Use case Brand owners · trust & safety · consumer brands

Brand impersonation monitoring

If you're a brand owner, attackers are cloning your website to harvest credentials and payment data from your own customers. PhishFence finds the clones, scores their visual similarity to the real thing, and surfaces the ones impersonating you in real time.

The attacker pattern

An attacker downloads your website — trivially easy with browser dev tools or a tool like wget --mirror — and re-hosts it on a lookalike domain such as [brand]-login.com or [brand]-support.com. The clone is pixel-perfect: your logo, your color scheme, your copy, even your live chat widget. The only change is the form submit action, which now points to the attacker's collector.

Traffic gets driven via phishing email, paid search ads on your brand name, SMS, or social-media DMs. Customers who land believe they're on the real site. They sign in, enter payment details, or chase a fake support flow. By the time you notice, hundreds of credentials may already be in the attacker's database.

The clone pipeline
[brand].com Real site Logo, copy, layout, forms scrape Pixel-perfect clone Identical UX Form action: attacker's collector host [brand]-login.com Lookalike domain Valid TLS, looks legit Customer credentials & payment data harvested Phishing email / brand-name search ads / SMS drive traffic

How PhishFence detects it

  1. 1

    Lookalike domain discovery

    Same nine-pattern variant engine as the typosquatting use case — the candidate set is identical; what differs is what we do with it.

  2. 2

    Screenshot capture for every live candidate

    For each candidate with a responding HTTPS server, PhishFence renders the page in a headless browser and stores the screenshot. The render captures the rendered DOM, not just the source, so client-side cloning is just as visible.

  3. 3

    Perceptual-hash visual similarity

    Each screenshot is hashed with a perceptual algorithm (pHash) and compared against your monitored-domain baseline. A near-zero hamming distance is a near-perfect clone; small distances reflect minor cosmetic changes to a clone, not unrelated sites.

  4. 4

    Content classification

    A classifier scans the captured page for high-signal content: login forms, payment forms, brand-name strings, support-flow language. A page that scores high on both visual similarity and content classification is almost certainly impersonating you.

  5. 5

    Combined signal elevation

    Combined scoring elevates the few real clones above the broader pool of registered-but-parked lookalikes so your dashboard isn't drowned in noise.

What it looks like in PhishFence

Screenshot: side-by-side alert
Real brand site (left) next to the captured clone (right)
Brand impersonation alerts show the captured clone next to your reference baseline so the visual evidence is obvious at a glance.
Screenshot: visual similarity breakdown
Hamming distance score plus image-region heatmap
The visual similarity score is explicit and explainable — a low hamming distance plus a high content classifier score means the page is almost certainly impersonating you.
Screenshot: content classifier flags
Login form / payment form / brand-name detection markers
Content classifier flags surface the specific markers that elevated the page above generic typosquat noise — useful when justifying the takedown to a registrar's abuse team.

Common pitfalls to avoid

  • Trusting URL alone. A defender who only checks domain names misses the page-content half of the signal. The danger here is not the URL but the rendered page; you have to actually look at what's being served.

  • Cloaking-aware attackers. Sophisticated clones serve a benign page to security scanners and the real phishing payload only to traffic arriving with the expected Referer header (paid ad / phishing email). Test with realistic referrers when validating an alert.

  • Re-baselining too late. If you redesign your real site without re-capturing your reference baseline, every screenshot diff suddenly scores high — including the legitimate one. Refresh the baseline as part of your launch checklist.

  • Forgetting the marketing-page surface. Clones often target your highest-conversion product page (a checkout, a sign-in flow) rather than your apex. Capture baselines for the pages attackers will actually want to copy, not just the homepage.

Which PhishFence tier?

Pro at $99/month is the floor — screenshot capture and visual similarity scoring are Pro-tier features. Business at $249/month (50 domains) fits brands with multiple monitored domains, sub-brands, or product names that warrant separate lookalike sets and reference baselines.