Fortgale Brand & Social Intelligence
CTI · capability 07 · Brand & Social Intelligence

The brand is attacked where the SOC doesn't look.

Domain spoofing, fake LinkedIn profiles of executives, phishing kits with customer logos, fake mobile apps, CEO/CFO deepfakes, brand mentions on criminal channels. These are threats that hit the brand before the systems · outside the SOC perimeter. Fortgale detects them and coordinates take-down with registrars, social platforms and mobile stores.

  • Average take-down: 24-72h
  • Imminent alert: 15 min
  • Categories monitored: 5

Standards · framework: ICANN URS · WIPO UDRP · Anti-Phishing WG · Image hash

Discipline · take-down: Registrar coord. · Cloudflare abuse · Social platforms · Mobile stores

The problem

Three threats outside the SOC perimeter.

The SOC monitors endpoints, network, identity. But the brand is attacked outside that perimeter: on registrars, on social platforms, in app stores, on AI-generated channels. To the SOC they are invisible · to marketing and legal they are problems without tools.

01

Outside the IT perimeter

External domains, fake social profiles, app stores, deepfake video: none of them produce logs in the customer's systems. The SOC does not see them.

02

Marketing/Legal without tooling

Marketing and legal teams see the problems when customers complain. Without proactive monitoring they are reacting, not defending.

03

Speed of response

A phishing kit carrying the brand logo can live for days before take-down. Every hour adds victims and reputational damage.

The distinction that changes everything

Generic brand protection vs operational intelligence.

Traditional brand protection is passive (search alerts, mention monitoring). Fortgale Brand Intelligence is operational: detection, validation, take-down.

Generic brand protection
  • Google Alert on brand keywords
  • Mention monitoring without validation
  • No take-down (just reporting)
  • Domain coverage only
  • Output: raw list of mentions
Insufficient
Fortgale Brand Intelligence
  • Multi-channel: domains, social, app stores, deepfake
  • AI + analyst validation (no false positives)
  • Coordinated take-down with registrars, CDNs, social platforms
  • Coverage extends to typosquatting + IDN homograph
  • Output: qualified alert + take-down report
Operational · take-down driven
The method · 4 steps

From brand mapping to completed take-down.

Four documented phases · from the inventory of brand assets to the coordinated removal of the threat.

  1. 01
    From baseline to baseline-aware

    Brand asset mapping

    Mapping of brand assets: logo (every variant, colour/white/black, with and without wordmark), executive list (with official photos), brand vocabulary (taglines, slogans, products, certifications), canonical domains. The baseline against which every detection is compared.

    Logo variants · Executive photos · Brand vocabulary · Canonical domains
  2. 02
    From source to source, continuously

    Continuous multi-channel surveillance

    Continuous monitoring of registrar feeds (newly registered domains), social platforms (LinkedIn, Telegram, X, Meta, TikTok), app stores (Google Play, Apple App Store), dark web channels, paste sites, AI-generated content sources.

    Registrar feed · Social crawling · App store monitoring · Dark web
  3. 03
    From signal to confirmed threat

    Threat validation with AI + analyst

    Image similarity (logo matching via perceptual hash + AI), content analysis (brand vocabulary, context), intent inference (configured phishing kit, redirect chain, payload, MX configured, freshly issued certificate). AI for triage, analyst for the decision.

    Image similarity AI · Content analysis · Intent inference · Analyst review
  4. 04
    From evidence to removal

    Coordinated take-down

    Structured workflow: notice to the registrar with evidence pack, escalation to CDN (Cloudflare abuse) and hoster, take-down on social platforms (Meta/LinkedIn/Telegram/X), mobile stores (Google Play / Apple App Review), ICANN URS for severe cases.

    Registrar notify · CDN escalation · Social take-down · ICANN URS
Monitoring categories

Five categories of brand threat.

The five families of brand-related threats Fortgale monitors continuously · from traditional typosquatting to AI-generated deepfake.

Category 01

Domain & TLD monitoring

Look-alike · typosquatting · IDN homograph · newly registered

Continuous monitoring of domains that can be used for brand phishing: typosquatting, IDN homograph (visually identical Cyrillic/Greek characters), different TLDs, prefix/suffix variation. Alerts on registration, MX configuration, certificate issuance.

  • Typosquatting Domains with small variations (e.g. fortgale → forgtale, fotrgale, fortgalle). Monitoring across all common and country-specific TLDs.
  • IDN homograph attack Domains using visually identical Unicode characters (e.g. Cyrillic 'а' instead of Latin 'a'). Detection via Punycode resolution.
  • Newly registered domain Real-time detection at registration · immediate alert if MX or certificate are configured within the next 24h.
  • Brand-protection portfolio Tracking of domains owned for brand-protection · if one expires or is renewed in an anomalous way, the security team is alerted.
  • Sub-domain takeover Detection of dangling sub-domains (orphan CNAME pointing to a decommissioned service, possible takeover).
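
An added example (not Fortgale's code) of how entries from a newly-registered-domain feed can be sorted into the look-alike classes listed above: Punycode labels are decoded, confusable characters folded to Latin, and the result compared with the brand label by edit distance. The canonical domain set, the small confusables table and the sample feed are constructed assumptions, and inputs are assumed to be registrable domains of the form `label.tld`.

```python
import unicodedata

# Constructed baseline for this example: brand label and canonical domain set.
BRAND = "fortgale"
CANONICAL = {"fortgale.com"}
# Illustrative subset of Cyrillic/Greek look-alikes, not the full Unicode confusables data.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u03b1": "a", "\u03bf": "o"}

def decode_label(label):
    """Resolve a Punycode (xn--) label to Unicode; plain labels pass through."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed Punycode: keep the raw label
            return label
    return label

def skeleton(label):
    """Fold confusable characters onto their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain):
    """Classify a registrable domain (label.tld) from a newly-registered feed."""
    domain = domain.lower().rstrip(".")
    if domain in CANONICAL:
        return "canonical"
    label = decode_label(domain.split(".")[0])
    folded = skeleton(label)
    if folded == BRAND:
        return "tld-variation" if label.isascii() else "idn-homograph"
    if osa_distance(folded, BRAND) == 1:
        return "typosquat"
    return "prefix-suffix" if BRAND in folded else "unrelated"

# Constructed feed; the homograph entry swaps Latin 'a' for Cyrillic U+0430.
HOMOGRAPH = "xn--" + "fortg\u0430le".encode("punycode").decode("ascii") + ".com"
FEED = ["fortgale.com", "forgtale.com", "fortgalle.net", "fortgale.net",
        "fortgale-login.com", HOMOGRAPH, "example.org"]

if __name__ == "__main__":
    for d in FEED:
        print(f"{d:30} {classify(d)}")
```
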
Category 02

Executive Impersonation

LinkedIn · Telegram · X · WhatsApp · social engineering setup

Tracking of fake profiles impersonating customer executives for social engineering, BEC, fraud. Fake LinkedIn CFO/CEO sending connection requests, Telegram fake support, X fake brand accounts.

  • LinkedIn fake profile Profiles using the real name and photo of an executive to gather connections and stage BEC. Detection via image similarity + cross-check with official profiles.
  • Telegram impersonation Fake brand support channels or executive impersonation on Telegram (channels, groups, DMs).
  • X / Twitter fake account Accounts that mimic the official brand for scams (crypto, fraudulent customer support, fake announcements).
  • WhatsApp Business spoofing Spoofing of the brand's WhatsApp Business for fraud — a fast-growing vector across 2024-2026.
  • Pre-BEC social engineering Detection of patterns preparing Business Email Compromise: anomalous LinkedIn connections, DMs from a fake CEO to the CFO, info gathering.
Category 03

Phishing kits with brand abuse

Kits configured with logos · landing pages · campaigns

Modern phishing kits (Tycoon 2FA, EvilProxy, Mamba 2FA, W3LL) are configured with real logos and branding to maximise conversion rate. Detection of landing pages carrying the customer's logo.

  • Landing page with brand logo Continuous crawling for landing pages that use the customer's logo · matching via perceptual hash + AI image similarity.
  • Kit family identification Identification of the kit in use (Tycoon, EvilProxy, Mamba, W3LL) via fingerprinting of the landing structure.
  • Campaign attribution Correlation with active campaigns and with the kit seller (often identifiable on Telegram channels).
  • EU-targeted brand Detection of kits configured with logos of European banks (e.g. BNP, Santander, Deutsche Bank), national tax authorities, social-security agencies, e-government portals, EU consumer brands.
  • Pre-launch detection Detection during setup (domain registered, certificate issued, kit deployed) BEFORE the campaign goes live.
Category 04

Fake apps & counterfeit

Play Store · App Store · e-commerce clones · crypto scam

Detection of mobile apps and e-commerce sites that mimic the customer's brand for phishing, malware, fraud. Coverage of official stores (Google Play, Apple App Store) and alternative stores (APK mirrors).

  • Fake mobile app Apps on Google Play / Apple App Store that mimic the official app for credential theft or malware (banking trojan).
  • E-commerce clones Sites that clone the design of the customer's e-commerce for scam (products never delivered, card fraud).
  • Crypto pump-and-dump using brand Crypto tokens that use the customer's brand for pump-and-dump scams (announcing a non-existent partnership).
  • Counterfeit listing For product brands: detection of listings on marketplaces (Amazon, Ebay, AliExpress) with counterfeiting (logo abuse, fake products).
  • Fake Telegram bot Telegram bots impersonating customer support or a trading bot of the brand for phishing.
Category 05

Deepfake & AI-generated content

Video · audio · image · CEO/CFO impersonation

The fastest-growing vector across 2024-2026: deepfake video (CEO announcing a non-existent partnership), voice cloning (calls from a fake CFO to the treasurer for wire transfer), fake AI-generated identity for scams.

  • CEO/CFO deepfake video Detection on YouTube, TikTok and Telegram of videos that use an executive's face for scams (crypto, partnership, urgent transfer).
  • Voice cloning for BEC Detection of voice cloning campaigns for Business Email Compromise: calls to the CFO from fake 'CEOs', vishing.
  • AI-generated fake identity LinkedIn / X profiles with AI-generated identities (StyleGAN photos) used for social engineering and impersonation.
  • Synthetic media detection Detection of AI-generated images and videos (StyleGAN, DALL-E, Midjourney) used for fraud · technical markers + analyst review.
  • AI-generated phishing copy Detection of phishing campaigns with AI-generated copy (LLM-written) · linguistically more credible than traditional phishing.
Among the most tracked

Seven brand threats · recurring patterns.

A selection of the most relevant brand threat patterns across 2024-2026 · from traditional typosquatting to fast-growing AI deepfake.

Domain · ongoing top vector

Domain look-alike & typosquatting

Newly registered · IDN homograph · TLD variation
Type: Domain spoofing · phishing infrastructure
Coverage: Registrar feed · MX · certificate · landing detection

The most widespread phishing vector: domains varying by one letter, different TLDs, Unicode homographs. Real-time detection at registration · alert if MX is configured or a certificate is issued within 24h.

Real-time detection · Pre-launch alert · Multi-TLD · Top tracked
Tracking · Top
LinkedIn impersonation · 2024-active

LinkedIn executive impersonation

Fake CFO/CEO profile · social engineering setup
Type: Social platform impersonation
Coverage: Image similarity · cross-check official profiles

Fake LinkedIn profiles impersonating executives to stage BEC: connection requests, info gathering, DMs to the CFO from a fake 'CEO'. Tracking via image similarity across the customer's executive portfolio.

LinkedIn · Pre-BEC · Image similarity · Cross-check
Tracking · Top
Telegram impersonation · ongoing

Telegram fake support channels

Fake brand support · fraudulent customer service
Type: Telegram channel impersonation
Coverage: Brand keyword · logo abuse · scam intent

Telegram is the preferred channel for fraudulent customer service (crypto, fintech, retail). Channels using brand logo and name to divert real customers into scams.

Telegram · Customer service scam · Brand abuse
Tracking · Active
WhatsApp Business · 2024-active

WhatsApp Business spoofing

Fake WA Business brand · BEC + consumer scam
Type: Messaging platform spoofing
Coverage: Display name · profile photo · verified badge

WhatsApp Business spoofing is growing rapidly across 2024-2026. Detection of WA Business profiles with brand photo and name used for consumer fraud and BEC against suppliers.

WhatsApp Business · Spoofing · Fast-growing
Tracking · Active
Mobile app store · ongoing

Fake mobile app store

Google Play · Apple App Store · APK mirror
Type: App store impersonation
Coverage: Brand name · logo · fake publisher

Detection of fake apps that mimic the customer's official app: same name, similar logo, fake publisher. Often vehicles for banking trojans or credential theft.

Mobile app · Banking trojan vector · Multi-store
Tracking · Active
Crypto scam · 2024-active

Crypto pump-and-dump using brand

Fake partnership announcement · token scam
Type: Crypto fraud · brand abuse
Coverage: Token name · social mention · announcement tracking

Crypto tokens that use the customer's brand for pump-and-dump scams: non-existent partnership announcements, fake roadmaps. Detection on X, Telegram, crypto Discord.

Crypto scam · Pump-and-dump · Fake partnership
Tracking · Active
Deepfake · 2024-active · fast-growing

CEO/CFO deepfake video

Synthetic media · video voice impersonation
Type: AI-generated content for BEC and scam
Coverage: Multimodal AI detection + analyst review

The fastest-growing vector across 2024-2026. Detection of deepfake video (YouTube, TikTok, Telegram) and voice cloning (telephone BEC) that use the face and voice of executives for fraud.

AI generated · Deepfake · BEC evolution · Fast-growing 2025-26
Tracking · Active
Severity · methodology

Priority based on intent.

Not every look-alike domain is the same. Priority comes from intent: domain with MX configured + certificate + landing page with logo = imminent. Parked domain = info.

Imminent

Immediate take-down

Active phishing infrastructure: kit deployed, certificate issued, MX configured, landing page with customer logo. Immediate alert + take-down launched.

High

Webhook alert

Confirmed intent (kit setup in progress, fake profile active, deepfake published) but not yet active phishing. Webhook alert within 15 min.

Medium

Weekly digest

Look-alike without payload, fake profile not yet active, mention not operational. Included in weekly digest.

Info

Dashboard only

Informational mention, expired brand-protection registration, parked domain. Available on the dashboard, does not generate an alert.
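
An added example (not Fortgale's code) that ties the perceptual-hash logo matching from the validation step to the four tiers above: a difference hash (dHash) decides whether a landing page carries the brand logo, and that result is combined with the MX and certificate signals. The hash threshold, the exact boundaries of the High and Medium tiers, and the pixel grids are constructed assumptions; the page fixes only the Imminent and parked-domain cases.

```python
# Constructed sample data: 8x9 grayscale grids stand in for downscaled images.
BRAND_LOGO = [[40 + ((r * 3 + c * 5) % 7) * 20 for c in range(9)] for r in range(8)]
BRIGHTER = [[p + 20 for p in row] for row in BRAND_LOGO]   # recoloured copy of the logo
INVERTED = [[255 - p for p in row] for row in BRAND_LOGO]  # page without the logo

LOGO_MATCH_MAX_BITS = 10  # assumed threshold, out of 64 hash bits

def dhash(gray):
    """Difference hash: one bit per horizontally adjacent pixel pair.
    `gray` is an 8-row x 9-column grid (image already downscaled to grayscale)."""
    bits = 0
    for row in gray:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left < right)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def triage(signals, brand_hash):
    """Map intent signals observed for a look-alike domain to (tier, delivery)."""
    landing = signals.get("landing_gray")
    logo = (landing is not None
            and hamming(dhash(landing), brand_hash) <= LOGO_MATCH_MAX_BITS)
    mx, cert = signals.get("mx", False), signals.get("cert", False)
    if mx and cert and logo:
        return "imminent", "immediate take-down"  # active phishing infrastructure
    if logo or mx or cert:
        return "high", "webhook alert"            # assumed: setup in progress
    if landing is not None:
        return "medium", "weekly digest"          # assumed: content, no payload
    return "info", "dashboard only"               # parked domain

if __name__ == "__main__":
    h = dhash(BRAND_LOGO)
    cases = [{"mx": True, "cert": True, "landing_gray": BRIGHTER},
             {"cert": True}, {"landing_gray": INVERTED}, {}]
    for case in cases:
        print(sorted(case), triage(case, h))
```

Because dHash encodes only the ordering of neighbouring pixels, a uniformly brightened copy of the logo hashes identically, while an unrelated image lands far beyond the threshold and goes to analyst review rather than automatic escalation.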

The output

How brand monitoring is delivered.

Four channels for four audiences: marketing, legal, security, executive. Each one receives what is useful · no generic alerts.

01

Brand dashboard

Web console with a real-time view of every detected threat: look-alike domains, fake profiles, phishing kits, deepfakes. Filtering by category, severity, take-down status.

02

Real-time alerts

Immediate push for imminent threats (active phishing infrastructure) via webhook, email, SMS. 15-minute SLA.

03

Monthly take-down report

Monthly report for legal and marketing: completed take-downs, average times, escalations, estimated avoided costs. Audit-committee ready.

04

Executive impersonation alert

Dedicated alert for fake profiles impersonating customer executives · direct escalation to the security team + HR for coaching of the executives involved.

Technical honesty

When Brand Intelligence is not needed.

If the brand is not visible online (B2B niche only, no e-commerce, no consumer-facing app), executives have no public profile, and the organisation is not in a counterfeit-target sector · brand monitoring produces little value.

Brand Intelligence is critical when: the brand is recognisable to consumers (finance, retail, luxury, private healthcare), e-commerce is live, executives have public profiles and media exposure, a mobile app is distributed, and the organisation sits in BEC or impersonation target sectors.

Not sure? Let's talk. If it is not for you, the team will say so.

To bring to the board

Three slides · brand as an asset to protect.

The board discusses brand value in terms of reputation and P&L. Brand Intelligence produces data the CISO can take to the board in business language.

01 · Brand exposure

How many look-alike domains registered in the last 12 months · how many fake executive profiles · how many phishing kits found with the brand logo.

02 · The action

How many take-downs completed · average time (24-72h domain, 12-48h social) · estimated avoided cost per successful take-down.

03 · The AI trend

Growth of deepfake/voice cloning · how many cases detected year over year · coaching recommendations for public-facing executives.

The "3 board slides" pack is included in Brand Intelligence reporting · available on request.

FAQ

Frequently asked questions on Brand & Social Intelligence.

What does Brand & Social Intelligence mean?

Monitoring of the non-IT attack surface: domain spoofing, executive impersonation on LinkedIn/Telegram, phishing kits with customer logos, fake mobile apps, CEO/CFO deepfakes, brand mentions on criminal channels. These are threats that hit the brand before the systems · the SOC often does not see them because they live outside the perimeter.

How does the take-down of look-alike domains work?

A structured workflow: 1) threat validation (configured phishing kit? customer logo? redirect pattern?), 2) notice to the registrar (GoDaddy, Namecheap, Namesilo, Reg.ru) with an evidence pack, 3) if no response, escalation to the CDN (Cloudflare abuse) and hoster, 4) in severe cases, ICANN URS (Uniform Rapid Suspension) for fast take-down. Typical time: 24-72 hours.

Which social platforms are monitored?

LinkedIn (executive impersonation, fake company pages), Telegram (fake support channels, fake brand channels, fake job offers), Meta (Facebook + Instagram fake pages and ads), X/Twitter (fake brand accounts), TikTok (deepfake video), YouTube (CEO deepfake video, phishing tutorials). Coverage also extends to WhatsApp Business spoofing and Threads.

Do you also find CEO deepfake videos?

Yes. Detection of deepfake video (CEO/CFO impersonation for BEC), audio (voice cloning for phone scams), image (fake identity for scam). Coverage of videos uploaded to YouTube/TikTok/Telegram and of audio on scam channels. Detection uses multimodal AI plus manual analyst review.

How fast can a take-down be executed?

Look-alike domains via registrar: typically 24-72 hours. Social platforms (LinkedIn, Meta, X): 12-48 hours. Mobile app stores: 5-15 days. For emergencies (active phishing infrastructure already hitting customers), escalation to Cloudflare abuse for temporary blocking within 1-4 hours.

When does Brand Intelligence NOT make sense?

If the brand is not visible online (B2B niche, no e-commerce, no consumer-facing app), executives have no public profile, and the organisation is not in a counterfeit-target sector (luxury, retail, finance, private healthcare). In these cases brand monitoring produces little value. Where the brand is recognisable and the executives have public profiles, monitoring is one of the most effective defence levers against BEC and social engineering.

Start with brand monitoring

What is circulating about your brand right now?

Request a free 30-day scan · 5 domains, 10 executives, brand keywords, app stores, deepfake sources. The team returns a report with real detected events · no commitment.

Response time: < 1 business day.