Monitor for impersonation accounts on top platforms
Demonstrate that the organization actively monitors major online platforms for impersonation accounts and takes documented action to remove or flag fraudulent profiles mimicking organizational brands, executives, or official channels.
Description
What this control does
This control establishes a systematic process to identify and address fraudulent social media and online platform accounts that impersonate the organization, its brands, executives, or official representatives. Monitoring spans major platforms including Facebook, Twitter/X, LinkedIn, Instagram, TikTok, and relevant industry-specific forums or marketplaces. The control aims to detect phishing campaigns, fraudulent communications, brand abuse, and social engineering attacks that leverage perceived organizational legitimacy to target customers, partners, employees, or the public.
Control objective
What auditing this proves
The auditor establishes that the organization actively monitors the major online platforms for impersonation accounts, compares what it finds against its baseline of official accounts, and takes documented action to remove or flag fraudulent profiles mimicking organizational brands, executives, or official channels.
Associated risks
Risks this control addresses
- Attackers create fake executive or brand accounts to conduct spear-phishing or business email compromise attacks against employees, partners, or customers
- Fraudulent accounts solicit funds, credentials, or sensitive information from customers or the public under the guise of official organizational communications
- Impersonation accounts spread misinformation or damaging content that erodes brand trust and customer confidence
- Threat actors use fake organizational profiles to gain access to restricted groups, forums, or networks for reconnaissance or supply chain attacks
- Fake customer support accounts harvest customer credentials, financial data, or personally identifiable information through fraudulent assistance requests
- Undetected impersonation accounts persist for extended periods, amplifying damage and complicating incident response and public messaging
- Regulatory or contractual obligations related to brand protection and customer safety are not met, resulting in compliance violations or litigation
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's impersonation monitoring policy, procedures, or playbook that defines scope, frequency, platforms monitored, and escalation paths.
- Request the list of official organizational accounts, verified profiles, executive social media handles, and registered brand assets used as baseline for comparison.
- Examine documented monitoring schedules or subscription evidence for brand monitoring services, social media monitoring tools, or manual search protocols covering the past 12 months.
- Select a sample of three calendar months and review monitoring logs, search results, or platform reports that document impersonation detection activities.
- Trace at least three identified impersonation incidents from detection through reporting, platform takedown requests, or law enforcement escalation, verifying documentation at each stage.
- Verify that monitoring covers the organization's top five platforms by audience reach or business criticality, including both consumer and professional networks.
- Interview the responsible team or individual to assess knowledge of platform-specific reporting mechanisms, trademark enforcement tools, and verification badge processes.
- Confirm that monitoring results are reported to relevant stakeholders such as legal, communications, executive leadership, or cybersecurity incident response teams with documented evidence of escalation.
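The monitoring process in the description and the baseline of official handles that the testing procedure asks for can be turned into a repeatable triage step: every profile a monitoring tool or a manual search returns is compared against the baseline, and anything that is not official but resembles an official handle or carries a brand term goes into the monitoring log for a takedown decision. The following is an added example and is not part of this control or of any vendor's monitoring product; the organization "Acme Bank", its official handles, the discovered profiles, the homoglyph table and the similarity threshold are all constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed baseline for a hypothetical organization "Acme Bank": the list
# of official handles the testing procedure asks for, keyed by platform.
OFFICIAL_HANDLES = {
    "twitter": {"acmebank", "acmebank_help", "jane_doe_ceo"},
    "linkedin": {"acme-bank"},
}
# Brand terms; an unlisted handle containing one deserves review.
BRAND_TERMS = ("acme",)

# Characters attackers substitute for visually similar ASCII letters
# (illustrative, not exhaustive). Includes a few Cyrillic confusables:
# U+0430 a, U+0435 e, U+043E o, U+0441 c, U+0440 p, and dotless i U+0131.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",
    "\u0440": "p", "\u0131": "i",
}


def normalize(handle):
    """Fold case, apply NFKC, map homoglyphs to ASCII and drop separators
    (underscore, dot, hyphen) and invisible characters, so that lookalike
    spellings collapse onto one string."""
    folded = unicodedata.normalize("NFKC", handle).casefold()
    mapped = "".join(HOMOGLYPHS.get(ch, ch) for ch in folded)
    return "".join(ch for ch in mapped if ch.isalnum())


def assess_handle(platform, handle, official=OFFICIAL_HANDLES,
                  brand_terms=BRAND_TERMS, threshold=0.8):
    """Classify a discovered handle as 'official', 'suspect' or 'clear'.
    Returns (verdict, reason); the reason is what goes into the log."""
    baseline = official.get(platform, set())
    if handle.casefold() in baseline:
        return "official", "exact match to baseline"
    norm = normalize(handle)
    for known in sorted(baseline):
        known_norm = normalize(known)
        if norm == known_norm:
            return "suspect", f"lookalike of official handle {known}"
        score = SequenceMatcher(None, norm, known_norm).ratio()
        if score >= threshold:
            return "suspect", f"{score:.2f} similar to official handle {known}"
    if any(term in norm for term in brand_terms):
        return "suspect", "uses brand term but is not in the baseline"
    return "clear", "no resemblance to official handles"


def triage(discovered, official=OFFICIAL_HANDLES):
    """Run assess_handle over (platform, handle) pairs and return only the
    profiles that need a takedown decision, as log-ready records."""
    findings = []
    for platform, handle in discovered:
        verdict, reason = assess_handle(platform, handle, official)
        if verdict == "suspect":
            findings.append({"platform": platform, "handle": handle,
                             "reason": reason})
    return findings


if __name__ == "__main__":
    # Constructed search results, as a monitoring tool or a manual search
    # of the platform might return them.
    DISCOVERED = [
        ("twitter", "AcmeBank"),            # official, different case
        ("twitter", "acme_bank"),           # separator inserted
        ("twitter", "acmeb\u0430nk"),       # Cyrillic 'a' in place of Latin
        ("twitter", "acmebank_supp0rt"),    # fake support account
        ("twitter", "janedoe_ceo"),         # executive lookalike
        ("twitter", "weatherbot"),          # unrelated account
        ("linkedin", "acme-bank-careers"),  # brand term, not in baseline
    ]
    for finding in triage(DISCOVERED):
        print(f"{finding['platform']:9} {finding['handle']:20} {finding['reason']}")
```

The script only flags candidates; a person still confirms the profile is fraudulent and files the platform report, and both the verdict and the follow-up belong in the monitoring log the auditor samples. Folding digits to letters catches "supp0rt"-style substitutions but will also flag legitimate handles that contain numbers, so keep the threshold conservative and review the "clear" verdicts periodically for misses, just as the "suspect" ones are reviewed for false positives.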
Where this control is tested