AI's Dual Role in SMB Brand Spoofing

Artificial intelligence (AI) is simultaneously making it easier for adversaries to pull off brand spoofing and easier for organizations to block spoofing and other threats. Both usages have significant implications for small to midsize businesses (SMBs).

Brand impersonation is typically associated with major brand names that are widely recognizable, but any brand, large or small, can be targeted. In fact, it's arguably easier and potentially more effective for adversaries to impersonate a small local credit union than a large entity like Bank of America. That's becoming even more likely with AI making it easier to collect and generate fake content.

However, AI is not just a tool in the attacker arsenal. Security architects are fighting back by designing security tools that use AI to detect and block impersonation attacks. This gives organizations, especially SMBs with limited budgets and resources, a boost in their abilities to fight back.

Impersonating SMBs Online

According to data provided to Dark Reading by Check Point Software, businesses with 100 or fewer employees have faced an average of 255 cyberattacks per week this year. Among them, brand spoofing is one of the most pernicious. That spoofing campaign against Bank of America won't even dent the banking giant's bottom line, but the same attack against a tiny credit union could cause serious and lasting damage.

"There's the potential degradation of trust and reputation, as consumers may feel the brand isn't reliable or safe," explains Jeremy Fuchs, Harmony Email analyst at Check Point. "There's also the potential loss of funds. Take a small clothing company. If someone wants to buy a T-shirt but instead 'buys it' from a spoof, the business is losing out on money. Finally, when a brand is spoofed, it can lead to email providers, like Google or Yahoo, blocking legitimate messages, such as for email marketing."

This is especially worrisome because a smaller brand — whether it's a local bank, doctor, law firm, or anything else — is actually easier for hackers to spoof than a larger one, Fuchs explains. Not only do they lack time, money, and personnel to invest in cybersecurity, but oftentimes "small businesses just aren't expecting it," he says. Both small businesses and customers assume that the target is going to be on the larger organization's back. Customers, if they're aware of the threat at all, may assume they are safer because they are using a smaller bank.  

Historically, SMBs have had one thing going for them: Phishing campaigns took time and effort to craft so, from an attacker's perspective, it might have felt like a bigger bang for their buck to target larger organizations with wider audiences. This is no longer the case, however, thanks to generative AI. Hackers can now use chatbots to whip up convincing emails mimicking any business in minutes flat.

Preventing Brand Spoofing

While attackers were able to quickly start using AI to improve the quality and efficiency of impersonation attacks, it's taking a little longer for security engineers to harness the same technology for their defenses.

Imagine, for example, that you want to use AI to detect spoofing attacks against Microsoft. You'd need to train an algorithm to distinguish legitimate and fake URLs, iconography, content, and other elements associated not just with the company as a whole, but also all of its various products, subsidiaries, the public figures behind them, and so on. It would be an involved project, even though Microsoft would be considered an easy one due to the amount of training data and content available.

"The real challenge is how to identify small businesses," explains Dan Karpati, Check Point's vice president of AI technologies. "Everyone's familiar with the big ones — the top sites in the US and other major countries — but how do we know about a store in a small village in Spain or Lisbon?"

Microsoft researchers made early inroads into the problem back in 2021, training a neural network on 1,000 brand impersonation attacks and generating mathematical representations of brand identities based on nearest neighbor classifications.

The system Karpati designed works in a similar fashion, first by automatically gathering data from a URL and the content of a legitimate Web page.

"It can be the URL, favicon, [data] inside of the HTML, copyrights, links in the sites, pictures — a lot of features," he explains. "Each time that we collect telemetry about a site, we open a new cluster. And if you mark it as benign, OK, now we have some sense of how benign looks for this brand. [Then], every time that we observe new access to a site, we extract its features and we ask — automatically — 'Is this access with these features that we extracted from the browser or on the network aligned with what we recorded about the cluster?'"

In other words, with a model for what a brand's domain structure, iconography, and content should look like, new sites that pop up with largely similar but slightly different features can be flagged as spoofs.

Because the system is cloud-based and AI-driven, it can apply this same process across just about any company with an online presence. According to Check Point, this system protects thousands of organizations in hundreds of countries every month.

Non-AI Ways to Fight Back

Besides AI, there are other solutions companies can implement to make the job of impersonating them more difficult and less profitable for hackers.

For example, there's Domain-based Message Authentication, Reporting & Conformance (DMARC), the email verification protocol often required of larger organizations but which smaller ones tend to overlook. Ironically, it's far easier for a small business to be DMARC-compliant than a larger one.

"You have to be able to track all your domains, and for some companies that have hundreds, it can be difficult. If you have one domain, it takes like 20 minutes," Fuchs points out. "DMARC can be a huge undertaking depending on how many domains you have, but it is a worthwhile project. It's a huge step in making sure that when somebody gets an email from you, it's coming from you or not from somebody who appears just like you."

And simply communicating with customers and vendors always helps, whether it be through helpful cyber hygiene tips and resources, or regular notices: "We'll never ask you for this code," "We'll never send you an email like this," and the like.

"Having both of those measures, and having that kind of open and honest culture — like, 'This is a problem, we're trying to fix it, here's how we're doing it, and here's how you can help us' — makes you a candidate for better outcomes," Fuchs says.