Brand impersonation: a defender's guide
A brand-impersonation site borrows your name, look and search position to convert your own customers into someone else's victims. Here is how the playbook works, how to spot it early, and what you can actually do about it.
The anatomy of an impersonation
Most impersonations follow the same recipe. A disposable domain carries the brand name — a typosquat, an added word like "official", "login" or "2026", or an alternate TLD. The page copies the brand's name, logo and tone, and is fronted by a CDN to hide where it is really hosted. From there it does one of a few things:
- Captures search traffic and redirects it to an unlicensed operator.
- Presents a fake login to harvest credentials and one-time codes.
- Runs a fake deposit / payment flow to intercept money directly.
Frequently the same operator stands up dozens of these at once and uses cloaking so they rank in search while passing a casual look.
How to spot it early
The earlier an impersonation is caught, the fewer people it reaches. Practical signals to watch:
- New look-alike domains — monitor for registrations containing your brand, common misspellings and brand-plus-keyword combinations.
- Certificate transparency — TLS certificates are logged publicly; brand-adjacent hostnames show up there as they are provisioned.
- Search drift — watch your brand queries for results you don't control creeping up the page.
- Customer reports — give users an easy way to report a suspicious "official" site.
Your takedown options
An impersonation usually touches several providers, and each is a separate lever. The strongest approach is to pull all of them at once rather than wait on any single one:
- Registrar — request suspension of the domain for impersonation and AUP breach; ask them to preserve registrant records.
- Hosting provider — request removal at the origin; if a legitimate site was compromised to host the content, notify the owner.
- CDN / network — route to trust & safety, request origin disclosure and a phishing interstitial.
- Browser blocklists & search — get the URL blocklisted for fast user protection and reported for impersonation / cloaking so it loses its ranking.
Every notice needs the same backbone: the abusive URL, the impersonated brand, the responsible infrastructure, and a one-line way to reproduce the abuse. See our evidence standard.
Why it keeps coming back
Taking one domain down is rarely the end. Operators re-register disposable look-alikes and re-host the same kit within hours. Treat impersonation as a recurring campaign: keep monitoring for the next batch, track the infrastructure patterns, and re-file fast. Persistence on the defender's side is what makes the operation uneconomic.
Related: Search-engine cloaking, explained · How to report phishing