Brand impersonation monitoring
If you're a brand owner, attackers are cloning your website to harvest credentials and payment data from your own customers. PhishFence finds the clones, scores their visual similarity to the real thing, and surfaces the ones impersonating you on an hourly monitoring cadence.
The attacker pattern
An attacker downloads your website (trivially easy with browser dev tools or a tool like wget --mirror) and re-hosts it on a lookalike domain such as example-login.com or example-support.com. The clone is pixel-perfect: your logo, your color scheme, your copy, even your live chat widget. The only change is the form submit action, which now points to the attacker's collector.
Traffic gets driven via phishing email, paid search ads on your brand name, SMS, or social-media DMs. Customers who land believe they're on the real site. They sign in, enter payment details, or chase a fake support flow. By the time you notice, hundreds of credentials may already be in the attacker's database.
That's the website half. The other half is email impersonation: an attacker sends mail that appears to come from your domain (or a lookalike of it) without bothering to host a cloned site at all. A fake invoice from billing@example.com, a phony account-update notice, a vendor-fraud request to redirect ACH details. Defending the brand means defending both channels: lookalike domains (this page) and the email envelope (covered by the Email Security product).
The other half: email impersonation
Lookalike sites need traffic to monetize. Email is one of the main ways attackers send it, and the email channel works as its own attack even when no cloned site exists. The attacker forges your envelope sender (or spoofs a lookalike domain), drops the message into your customer's inbox, and asks for a wire transfer or a password reset. SPF, DKIM, and DMARC are the protocols that let receivers reject those messages, but only if your records are configured correctly and you watch the reports.
PhishFence Email Security ingests your DMARC aggregate reports daily, enriches every sending IP with PTR + ASN + ESP attribution so you can tell Google Workspace from a Russian hosting provider at a glance, and pings you the moment a new sender shows up. The enforcement wizard then walks you from p=none to p=reject at the pace your real traffic can support, so attackers can't spoof your domain at scale.
Coverage map. Brand Protection (this page) finds the lookalike sites and the typosquat domains. Email Security finds the spoofed senders and the unaligned mail. They're sold separately, so buy one, both, or neither based on what your threat model needs. See pricing for both or read the email trust & compliance use case for the email-first attack pattern.
How PhishFence detects the website half
-
1
Lookalike domain discovery
Same nine-pattern variant engine as the typosquatting use case. The candidate set is identical; what differs is what we do with it.
-
2
Screenshot capture for every live candidate
For each candidate with a responding HTTPS server, PhishFence renders the page in a headless browser and stores the screenshot. The render captures the rendered DOM, not just the source, so client-side cloning is just as visible.
-
3
Perceptual-hash visual similarity
Each screenshot is hashed with a perceptual algorithm (pHash) and compared against your monitored-domain baseline. A near-zero hamming distance is a near-perfect clone; small distances reflect minor cosmetic changes to a clone, not unrelated sites.
-
4
Content classification
A classifier scans the captured page for high-signal content: login forms, payment forms, brand-name strings, support-flow language. A page that scores high on both visual similarity and content classification is almost certainly impersonating you.
-
5
Combined signal elevation
Combined scoring elevates the few real clones above the broader pool of registered-but-parked lookalikes so your dashboard isn't drowned in noise.
What it looks like in PhishFence
Sign in to your account
Enter your credentials to continue
Password
Forgot your password?
Captured 18m ago · click to enlarge in the live dashboard
94%
97%
81%
92%
99%
88%
71%
94%
- Password input field detected in form
- Form action posts to non-brand domain (collect.tk)
- Brand name found in <title> tag
- Brand logo image pHash distance under threshold
- Credit-card input field detected (autocomplete=cc-number)
Common pitfalls to avoid
-
Trusting URL alone. A defender who only checks domain names misses the page-content half of the signal. The danger here is not the URL but the rendered page; you have to actually look at what's being served.
-
Cloaking-aware attackers. Sophisticated clones serve a benign page to security scanners and the real phishing payload only to traffic arriving with the expected Referer header (paid ad / phishing email). Test with realistic referrers when validating an alert.
-
Re-baselining too late. If you redesign your real site without re-capturing your reference baseline, every screenshot diff suddenly scores high, including the legitimate one. PhishFence ships a one-click Recapture baseline button on the domain health page (Pro+) so you can add it to your launch checklist alongside the cache flush.
-
Forgetting the marketing-page surface. Clones often target your highest-conversion product page (a checkout, a sign-in flow) rather than your apex. PhishFence Pro auto-discovers your high-value paths (login, checkout, account) and baselines each one separately, so a cloned
/loginat attacker.com scores against the real/logininstead of your homepage. Pro tracks 5 paths per domain, Business tracks 20.
Which PhishFence tier?
Pro at $99/month is the floor: screenshot capture and visual similarity scoring are Pro-tier features. Business at $499/month (100 domains) fits brands with multiple monitored domains, sub-brands, or product names that warrant separate lookalike sets and reference baselines.