From Fake Domains to Deepfake Scams: One Target, Two Tools

From Fake Domains to Deepfake Scams: One Target, Two Tools

If you want to see how a brand attack actually starts, don't look for a hacked server. Look for a domain that was registered yesterday, sitting quietly, waiting for someone to build a phishing page on top of it.

That's usually step one. Step two is a fake login page. Step three, increasingly, is a video of your CEO that never happened.

Deepfake fraud attempts have surged 2,137% in the last three years, and by 2024 a new deepfake attack was being attempted every five minutes. In 2026, deepfakes now account for 11% of all global fraudulent activity, and 62% of organizations reported experiencing a deepfake attack involving social engineering in the 12 months prior to mid-2025. These aren't fringe numbers anymore. They describe a threat that has moved from novelty to infrastructure.

What ties a fake domain to a deepfake video is not the technology. It's the target. Both attack the same thing: the trust people place in your brand's name, your executives' faces, and your company's digital footprint. A lookalike domain and a cloned voice are two tools serving one goal — convincing someone that they are dealing with you, when they are not.

Most brand protection programs were built for the first tool and are still catching up to the second. Domain monitoring, trademark watch lists, and takedown workflows were designed around an era of typo-squatted URLs and copy-pasted logos. They are not built to catch a synthetic voice on a phone call, or a fabricated video ad running on social media that never even uses your brand name. Closing that gap is where threat intelligence stops being a nice-to-have and becomes the thing standing between your brand and the next impersonation headline.

This post walks through how brand impersonation has evolved from fake domains to deepfakes, why the old playbook is falling behind, and what a threat-intelligence-driven brand protection program actually looks like in practice.


Your Brand, Through the Attacker's Eyes

Your Brand, Through the Attacker's Eyes

Every brand has an inside view of its own footprint. It's the list of registered domains, the official social accounts, the approved marketing assets, and the executives' verified profiles. This is the view that tells you what you meant to put out into the world.

The outside view is what everyone else sees — customers, partners, and attackers alike. It includes the lookalike domain registered last week with your logo copy-pasted onto a fake login page. The Instagram account impersonating your support team. The paid ad running on Facebook featuring a synthetic video of your CEO endorsing an investment scheme you've never heard of. The counterfeit listing on a marketplace using your product photos.

These two views rarely match, and the gap between them is growing faster than most security teams can track manually. More than 326,000 brand impersonation attempts were detected across 6,279 brands in a single year, according to 2025 detection data — and that's just the phishing and impersonation sites that got caught. Fraud and spoofing losses reported to the FBI's IC3 reached $215.8 million in 2025 alone.

Threat intelligence is what closes this gap. Done properly, it tells you the moment a domain that looks like yours gets registered, the moment a fake profile using your brand name goes live, the moment a scam ad featuring your executive's face starts running, and the moment your brand gets mentioned on a dark web forum as a target. Without that outside view, you're defending the brand you think you have, while attackers are actively building campaigns around the brand everyone else actually sees.


The Impersonation Playbook

The Impersonation Playbook

Before going further, a shared vocabulary helps. Brand impersonation doesn't come in one shape — it comes in a handful of recurring patterns, and most successful attacks combine more than one at once.

Domain squatting and lookalike domains. Typo-variants, homoglyphs, and copycat subdomains registered to host phishing pages or redirect traffic. This remains the most common entry point: 46% of fraud takedowns involve a .com domain, and 75% of the top extensions used in fraud are generic top-level domains like .com, .net, and .org — the exact extensions your legitimate brand also relies on.

Social media impersonation. Fake accounts posing as the brand, its executives, or its support team, often used to run scams directly in customers' DMs or reply to complaints before the real support team can.

Phishing and smishing campaigns. Emails, SMS messages, and voice calls that harvest credentials or payment data by mimicking trusted brand communications. Over 82% of phishing emails in the first half of 2026 showed signs of AI involvement, making them harder to distinguish from legitimate messages than ever before.

Scam ads and fake app listings. Paid placements and app store listings that imitate the brand to drive traffic toward fraudulent destinations — increasingly built around synthetic video or audio rather than static images.

Counterfeit product listings. Fake goods sold under the brand's name and imagery on marketplaces the brand doesn't control, a problem estimated at $467 billion in global trade.

Fake reviews and coordinated bot activity. Review fraud that distorts buyer trust at scale, often run by networks rather than individuals.

Deepfake impersonation. The newest and fastest-growing category: cloned executive voices used in vishing calls, fabricated videos of spokespeople endorsing products or schemes that don't exist, and synthetic personas used to socially engineer employees or customers. Unlike the categories above, a deepfake often carries no brand name, no logo, and no domain at all — it borrows a face or a voice instead of a mark, which is exactly what makes it invisible to traditional monitoring.

Here's the useful observation once this list is in front of you: the first six categories can mostly be caught by watching domains, marketplaces, and text-based mentions. The seventh cannot. A brand protection program built only around trademark and keyword monitoring will catch most of the first six and almost none of the last one — and the last one is the category growing fastest.


Anatomy of an Impersonation Campaign

Anatomy of an Impersonation Campaign

A real brand attack rarely looks like a single dramatic event. It looks like patient infrastructure-building, and it almost always starts outside anything your security team monitors.

Stage one is reconnaissance. The attacker studies your brand the way a forger studies a signature — pulling executive photos and video clips from earnings calls, interviews, and social media, scraping your logo and color scheme from your website, and checking which domains related to your brand are still unregistered. Voice cloning needs as little as 20 to 30 seconds of audio, and a convincing 60-second deepfake video can now be produced in under 25 minutes at essentially no cost. At this stage nothing has touched your systems and nothing shows up in your logs, because the attacker is building assets, not attacking yet.

Stage two is infrastructure setup. A lookalike domain gets registered. A fake social profile goes live, often copying real posts to look established. A scam ad gets submitted to an ad network, sometimes running for days before anyone flags it. This is where a fabricated video of a well-known financial commentator and a public figure endorsing a fake investment scheme was pushed through paid Facebook advertising in a real campaign that ran until public reporting connected the losses back to it. Isolated, each piece looks like a minor policy violation. Together, they are one operation wearing several masks.

Stage three is the approach. This is where the fraud actually happens — a phishing page harvesting credentials, a cloned voice on a call asking someone to move money, a synthetic video used to socially engineer an employee into resetting access. A finance director joining a call with what looks and sounds exactly like her CFO and colleagues, discussing a deal the board reportedly approved, is a real pattern being reported now, and the deception can hold for days because every person on the call is synthetic.

Stage four is scale and repetition. Once a channel works, attackers don't stop at one victim. The same cloned voice gets reused across multiple targets. The same fake domain gets linked from multiple phishing messages. The same synthetic video gets re-uploaded across platforms faster than takedown requests can keep up.

The pattern across all four stages is the same one that shows up in API attacks and network intrusions: the earliest, cheapest stage to stop an attack is reconnaissance and infrastructure setup, long before stage three ever reaches a customer or employee. The only way to catch it that early is to be watching the same sources attackers are building on — domain registries, ad networks, social platforms, and dark web forums — continuously, not after a customer reports a loss.


Why Deepfakes Break the Old Playbook

Why Deepfakes Break the Old Playbook

Everything covered so far — domains, phishing pages, fake profiles, counterfeit listings — shares one property: they all leave a text-based artifact. A domain string. A brand name in a post. A logo file. Traditional brand monitoring was built around exactly this: scan for keyword matches, logo hashes, and registered trademark strings, then flag whatever matches.

Deepfakes don't play by that rule. A cloned voice on a phone call carries no domain. A fabricated video of a spokesperson doesn't need to mention the brand name at all — it can run as a scam ad on social media, reach a wide audience through paid placement, and never once trip a keyword filter, because the giveaway isn't a string of text. It's a face and a voice.

This creates four gaps that open at once for organizations still running an old-model brand protection stack:

Technical controls log the call, but never verify the caller. Video and voice conferencing tools confirm that a call happened. They have no way of confirming that the person speaking is actually who they appear to be.

Brand monitoring misses synthetic likenesses entirely. Keyword and logo-hash scanning looks for registered assets being copied. A generated face or a cloned voice isn't a copy of anything on file — it's a new artifact that was never registered anywhere, so there's nothing for the scanner to match against.

Email security stops at the inbox. Secure email gateways inspect attachments, links, and headers. Deepfake fraud increasingly happens on video calls, voice channels, and messaging apps — none of which an email gateway ever touches.

Isolated alerts hide the campaign. A deepfake video ad, a spoofed social profile, and a cloned-voice call hitting the same brand in the same week are usually one operation, not three unrelated incidents. Treating them separately means the connection — and the chance to take down the whole campaign at once — gets missed.

The uncomfortable part is that detection tools chasing the newest generative models will always be one step behind, because the models keep improving faster than detectors can be retrained on them. That's why the more durable defense isn't a better detector — it's shrinking the raw material attackers need in the first place: limiting how much unscripted footage and audio of executives sits publicly exposed, and building a verification step into sensitive workflows — a call-back, a code word, a second channel — so no single convincing fake is ever enough on its own to move money or access.


How Threat Intelligence Powers Real Brand Defense

How Threat Intelligence Powers Real Brand Defense

Buying a threat intelligence feed and actually using threat intelligence are two different things. A feed sitting in a dashboard nobody opens is a line item on an invoice. It only matters once it reaches the places that make decisions. For brand protection, those places are roughly five:

Domain and infrastructure discovery. Continuous scanning of newly registered domains, certificate transparency logs, and typo-variant patterns catches lookalike domains and phishing infrastructure the moment it's built — before it's linked from a single phishing message.

Social and marketplace monitoring. Automated detection across social platforms, ad networks, and marketplaces flags fake profiles, scam ads, and counterfeit listings using the brand's name, logo, or executive likeness, often before they gain meaningful reach.

Deepfake and synthetic media detection. Purpose-built monitoring for cloned voices, fabricated video, and executive impersonation — watching for the raw material (leaked footage, voice samples, PII) attackers harvest from earnings calls, interviews, and social profiles, not just the finished fake.

Campaign correlation. Individual alerts mean little on their own. A spoofed domain, a fake profile, a scam ad, and a cloned-voice call hitting the same brand in the same week are stitched together into a single view, turning a pile of disconnected tickets into one attacker infrastructure to dismantle.

Takedown and enforcement. Detection without enforcement is just awareness. Effective programs execute takedowns across registrars, hosting providers, social platforms, ad networks, messaging providers, and telcos — all at once, so an attacker can't simply keep the WhatsApp or SMS leg of a campaign alive after the domain comes down.

Vendors in this space split along these five jobs, and rarely cover all of them equally well. The right stack depends on where the biggest exposure actually sits — a company selling physical goods weighs counterfeit monitoring differently than a fintech worried about executive voice cloning.


Two Surfaces, One Stack

Two Surfaces, One Stack

No single tool covers brand impersonation from every angle — domains, social platforms, marketplaces, and now synthetic media each demand a different kind of monitoring. Broadly, the market splits into platforms built around domain and phishing detection, ones built around counterfeit and marketplace enforcement, and a newer wave built specifically around deepfake and executive impersonation.

Cypho sits in this last, more complete category — combining external attack surface management, threat intelligence, data leak monitoring, and digital brand protection in one platform. Continuous scanning identifies impersonating domains, fake social profiles, and exposed brand assets, while dark web and data leak monitoring flags leaked executive credentials, PII, and brand mentions in underground forums, correlating them into actionable alerts instead of raw noise. For teams that want domain monitoring, credential exposure, and brand context covered without stitching together several vendors, it fits neatly.

The point isn't which platform is "best" — it's that whatever stack a team runs needs to cover both the old attack surface (domains, phishing pages, fake accounts) and the new one (synthetic voice and video), with signals reaching a team that can actually act on them.


A Realistic Checklist for Brand Defense

A Realistic Checklist for Brand Defense

No list replaces judgment, but if you want a starting point, this is the short version:

  • Monitor newly registered domains and certificate transparency logs continuously for lookalike and typo-variant patterns targeting your brand.
  • Track social platforms, ad networks, and marketplaces for fake profiles, scam ads, and counterfeit listings using your name, logo, or executive likeness.
  • Limit how much unscripted footage and clean audio of executives sits publicly exposed — it's the raw material every deepfake needs.
  • Build a verification step — a call-back, a code word, a second channel — into any workflow where a call or video alone could authorize money movement or access changes.
  • Correlate alerts across channels instead of treating each one as an isolated incident; a domain, a fake profile, and a scam ad hitting you in the same week are usually one campaign.
  • Make sure detection ends in enforcement — takedowns that reach registrars, hosts, social platforms, ad networks, and telcos together, not just one channel at a time.
  • Train employees specifically on deepfake and voice-cloning scenarios, not just generic phishing awareness — regulators are increasingly expecting this directly.
  • Monitor dark web forums and underground channels for early mentions of your brand or executives as a target, not just for leaked data after the fact.
  • Revisit the checklist whenever intelligence indicates a new campaign pattern is targeting your sector — this threat model moves faster than annual reviews.

Closing the Gap

Closing the Gap

API security or brand protection, the pattern is the same: the organizations that get hit hardest are rarely the ones missing some exotic defense. They're the ones who didn't know how much of their attack surface sat outside their own walls — the domain nobody registered in time, the executive video clip sitting publicly available, the fake profile that ran for weeks before anyone noticed.

Fake domains and deepfakes aren't two separate threats requiring two separate strategies. They're two stages of the same problem: attackers borrowing your brand's trust to convince someone you are who you're not. The tools have changed — a typo-squatted URL and a cloned executive voice look nothing alike — but the target hasn't. It's still the confidence your customers, partners, and employees place in your name and your face.

Closing that gap means watching the same sources attackers watch, correlating what looks like scattered noise into one campaign, and making sure detection ends in an actual takedown — not a dashboard alert nobody opens. Brands that build this as a continuous practice catch impersonation in its early, cheap-to-stop stages. Brands that don't find out about it from a customer, a headline, or a wire transfer that already left the building.


Related reading from Cypho:


References:

Experience Next Generation Threat Intelligence

Minimize complexity and maintain secure posture with real-time monitoring and actionable insights

Get a Demo