DE.CM-4 / RS.MI-3 NIST Cybersecurity Framework v1.1

Do you have a process to detect and report active phishing pages impersonating your brand?

Demonstrate that the organization operates a documented and effective process for detecting, investigating, and reporting phishing pages that impersonate its brand, with evidence of active monitoring and takedown activity.

Description

What this control does

This control establishes a continuous monitoring capability to detect fraudulent websites, phishing pages, and domains that impersonate the organization's brand, trademarks, or digital properties. The process typically involves automated monitoring services, threat intelligence feeds, domain monitoring tools, and manual investigation to identify active phishing campaigns targeting customers, employees, or partners. Upon detection, the organization follows defined procedures to report malicious sites to hosting providers, domain registrars, browser vendors, and law enforcement to achieve rapid takedown and minimize customer impact.
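As an added illustration, not part of this control text or of any particular monitoring product, the following shows the first-pass triage a domain-monitoring step performs: a hypothetical brand ("examplebank") and a constructed sample of newly observed domains are run through simple checks for confusable-character lookalikes, brand keywords embedded in hostnames, and near-miss typos, producing the candidates an analyst would investigate and report.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Hypothetical brand and legitimate domains used for this example only.
BRAND_LABELS = ["examplebank"]
OWN_DOMAINS = {"examplebank.com"}

# Small confusable table (constructed); real tooling uses far larger sets.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def normalize_label(label):
    """Fold case, confusable characters and Unicode decorations to an ASCII skeleton."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", s)

def classify_domain(domain, threshold=0.85):
    """Return (reason, brand) when a domain looks like brand impersonation, else None."""
    host = domain.lower().rstrip(".")
    if "xn--" in host:                       # decode IDN/punycode labels before comparing
        host = host.encode("ascii").decode("idna")
    if host in OWN_DOMAINS or any(host.endswith("." + d) for d in OWN_DOMAINS):
        return None                          # the organization's own properties
    labels = [normalize_label(l) for l in host.split(".")]
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in BRAND_LABELS:
        if registrable == brand:
            return ("lookalike registrable label (homoglyph/confusable)", brand)
        if any(brand in l for l in labels):
            return ("brand keyword embedded in hostname", brand)
        if SequenceMatcher(None, registrable, brand).ratio() >= threshold:
            return ("near-miss of brand label (typo)", brand)
    return None

def triage_feed(domains):
    """Run every observed domain through the classifier; keep only the hits."""
    return {d: r for d in domains if (r := classify_domain(d))}

# Constructed sample of newly observed domains, as a registrar or CT feed might deliver them.
SAMPLE_FEED = [
    "examplebank.com", "login.examplebank.com", "examp1ebank.com",
    "examplebank-secure-login.net", "exampelbank.com", "exampleb\u0430nk.com",
    "examplebank.com.verify-account.ru", "unrelatedshop.org",
]

if __name__ == "__main__":
    for d, (reason, brand) in triage_feed(SAMPLE_FEED).items():
        print(f"{d:40} {reason} -> investigate and report (brand: {brand})")
```

Each hit would then be confirmed by analyst review (is a credential form actually hosted there?) before a takedown request goes to the registrar, host or browser vendor, with the timestamps and case identifiers the evidence section below expects.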

Control objective

What auditing this proves

Demonstrate that the organization operates a documented and effective process for detecting, investigating, and reporting phishing pages that impersonate its brand, with evidence of active monitoring and takedown activity.

Associated risks

Risks this control addresses

  • Customers or partners disclose credentials or payment information on undetected phishing sites impersonating the organization
  • Brand reputation damage from prolonged exposure of fraudulent sites claiming to represent the organization
  • Delayed or no takedown of phishing infrastructure due to lack of detection or reporting procedures
  • Financial fraud or account takeover attacks succeed because phishing pages remain active and unmitigated
  • Regulatory penalties or litigation arising from failure to protect customers from known brand impersonation threats
  • Loss of customer trust and business impact when victims associate successful phishing attacks with the legitimate brand
  • Threat actors establish persistent phishing infrastructure due to absence of monitoring and enforcement actions

Testing procedure

How an auditor verifies this control

  1. Review the documented process for brand impersonation detection including monitoring scope, tools used, detection frequency, and responsible roles.
  2. Identify and inventory all monitoring tools, services, or threat intelligence feeds subscribed to for phishing and domain monitoring (e.g., domain registrar alerts, brand protection services, threat feeds).
  3. Examine configuration of monitoring tools to verify coverage includes the organization's registered trademarks, brand names, executive names, domain variations, and key product names.
  4. Select a sample of detected phishing incidents from the past 12 months and trace each through the detection-to-takedown lifecycle.
  5. Verify evidence that detected phishing pages were reported to appropriate parties (hosting providers, registrars, Anti-Phishing Working Group, browser vendors) with timestamps and case identifiers.
  6. Review metrics or dashboards showing detection counts, mean time to detect, mean time to takedown, and trending data over the review period.
  7. Interview personnel responsible for monitoring and reporting to confirm understanding of escalation procedures and communication with legal, customer support, and security operations teams.
  8. Test a live sample by submitting a known lookalike domain or suspicious URL to the monitoring process and observe detection, triage, and reporting workflow.

Evidence required

The auditor collects phishing detection process documentation, service agreements or subscription confirmations for brand monitoring tools, configuration screenshots showing monitored keywords and domains, and a representative sample of phishing incident records including detection timestamps, evidence of the fraudulent page, takedown requests submitted with recipient confirmation, and closure or takedown verification. Metrics reports, email threads with registrars or hosting providers, and workflow tickets from the past 12 months demonstrating operational execution are also collected.

Pass criteria

The control passes if a documented phishing detection process exists with active monitoring coverage of the organization's brand, evidence shows regular detection and reporting activity within the past 12 months, and sampled incidents demonstrate timely escalation and takedown requests to external parties.