Brandjacking Explained: Definition, Risks & Prevention

Define brandjacking and understand its risks. Learn how to identify typosquatting, protect your reputation, and implement technical safeguards.

Brandjacking is the unauthorized use of a company’s identity to deceive others or acquire its brand equity. It involves assuming a brand's online presence, including logos and names, for malicious, political, or financial reasons. For marketers, brandjacking is a significant threat because it exploits your hard-earned reputation to bypass customer skepticism and security filters.

What is brandjacking?

The term combines "branding" and "hijacking." It refers to an individual or group taking possession of an entity's identity to siphon its reputation. [The term appeared in Business Week in 2007] (Wikipedia) and was coined by the firm MarkMonitor.

Unlike simple trademark violations, brandjacking is often indirect. A brandjacker might use a politician's or celebrity's name to damage their reputation rather than steal money directly. However, for businesses, this often translates to lost sales and reduced share prices.

Why brandjacking matters

Brandjacking is more than a PR headache; it is a cybersecurity and SEO risk. It creates several specific operational dangers:

  • Bypasses traditional security: Because attackers operate outside your network on social media or spoofed domains, internal firewalls cannot stop them.
  • Erodes customer trust: Customers who fall for a brandjacking scam often associate the frustration or financial loss with the legitimate brand.
  • SEO impact: Sophisticated brandjacking can result in spoofed websites appearing higher in search results than the authentic site.
  • Financial destruction: A single incident can cause immediate market damage. [Eli Lilly lost billions in market value after a fake "free insulin" tweet] (Mailchimp) was posted by a verified impersonator.
  • Operational costs: Teams must spend significant resources on incident response, legal fees, and expensive advertising to reclaim their brand's search position.

How brandjacking works

Attackers typically follow a three-phase process to hijack a brand's identity.

  1. Reconnaissance: Attackers research the brand’s digital footprint. They look for abandoned subdomains, social media handles that haven't been claimed, and common domain misspellings.
  2. Asset Creation: The attacker builds "shadow" assets. This includes registering "typosquatting" domains (like "amazom.com") or creating social profiles using stolen logos and brand colors.
  3. Distribution: The assets are used to launch campaigns. This might involve sending phishing emails to your customers or bidding on your brand keywords in search engines to redirect traffic to a fake store.

Types of brandjacking

  • Cybersquatting: Registering domain names related to a brand in bad faith to profit from its reputation or prevent the brand from using them.
  • Typosquatting: Creating websites with slightly misspelled versions of popular domains to capture traffic from users who make typing errors.
  • Social Media Impersonation: Creating fake accounts to mislead followers or post damaging content. [A fake BP PR account gained twice as many followers as the official profile] (HubSpot) during the 2010 oil spill crisis.
  • Affiliate Brand Bidding: Marketers bid on a brand’s keywords to appear as a competitor and redirect potential customers.
  • Counterfeit Product Promotion: Selling fake goods using a brand's name. [The global counterfeit industry is worth over $1.2 trillion] (Litton Legal).
  • Subdomain Takeover: Gaining control of legitimate but abandoned subdomains, such as "old-portal.example.com."

Best practices

Managing your brand identity requires proactive monitoring and technical safeguards.

  • Register variations early: Purchase common misspellings and various domain extensions (.net, .org, .biz) and redirect them to your main site.
  • Claim social handles: Even if you do not plan to use a platform, register your brand name on all major social networks to prevent others from taking them.
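  • Implement email authentication: Use DMARC, DKIM, and SPF records. These technical controls let receiving mail servers detect and reject emails that falsely claim to originate from your domain. They do not cover mail sent from lookalike domains, which is why domain monitoring is a separate control.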
  • Monitor search results: Regularly check for unauthorized ads bidding on your brand terms and spoofed sites appearing in the SERPs.
  • Use automated tools: Deploy monitoring services that alert you to new domain registrations or social media mentions containing your brand name.
  • Register your trademark: Formal registration provides a legal basis for "cease and desist" letters and helps with domain disputes through regulatory bodies like auDA.

Common mistakes

Mistake: Ignoring unauthorized parody accounts. Fix: Monitor these accounts closely. While some are harmless, they can quickly mislead customers or be sold to malicious actors.

Mistake: Attempting to censor critics too aggressively. Fix: Be aware of the "Streisand Effect." Nestlé’s attempt to remove a critical Greenpeace video resulted in the video being moved to Vimeo and receiving even more attention via Twitter.

Mistake: Treating brandjacking as purely a marketing problem. Fix: Integrate brand protection into your cybersecurity risk assessment. External brand assets are part of your attack surface.

Mistake: Waiting for a total takedown before warning customers. Fix: Use alerts on your own site to warn customers about known spoofing attempts while you work with registrars to remove the fake content.

Examples

Eli Lilly: A fake account with a paid "verified" checkmark tweeted that insulin would be free. This led to a massive stock price drop and forced the company to issue a public apology.

Mattel: Activists used brandjacking to protest the company’s supply chain. Greenpeace used Barbie and Ken dolls in videos and stunts, including a fake Twitter feud. [Half a million people sent protest emails to Mattel] (Wikipedia), eventually forcing a change in corporate policy.

College Prowler: The company created hundreds of Facebook groups pretending to be for official first-year college students. The goal was to collect personal data from students who believed the groups were sanctioned by their universities.

Nestlé: Greenpeace parodied Nestlé's "Take a Break" KitKat ads to protest palm oil use. When Nestlé tried to remove the video, protesters used the brand’s own font and colors on physical signs at headquarters to further the campaign.

FAQ

How does brandjacking differ from phishing?

Phishing is a specific tactic used to steal credentials or data, often via email. Brandjacking is a broader strategy that involves stealing an entire brand identity. Phishing is frequently an outcome or a phase of a brandjacking attack, but brandjacking can also include parody, political protesting, and selling counterfeit goods.

How can I detect if my brand is being jacked?

Monitor for spikes in social media mentions from unverified accounts and look for unusual domain registrations that include your brand name. Watch for customer complaints regarding communications you didn't send. You can also set up Google Alerts for "[Your Brand] + scam" to see what users are saying.
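
An added example, not part of the original article: one way to triage a feed of newly registered domains for names that resemble your brand, covering typos, look-alike characters, and brand-keyword combinations. The feed is constructed sample data, the function names are hypothetical, and the confusable-character table is a small illustrative set.

```python
# Visually confusable sequences folded to plain letters before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def fold(label):
    label = label.lower()
    for seq, plain in CONFUSABLES:
        label = label.replace(seq, plain)
    return label

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[len(b)]

def classify(domain, brand, owned):
    """Return why `domain` resembles `brand`, or None. `owned` = your own domains."""
    domain = domain.lower().rstrip(".")
    if domain in owned:
        return None
    label = domain.split(".")[0]  # assumption: the feed lists registrable domains
    if label == brand:
        return "same name, other TLD"
    folded, target = fold(label), fold(brand)
    if folded == target:
        return "homoglyph"
    if edit_distance(folded, target) == 1:
        return "typo"
    if target in folded:
        return "brand keyword"
    return None

def scan(feed, brand, owned):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    results = ((d, classify(d, brand, owned)) for d in feed)
    return {d: reason for d, reason in results if reason}

# Constructed sample feed; the brand is the placeholder "example".
NEW_REGISTRATIONS = ["examp1e.com", "exmaple.net", "exarnple.org",
                     "example-login.com", "example.net", "unrelated.org",
                     "example.com"]
```

A distance threshold of 1 suits brand names of six or more characters; shorter names produce many false positives and need a manual review step.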

Can I stop a brandjacker legally?

Yes, if you have registered trademarks and logos. You can issue cease and desist letters or file disputes with domain registrars. However, legal action can be slow and expensive, especially if the attackers operate in a different country, so technical prevention is often more effective.

What should I do if I find a spoofed version of my website?

First, document the site for legal evidence. Then, contact the domain registrar and the hosting provider to request a takedown for trademark infringement or phishing. Simultaneously, notify your customers via your official channels that a fake site exists to prevent further data theft.

Does brandjacking affect SEO?

Yes. If an attacker creates a spoofed site that is technically well-optimized, it can outrank your legitimate pages for certain terms. Furthermore, malicious search ads appearing for your brand terms can siphon away high-intent traffic and increase your own CPC (cost-per-click) advertising costs.
