victims flood your support channels with complaints, questions, and requests for help. This can divert resources away from regular customer service operations, increasing operational costs and reducing the standard of your customer care.

Why Do Organizations Struggle When Responding to External Phishing Threats?

Phishing disruption that focuses on your customers’ safety is essential to the long-term protection and longevity of your brand. As customers increasingly ask for more and for better, and as competition increases, this could make all the difference to your organization’s operational resilience. 

While there are many anti-phishing and anti-brand-abuse solutions available, like those provided by Netcraft, it’s also beneficial to recognize what blockers may exist within your organization. Doing so puts you in a much stronger position to identify and deploy the best solution, most effectively. 

Heavy Focus on Enterprise Cyber Threats

Enterprise cybersecurity threats that target employees and internal systems (i.e., attacks on the company, not externally) attract more attention and investment because of their immediate, tangible effects on business continuity. The impact of customer-facing phishing attacks is perceived as indirect, leading to less urgency and smaller budgets.

Lack of Integration with Existing Cybersecurity Strategies

There’s limited guidance on how to integrate customer phishing protection into the overall cybersecurity strategy. Often, customer-facing phishing attacks are treated as a marketing or legal concern, thus failing to gain cross-functional support. Lack of collaboration between IT, security, legal, and marketing teams can leave organizations particularly vulnerable to cyber security threats and reputational damage.

Limited Data and Confusion Around Solutions

Generally, the problem space surrounding customer-facing phishing attacks is poorly understood. This is exacerbated two-fold by a lack of convincing ROI data (i.e., the tangible benefits of investing in remediation) and a growing confusion caused by unclear or misleading product messaging. For all organizations—even those aware of the need for action, these factors complicate any efforts to tackle the threat.

By acknowledging these barriers and opening up discussions, you’re better positioned to tackle the threat with the following recommendations.

How to Prevent and Respond to Customer-Facing Phishing Attacks

A mix of tactics can help you prevent customer-facing phishing attacks.

Create a Cross-Departmental Task Force

The initial step to prevent phishing attacks targeting your customers is to recognize that action requires influence and buy-in from stakeholders across IT security, marketing, public relations, legal, and the C-suite. Bringing these individuals and teams together to build a collective strategy is essential to the continued success of any proactive measures.

Educate Your Customers

An informed customer base is the first line of defense against phishing. By educating your customers on the threat and helping them recognize malicious indicators, you can lower the risk of threat actors achieving their objectives. Customer awareness activities include:

• Direct communications, including emails, newsletters, and in-app notifications showing examples of real phishing attempts and providing step-by-step tips to differentiate between legitimate and fraudulent content.
• A dedicated page on your website containing information like the above, as well as how customers can report phishing attempts.
• Automated support that requires limited resources, such as website chatbots, can be used to provide real-time advice if they suspect they are being targeted.

Regularly Update and Secure Your Website

Ensuring that your own websites demonstrate the hallmarks of legitimate content can set the standard for what customers should expect when interacting with your brand. Actions include:

• SSL/TLS Certificates: Make sure your website has up-to-date SSL/TLS certificates to ensure secure communication between customers and your servers. A visible padlock in the browser’s address bar provides customers with assurance that they are on the legitimate website.
• Custom Domain Name Extensions: Consider using advanced domain extensions that are harder for criminals to spoof. For instance, if your website uses “.com,” attackers might create a phishing site with a similar domain, such as “.net” or “.co.”. Novel extensions can help make your domain less vulnerable to mimicry.

Monitor Social Media Platforms

Since some phishing attacks occur on social media platforms, it’s important to monitor mentions of your brand across these channels. Some organizations use social media monitoring tools to track conversations and flag any potential phishing scams distributed through these platforms. Timely intervention can prevent customers from falling victim.

Target Cybersquatting

Threat actors may register domain names identical or similar to legitimate examples. This is known as cybersquatting and is a common tactic used to dupe victims into interacting with content.

Registering variations of your domain name and key brand-related URLs through a cybersquatting protection service can help prevent them being acquired and used in phishing attacks. 

Work with an Anti-Phishing and Brand Protection Partner

Organizations like Netcraft specialize in detecting and preventing phishing attacks targeting your customers. Netcraft offers the industry’s fastest detection and takedown times, ensuring that phishing attacks mimicking your brand are identified and removed quickly, decreasing the risk of harm to your customers and your brand reputation. 

We’ve been delivering phishing disruption for over 10 years and have the strong partner relationships needed to ensure hosting providers act swiftly. Over time, with continued optimization, it’s possible to lower the rate of phishing attacks impersonating your brand as threat actors turn their attention towards low-hanging fruit—those organizations who fail to take proactive action.

What Next?

Preventing phishing attacks that target your customers requires a combination of internal collaboration, customer education, and security controls. Organizations that take proactive steps to detect and prevent phishing can not only protect their customers but also safeguard their own reputation and bottom line. 

By implementing a comprehensive anti-phishing strategy and working with a strong anti-phishing partner, you can make you and your customers the least attractive target by raising the cost of attack for threat actors.

To find out more about how to prevent phishing attacks, read our guide here.