1. Create your own social media presence before someone else does
Companies should have an official presence on major social media sites, even if they don’t use them often, says John LaCour, CEO of PhishLabs. “If customers go looking for [your page] and can’t find one, they may find the bad guys instead,” he says. Many social media sites offer icons or flags that identify legitimate sites, he adds. Companies should also tell customers that their official sites will be used only for announcing new products and services, for example, so that customers will look more suspiciously at alleged brand sites that offer free perks or customer service action.
2. Establish governance
Companies need to have a governance program in place and staff responsible for social media accounts and communication as part of the company’s main infrastructure, Redmond says.
Business units often create their own legitimate domains, but the security team might not know about them. “They don’t do it through the right channels,” Gordon says. “That needs to be monitored with processes in place.”
3. Conduct a social media brand inventory
A simple search of a company’s name on popular social media sites can begin to uncover any nefarious social media accounts or at least reveal how the company is being represented, fraud experts say. During a recent audit of its social media presence, a major consulting firm was shocked to discover that hundreds of accounts were impersonating its brand or were using its name in some unwanted way on sites like Facebook, Twitter, LinkedIn, Google+ and Instagram, Gordon says.
Some accounts might be legitimate, while others may reference a company’s name simply to draw traffic to their site. But a few could be truly criminal, attempting to use fake accounts for phishing scams or to sell knock-off merchandise, she adds.
4. Identify fraudulent accounts and act quickly
At PayPal, security teams focus on identifying fraudulent sites and then reacting quickly, usually with the help of its worldwide customer base.
“The fastest way we identify [fraud] is being notified by our customer base,” including merchants and consumers, Adams says. “We are often notified much more quickly by customers than we are by the industry organizations that identify potential fraud and kick out threat alerts.”
PayPal’s investigative team reviews the fraud tips as they are received and identifies whether they are malicious or benign. Next, they reach out to social media platform operators and their security departments to alert them.
5. Know where and how to report brand fraud
When customers suspect a fake company account on social media, they need to know who to report the fraud to, Redmond says. Develop a response plan that includes the documentation that should be collected and who should be contacted at the company and the social media site.