This article explains phishing attacks through the specific lens of those which target your customers, including:
Most phishing attacks will follow one of two strategies:
The strategy used depends on the nature of the threat actors carrying out the attack, their motives, and their objectives.
While the first strategy falls under the primary remit of your security team and is often well understood, less is known and practiced with regard to the second. Phishing attacks that target your customers are more nebulous. Not only can they be much harder to detect, classify, and remediate, but addressing them also requires a more diverse stakeholder mix (beyond the security team alone).
Phishing attacks that target your customers—be they buyers or users—can have far-reaching consequences. While the victims themselves often come to harm, sometimes financially, the organizations that are impersonated can suffer too. This may be a damaged reputation, additional security remediation and customer service costs, compensation payouts and fines, or a mix of these effects.
Thankfully, there are now a range of phishing detection and disruption solutions to help you protect your customers and brand.
Phishing attacks that target your customers use a mix of techniques to impersonate your organization and deceive individuals into providing sensitive information, such as passwords, payment card numbers, and other personally identifiable information (PII). These threats utilize lure messages—communications used to drive engagement—and may take place across a range of channels including email, phone calls (vishing), text messages (smishing), and social media. More novel means are also used, such as QR codes (quishing) and online forum comments.
Many of these threat actors rely on phishing kits to build their campaigns. These kits are developed by more technically capable criminals and contain everything needed to set up phishing attack infrastructure, including the functionality required to mimic websites and apps and to exfiltrate user data. In essence, they’re a do-it-yourself (DIY) starter kit for anyone who wants to get started in cybercrime, regardless of their technical capability. Phishing kits lower the barrier to entry and enable threat actors to cause harm faster and more effectively than they otherwise could.
Phishing attacks use content that mirrors the brand style and user interface(s) from known and trusted organizations. High-value targets like banks, service providers, and even government agencies experience increased risk, along with popular and highly visible brands.
Typically, the kill chain for these types of phishing attacks follows this flow:
The direct victims, your customers, are not the only ones impacted by this type of external phishing attack. Organizations are affected by these threats in a number of ways.
Trust is a key pillar for businesses, especially those that handle sensitive information, such as banks, e-commerce platforms, and online service providers. When customers fall victim to phishing attacks that misuse your brand, their trust can erode quickly; if they believe that interacting with your organization online puts them at risk, they are likely to look for alternatives where trust has a higher guarantee.
According to Security Magazine, 75% of US consumers will sever ties with a brand in the aftermath of any cybersecurity issue, with 44% attributing cyber incidents to an organization’s lack of adequate security controls.
Threat actors often use your organization’s brand assets and digital content to dupe your customers. Over time, consistent brand impersonation can tarnish your organization’s reputation. Negative press or social media backlash may paint your organization as either complicit in the attacks or ineffective in protecting customers. In all cases, brand protection solutions are required.
If a customer falls victim to a phishing attack that uses your branding, the financial consequences can extend beyond the individual. Victims may file complaints, pursue legal action, or demand compensation for incurred losses.
To maintain trust and provide the highest levels of service, most US financial institutions (though not yet required by regulation) reimburse customers who have lost money to fraud and scams. In the UK, regulations this year from the Payment Systems Regulator (PSR) require 50% of the sum lost to be covered by the sending institution and 50% by the receiving institution. Additional regulations will likely follow in other countries around the globe, increasing the financial responsibility of financial institutions.
In some sectors, regulators may impose fines if an organization is found to lack adequate protections and response mechanisms. For industries that handle sensitive data, such as healthcare and finance, regulatory scrutiny is particularly intense.
Widespread phishing attacks of this nature may increase pressure on your customer service teams as victims flood your support channels with complaints, questions, and requests for help. This can divert resources away from regular customer service operations, increasing operational costs and reducing the standard of your customer care.
Phishing disruption that focuses on your customers’ safety is essential to the long-term protection and longevity of your brand. As customers increasingly expect more, and better, from the organizations they deal with, and as competition increases, this could make all the difference to your organization’s operational resilience.
While there are many anti-phishing and anti-brand-abuse solutions available, like those provided by Netcraft, it’s also beneficial to recognize what blockers may exist within your organization. Doing so puts you in a much stronger position to identify and deploy the best solution, most effectively.
Enterprise cybersecurity threats that target employees and internal systems (i.e., attacks on the company itself rather than on its customers) attract more attention and investment because of their immediate, tangible effects on business continuity. The impact of customer-facing phishing attacks is perceived as indirect, leading to less urgency and smaller budgets.
There’s limited guidance on how to integrate customer phishing protection into the overall cybersecurity strategy. Often, customer-facing phishing attacks are treated as a marketing or legal concern, thus failing to gain cross-functional support. Lack of collaboration between IT, security, legal, and marketing teams can leave organizations particularly vulnerable to cyber security threats and reputational damage.
Generally, the problem space surrounding customer-facing phishing attacks is poorly understood. This is exacerbated two-fold by a lack of convincing ROI data (i.e., the tangible benefits of investing in remediation) and by growing confusion caused by unclear or misleading product messaging. For all organizations, even those aware of the need for action, these factors complicate any efforts to tackle the threat.
By acknowledging these barriers and opening up discussions, you’re better positioned to tackle the threat with the following recommendations.
A mix of tactics can help you prevent customer-facing phishing attacks.
The initial step to prevent phishing attacks targeting your customers is to recognize that action requires influence and buy-in from stakeholders across IT security, marketing, public relations, legal, and the C-suite. Bringing these individuals and teams together to build a collective strategy is essential to the continued success of any proactive measures.
An informed customer base is the first line of defense against phishing. By educating your customers on the threat and helping them recognize malicious indicators, you can lower the risk of threat actors achieving their objectives. Customer awareness activities include:
Ensuring that your own websites demonstrate the hallmarks of legitimate content can set the standard for what customers should expect when interacting with your brand. Actions include:
Since some phishing attacks occur on social media platforms, it’s important to monitor mentions of your brand across these channels. Some organizations use social media monitoring tools to track conversations and flag any potential phishing scams distributed through these platforms. Timely intervention can prevent customers from falling victim.
Threat actors may register domain names identical or confusingly similar to legitimate ones. This is known as cybersquatting and is a common tactic used to dupe victims into interacting with malicious content.
Registering variations of your domain name and key brand-related URLs through a cybersquatting protection service can help prevent them from being acquired and used in phishing attacks.
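The domain variations described above can be enumerated in advance so that they can be registered defensively or watched for in new registrations and certificate transparency logs. The following is an added example, not Netcraft's code; it assumes a constructed brand domain and a small, non-exhaustive table of confusable characters.

```python
# Added example (not from the article): enumerate lookalike variants of a brand
# domain for defensive registration or monitoring. The brand domain and the
# "observed" names in the test are constructed for illustration.
import itertools

# Visually or typographically confusable substitutions (assumed, not exhaustive).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
# Alternative TLDs commonly registered alongside the primary one (assumed list).
TLD_SWAPS = ["com", "net", "org", "co"]


def lookalike_candidates(domain):
    """Return the set of plausible cybersquat variants of 'label.tld'."""
    label, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i in range(len(label)):                      # omission: one char dropped
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition: adjacent swap
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                   # homoglyph: confusable char
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])
    for i in range(1, len(label)):                   # hyphenation: "example-bank"
        variants.add(label[:i] + "-" + label[i:])
    for i in range(len(label)):                      # repetition: one char doubled
        variants.add(label[:i] + label[i] + label[i:])
    variants.discard(label)
    # Cross every label variant (and the genuine label) with each TLD; the
    # genuine domain itself is removed so it is never flagged.
    candidates = {f"{l}.{t}" for l, t in
                  itertools.product(variants | {label}, set(TLD_SWAPS) | {tld})}
    candidates.discard(domain.lower())
    return candidates


def flag_observed(observed, domain):
    """Return, sorted, the observed names that match a lookalike of the brand."""
    cands = lookalike_candidates(domain)
    return sorted(d for d in observed if d.lower() in cands)
```

The returned set is the watch list to compare against daily registration feeds or certificate logs; hits from flag_observed() are candidates for takedown, not proof of abuse on their own.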
Organizations like Netcraft specialize in detecting and preventing phishing attacks targeting your customers. Netcraft offers the industry’s fastest detection and takedown times, ensuring that phishing attacks mimicking your brand are identified and removed quickly, decreasing the risk of harm to your customers and your brand reputation.
We’ve been delivering phishing disruption for over 10 years and have the strong partner relationships needed to ensure hosting providers act swiftly. Over time, with continued optimization, it’s possible to lower the rate of phishing attacks impersonating your brand as threat actors turn their attention towards low-hanging fruit—those organizations who fail to take proactive action.
Preventing phishing attacks that target your customers requires a combination of internal collaboration, customer education, and security controls. Organizations that take proactive steps to detect and prevent phishing can not only protect their customers but also safeguard their own reputation and bottom line.
By implementing a comprehensive anti-phishing strategy and working with a strong anti-phishing partner, you can make you and your customers the least attractive target by raising the cost of attack for threat actors.
To find out more about how to prevent phishing attacks, read our guide here.