Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a brand is impersonated through email or fake domains?

Accountability should be shared between security, marketing, and the business owner of the communication channel. Security owns the technical controls, marketing owns campaign governance, and leadership owns the risk decision to send branded messages at scale. If one team controls delivery but another owns reputation, the governance model is incomplete.

Why This Matters for Security Teams

Brand impersonation through email or fake domains is not just a communications problem. It is a trust, fraud, and incident response issue that can expose customers, partners, and employees to credential theft, payment redirection, or malware delivery. Accountability matters because the team that approves a message is rarely the same team that can detect a lookalike domain, enforce domain protections, or coordinate takedown actions. NIST SP 800-53 Rev 5 Security and Privacy Controls provides a useful baseline for assigning control ownership across access, monitoring, and response activities.

Where organisations fail is in assuming that brand ownership equals security ownership. Marketing may control templates and sending cadence, while security controls SPF, DKIM, DMARC, mailbox protection, and domain monitoring. Leadership then owns the risk decision when campaigns expand into new channels or regions. Without explicit accountability, impersonation incidents often become a blame exercise after the fake domain is already live and the first phishing message has already reached targets. In practice, many security teams encounter this only after customers have been deceived, rather than through intentional cross-functional governance.

How It Works in Practice

Accountability works best when it is mapped to the full lifecycle of branded communications, from domain registration through message delivery and post-incident response. Security teams should own the defensive controls: approved domain inventory, DNS monitoring, email authentication, registrar lock settings, and detection for lookalike domains. Marketing should own the content and campaign approval process, including who can request new domains, who can send from them, and how third-party agencies are governed. Business leadership should approve the acceptable level of residual risk, especially where brand reach is tied to revenue or customer onboarding.

In mature environments, this is documented in a RACI or equivalent control ownership model. The practical questions are straightforward:

  • Who can register, delegate, or retire a branded domain?
  • Who approves external agencies, ESPs, and landing pages?
  • Who receives alerts when a lookalike domain is detected?
  • Who can trigger takedown, customer notice, or incident escalation?
  • Who signs off on exceptions when a campaign bypasses standard controls?

For email, the technical baseline should include SPF, DKIM, and DMARC enforcement, aligned to monitoring and response processes described in guidance from CISA guidance on avoiding social engineering and phishing attacks. For domains, ownership should include registrar protections, renewal governance, and continuous monitoring of similar registrations. For risk and control mapping, teams can use MITRE ATT&CK to structure detection and response around phishing and credential abuse paths. These controls tend to break down when marketing teams can register or launch domains outside the security review process because the monitoring and takedown path is no longer reliable.

Common Variations and Edge Cases

Tighter brand protection often increases process overhead, requiring organisations to balance campaign speed against approval rigor. That tradeoff becomes sharper when a business runs frequent launches, localised campaigns, or partner-led communications across many jurisdictions.

There is no universal standard for this yet, but current guidance suggests accountability should shift based on control point, not just title. If a third-party agency operates a campaign, the brand owner still retains governance responsibility, while the agency may hold operational accountability under contract. If an impersonation incident involves customer data, privacy and incident notification duties may also extend to legal, compliance, and regional leadership. Where fake domains are used for credential harvesting, the issue may overlap with identity compromise and session hijacking, which strengthens the case for centralised detection and escalation.

Teams should also treat executive or high-value impersonation differently from ordinary phishing. The risk is higher when the impersonated brand is tied to payments, onboarding, KYC, or customer support. In those cases, accountability should be preassigned for takedown requests, fraud review, and public communications. For organisations operating in regulated markets, mapping those responsibilities to incident response practices and privacy and trust governance helps prevent gaps between technical containment and business notification. The hardest edge case is when a subsidiary, franchisee, or partner launches branded communications without a shared control model, because no single owner sees the full impersonation risk until damage is already distributed across channels.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OC-1 Brand impersonation needs clear organisational accountability and mission context.
MITRE ATT&CK T1566 Phishing is the main abuse path for impersonated brands and fake domains.

Define who owns branded communication risk and map it into governance and risk registers.