Brandjacking on Social Media and Beyond

Greg Mancusi-Ungaro


December 2, 2014

RM_1214_ff.brandriskRecruit employees on LinkedIn. Respond to customer queries on Twitter. Promote marketing initiatives on Facebook. These are tactics that brands execute day in and day out. We have become desensitized to the constant noise about promoting business with social media, and it has started to fade into the background. What's more, having a social media strategy is not a new idea, or even considered an advantage anymore—it is expected.

How brands should leverage social media is yesterday's conversation. Today, they need to be asking how to manage the risks. Social media is helping organizations extend their reach more than ever before, but these platforms have their limitations. As new channels emerge, so do new risks, and they often impact brand reputation.

Social Media: Riddled With Risk

We are already aware of some of the more obvious reputational risks presented by social media-for one, it has created new arenas for angry consumers and employees to voice their frustrations. It has also opened up greater potential for brands to inadvertently post confidential, personal or inappropriate information, as when U.S. Airways accidentally tweeted a pornographic image earlier this year in a cringe-worthy moment that immediately drew worldwide ridicule.

Social media platforms are also a new attack vector through which sophisticated hackers are wreaking havoc under trusted brand names. Pinterest users, for example, recently fell victim to scams that drew them to a third-party site selling counterfeit products. Fake social media profiles have even been used in international cyberespionage campaigns, where hackers impersonate the accounts of journalists or defense contractors, and distribute malware-ridden links to their targets.

When impersonators target well-known brands on social media, it not only puts customer information at risk, but also tarnishes the brand's reputation. One of the most infamous examples of Twitter "brandjacking" was the creation of @BPGlobalPR in 2010, intended to satirize and criticize BP's Gulf of Mexico oil spill. The account picked up speed among Twitter users at an astonishing rate and amassed more than 131,000 followers, while the official BP account (@BP_America) has just 97,000.

Brand Monitoring on Social Media

As these examples illustrate, close brand monitoring on social media is crucial. The good news is that most well-established brands are already taking the initiative, bringing in dedicated social media teams whose primary responsibility is to keep watch over these channels. But there is a common perception that, since Twitter is one of the top social media platforms, monitoring it means you are covered.

According to a study by social media analytics firm Simply Measured, 98% of top brands are active on Twitter, and 60% of these brands have followings of 100,000 or more, so exclusive focus on this channel seems logical in theory. But does it work in practice?

Research from BrandProtect discovered that it does not. In a quarterly analysis of business risk factors stemming from social media, the internet threat management company found that Twitter makes up only 34% of social media threats, dropping to 26% for significant risks that could cause substantial damage to brand reputation and require the full attention of security, compliance, risk management and legal teams. The other 66% to 73% of online brand risks originate from other sources.

Clearly, the Twitter-only monitoring mentality is a dangerous one—like locking the back door, but leaving the side door, front windows and garage wide open. Threats originate from everywhere, and if organizations want to reduce their risk profile, they must actively monitor all online channels, not just social media.

Beyond Social Media

Extending your monitoring to other social media platforms is a must, but simply adding Facebook, LinkedIn and Pinterest to the list of channels to oversee is still not enough. Think of all the other ways you engage with a brand outside of social media, like going directly to their website or using a mobile application. These are just two other channels that are primed for criminal exploit, as scammers can create new websites or apps that replicate the look and feel of legitimate ones. Much like the fake social media accounts, these channels may conceal malware.

And, with the increasingly sophisticated nature of cybercriminals today, all of these threats are likely interconnected with a fake website being supported by a fraudulent mobile app and a fake Twitter account, too. Just because one channel is covered does not mean cybercriminals are not targeting another with the same malicious intent.

Fraudulent mobile apps are particularly troublesome for the banking industry, which has shifted to online and mobile environments in recent years. Mobile banking presents greater potential for fraudulent criminal activity that puts customers' financial information in jeopardy, and puts the institution's reputation at risk. This is why groups like the Federal Financial Institution Examinations Council (FFIEC) have issued notices providing guidance on social media risk monitoring within financial institutions.

Multi-Channel Monitoring

The FFIEC's guidelines present a key takeaway that all brands should adopt when it comes to risk monitoring: "[Manage] risks associated with all types of consumer and customer communications, no matter the medium...[including] comments made by social media users, spoofs of institution communications, and activities in which fraudsters masquerade as the institution."

By taking a holistic, multi-channel approach to monitoring that spans every mode of communication between a brand and its audience, companies can ensure they are detecting and containing business risks before they lead to damage.

There are several options to choose from when building a multi-channel threat-monitoring practice. The ideal platform should deliver anti-phishing protection, mobile app monitoring and validation, domain inspection and social media monitoring that extends far beyond the publicly available feeds on Twitter and Facebook. This solution needs not just breadth and depth, but also an intuitive, workflow-based process for incident data capture and historical record keeping. Such a service should be able to create reports that keep the executive suite informed, and should be able to easily generate the documentation to satisfy a compliance audit.

The most important thing a company can do is begin taking steps to protect the brand, reputation and customers from brandjacking. Improving customer perceptions is one of the reasons businesses use social media. Criminals are taking advantage of the higher priority most companies are giving to online presence and perception. Incidents where trusted brands are stolen and used as bait are on the rise. Thus, concern over what you post is simply not enough. It is equally important to take a step back to really listen to what is out there in order to hear what is being said about, and done to, your brand.
Greg Mancusi-Ungaro is the chief marketing officer at BrandProtect.