5 Signs Your Brand Is Being Targeted by Phishing Attacks

Here's an uncomfortable truth: someone might be using your brand to scam people right now, and you'd have no idea.

Brand-targeted phishing — where attackers impersonate a legitimate business to deceive its customers — is one of the fastest-growing cybersecurity threats facing small and medium-sized businesses. And unlike a data breach or ransomware attack that hits your systems, brand phishing often happens entirely outside your infrastructure. The fraudulent emails, fake websites, and spoofed social accounts all exist on someone else's servers, targeting your customers while you remain blissfully unaware.

The good news? Brand phishing campaigns leave fingerprints. If you know what to look for, you can catch impersonation early — often before significant damage is done. Here are five warning signs that your brand is being targeted, and what to do when you spot them.

Sign 1: Customers Are Asking About Emails You Never Sent

This is often the first — and most telling — indicator.

It starts with a trickle. A customer replies to what they think is your email, asking about a promotion you never ran. Someone calls your support line to confirm a password reset they didn't request. A long-time client forwards you a suspicious-looking invoice with your logo on it.

These aren't random events. When customers contact you about communications you didn't send, it almost always means one of two things:

1. Your email domain is being spoofed — Someone is sending emails that appear to come from your exact domain (e.g., billing@yourbrand.com), exploiting weak or missing email authentication.
2. A lookalike domain is in play — Someone has registered a domain similar to yours (e.g., yourbrand-billing.com or yourbr4nd.com) and is sending emails from it.

What to Do

• Take every report seriously. Ask customers to forward the suspicious email with full headers. The headers contain routing information that reveals the true sender.
• Check your DMARC reports. If you have DMARC configured (and you should — see below), your aggregate reports will show authentication failures that indicate spoofing attempts.
• Search for recently registered lookalike domains. Use a domain monitoring tool or manually check WHOIS databases for variations of your brand name.

If you don't have DMARC set up yet: This is your wake-up call. DMARC, combined with SPF and DKIM, is the single most effective defence against email domain spoofing. At a p=reject policy, it instructs receiving email servers to block messages that fail authentication — essentially shutting down direct domain spoofing.

Sign 2: Unusual Spikes in Customer Support Tickets

Brand phishing campaigns don't affect one customer at a time. They're launched in waves — hundreds or thousands of phishing emails sent in a single blast, or a fake website that captures traffic over days or weeks.

The support ticket pattern is distinctive:

• Volume spike: A noticeable increase in tickets over a short period, often with a cluster of similar complaints
• Unfamiliar issues: Customers reporting problems with transactions, account changes, or communications that don't correspond to anything in your systems
• Emotional escalation: Higher-than-normal levels of frustration, fear, or anger — customers who believe they've been scammed aren't just annoyed, they're distressed
• Geographic clustering: If the phishing campaign targets a specific region (common with localised attacks), you may see tickets concentrated from one area

What to Do

• Create a tagging system for support tickets that might be phishing-related. This helps you track volume and identify patterns.
• Develop a standard response template that acknowledges the customer's concern, confirms it wasn't from your business, and provides guidance on protecting themselves (changing passwords, monitoring bank statements, etc.).
• Escalate internally immediately. A spike in phishing-related support tickets means there's an active campaign running. The sooner you investigate, the sooner you can initiate a takedown.
• Document everything. Screenshots, forwarded emails, customer reports, and timestamps all become evidence if you need to file abuse reports or pursue legal action.

Sign 3: Your DMARC Reports Show Authentication Failures

If DMARC is the smoke detector of email security, authentication failures in your DMARC reports are the smoke.

DMARC generates two types of reports:

• Aggregate reports (RUA): Daily XML summaries showing all authentication results for emails claiming to be from your domain. These reveal the volume and sources of spoofing attempts.
• Forensic reports (RUF): Detailed reports on individual authentication failures, including message headers and sometimes content (though many providers limit these for privacy reasons).

Here's what to look for in your aggregate reports:

• Emails failing both SPF and DKIM from IP addresses you don't recognise — This is a strong indicator of active spoofing
• High volumes of failures from specific regions or ISPs — Suggests a coordinated phishing campaign
• Increasing failure rates over time — A campaign that's scaling up
• Emails passing SPF but failing DKIM (or vice versa) from unknown sources — Could indicate partial spoofing or misconfiguration, but worth investigating

What to Do

• Review your DMARC reports weekly at minimum. Use a DMARC analysis tool to make the XML reports human-readable — raw DMARC data is notoriously hard to interpret.
• Ensure your DMARC policy is set to p=reject (or at least p=quarantine). A p=none policy monitors but doesn't protect — it's like having a security camera but no locks on the doors.
• Investigate unknown senders. Cross-reference unfamiliar IP addresses against known email services and hosting providers. This can reveal where the phishing emails are being sent from.
• Use the data for takedowns. DMARC reports provide concrete evidence of spoofing that you can include in abuse reports to hosting providers and registrars.

Sign 4: You Discover Lookalike Domains Registered to Unknown Parties

This is the most direct evidence of brand targeting — and it often goes unnoticed until the damage is done.

Lookalike domains come in several flavours:

• Typosquats: yourbarnd.com, yourbrand.co (when you own .com), your-brand.com
• Homoglyphs: yоurbrand.com (where the "о" is a Cyrillic character), yourbranḍ.com (with a dot below the "d")
• Combosquats: yourbrand-login.com, yourbrand-secure.com, yourbrandsupport.com
• Subdomain abuse: yourbrand.malicious-host.com — technically a subdomain of someone else's domain, but visually misleading, especially on mobile

The danger escalates based on what the domain is being used for:

• Parked or for sale: Low immediate risk, but a domain that exists today can become a phishing site tomorrow
• Redirecting to a competitor: Annoying and potentially trademark infringement, but not a direct phishing threat
• Hosting a website that mimics yours: High risk — this is likely an active phishing or fraud operation
• Configured with MX records (email): Very high risk — the domain is set up to send and receive email, a strong indicator of phishing or business email compromise

What to Do

• Run a domain similarity scan using brand monitoring tools. Look beyond obvious misspellings — modern attacks use increasingly subtle variations.
• Check what the domain resolves to. Use tools like dig, nslookup, or online DNS lookup services to see if the domain has A records (website), MX records (email), or nameserver configurations.
• Screenshot everything. If the domain hosts a website mimicking yours, capture evidence before filing takedown requests. Attackers frequently take sites down and move to new domains when they detect investigation.
• File abuse reports with the domain registrar and hosting provider. Include your trademark documentation, screenshots of the infringing content, and evidence that the domain is being used for phishing.

Sign 5: Your Brand Appears in Phishing Databases and Threat Intelligence Feeds

Security researchers, anti-phishing organisations, and threat intelligence platforms maintain databases of known phishing campaigns. If your brand shows up in these databases, it means your brand has already been weaponised — and the security community has noticed.

Key sources to check:

• PhishTank (phishtank.org) — A collaborative clearinghouse for phishing data. Search for your domain name to see if any reported phishing URLs reference your brand.
• Google Safe Browsing (transparencyreport.google.com) — Check whether any domains associated with your brand have been flagged as dangerous.
• URLhaus (urlhaus.abuse.ch) — A project tracking malicious URLs, including those used in phishing campaigns.
• APWG (Anti-Phishing Working Group) — Publishes reports on phishing trends by industry and brand.
• Social media monitoring — Search platforms for your brand name alongside terms like "scam," "fake," "phishing," or "fraud."

What to Do

• Set up alerts. Google Alerts for your brand name combined with terms like "scam" or "phishing" can provide early warning (though they're not comprehensive).
• Monitor proactively, not reactively. By the time your brand appears in a phishing database, a campaign is already underway. The goal is to catch it as early as possible to limit exposure.
• Notify your customers if you discover an active campaign. Transparency builds trust — customers appreciate being warned, and it reduces the likelihood they'll fall victim.
• Report and contribute. When you discover phishing activity, report it to the relevant databases. This helps protect other potential victims and strengthens the collective defence.

Connecting the Dots: From Detection to Defence

Each of these five signs is valuable individually. Together, they paint a comprehensive picture of your brand's threat landscape. The pattern typically looks like this:

1. Lookalike domains get registered (Sign 4)
2. Phishing emails start going out (Signs 1 and 3)
3. Customers get scammed (Sign 2)
4. The campaign gets reported (Sign 5)

The earlier you detect the chain, the less damage gets done. Catching a lookalike domain at registration — before it's used for phishing — is infinitely better than discovering an active campaign through customer complaints.

But here's the challenge: monitoring all five of these signals manually is time-consuming, technically demanding, and easy to let slide when you're busy running a business. That's why automation matters.

From Awareness to Action

Knowing the signs is the first step. Acting on them is what actually protects your brand and your customers.

DoppelDown automates the detection side of this equation. We continuously monitor for lookalike domains, analyse new registrations for phishing risk, and alert you the moment something suspicious appears — so you can act before your customers are targeted, not after.

No more manually searching WHOIS databases. No more waiting for customer complaints to discover a problem. No more hoping someone else catches the threat first.

Start monitoring your brand with DoppelDown and find out if any of these warning signs are already flashing for your business.