Tony Kirsch is the commercial director and cofounder of the Brand Safety Alliance (a GoDaddy Registry Initiative).

getty
Imagine, for a moment, a boutique pet supply brand. It sells leashes, collars and pet wipes, among other items, online. Since its launch three years ago, it’s cultivated a moderate but loyal customer base.
One day, a bad actor creates a lookalike domain that looks virtually identical to the company’s, but with one small change that only the most attentive would see—for example, a different web extension to the company's legitimate site or something more sinister, such as a hyphen or a different character or letter that looks confusingly similar. Customers, new and old, end up on that lookalike website. Many place orders. They wait for a week or two, and the orders never arrive in the mail. Worse, suspicious charges start popping up on their credit cards. Several call the company in a panic. By the time the company’s leaders find out they’ve been subject to domain abuse, it’s too late. They’ve lost the trust of those customers.
This is a scenario that may not make the news because of the size of the company, but one I’ve observed happen to many SMBs.
These days, it’s not just large companies that have to worry about brand protection and domain abuse (which is a form of cyberattack). SMBs are increasingly at risk. Consider a 2024 study, commissioned by ConnectWise and carried out by Vanson Bourne, that examined cyberattacks as a whole. It found that “94% of SMBs have experienced at least one cyberattack, a dramatic rise from 64% in 2019.”
Meanwhile, in my experience, many SMBs lack the necessary monitoring and legal structures to proactively identify potential domain attacks and react quickly if they do occur. When leaders of SMBs take longer to detect and respond to domain abuse, malicious actors can inflict more damage—damage that can have long-lasting consequences, such as financial and reputational setbacks.
Who Domain Abuse And Other Attacks Have Historically Targeted—And Why That’s Changed
Historically, it made sense for bad actors to focus on larger corporations for domain abuse and other attacks because of the potential for significant returns. There was simply more money to be made from targeting large, visible brands, considering the effort that went into designing and orchestrating attacks.
But modern AI-led attack methods, such as automation, templated campaigns and low-cost bulk domain registrations, have lowered the barrier to entry for threat actors, enabling them to operate at a massive scale and target a broader pool of organizations than before.
Moreover, according to research conducted by Microsoft Security in 2024, “Remote work, personal device use, and a lack of employee security training are escalating cybersecurity vulnerabilities for SMBs.” On top of that, as I mentioned earlier, I’ve found that many SMBs don’t have the necessary resources in place to identify and combat attacks. An SMB such as a small e-commerce company or accounting firm may not have the same expertise, budget or infrastructure as a Fortune 500 to quickly detect and respond to domain abuse threats.
Together, the combination of modern attack methods, SMB’s cybersecurity vulnerabilities and SMB’s lack of necessary resources creates the perfect storm for malicious actors to launch domain attacks, such as generating convincing lookalike sites, phishing content and hacks at a scale that was previously difficult to achieve.
What’s At Stake If SMBs Don’t Strategically Navigate Brand Protection
If SMB leaders don’t strategically navigate brand protection, they put their businesses at risk in several big ways.
For one, due to their size, SMBs are arguably better able to cultivate closer relationships with their customers than larger corporations, meaning the reputation damage that occurs after a domain attack can be more severe.
Think about this way: If your TV manufacturer’s website was hacked, it probably wouldn’t stop you from purchasing another TV from them. But if your local CPA firm’s website was hacked, you might feel more hesitant to do business with them. A damaged reputation could lead to customers parting ways with SMBs, as noted in VikingCloud’s “2025 SMB Threat Landscape Report.”
That’s not the only way SMBs can lose money in light of an attack—the VikingCloud report also explained that they could face legal costs and regulatory fines, and that “operational disruptions” can cause “lost sales.”
Moreover, IBM’s 2025 “Cost of a Data Breach Report” found that worldwide, the average cost of a data breach was $4.44 million. But for many SMBs, far less than that amount could cause them to close their doors. The VikingCloud report uncovered that by only suffering $50,000 “in financial impact from a cyberattack,” 55% “of SMBs would go out of business.” Those reports weren't focused on domain abuse specifically, but in my experience, the financial stakes they describe can similarly apply.
Why A Proactive, Scalable Approach To Brand Protection Is Vital
Reactive approaches, such as legal action after a domain attack has occurred and reporting phishing sites, can only do so much to mitigate damages. If, for instance, hundreds of customers have already lost money from a fraudulent site impersonating a brand, the company pulling the fraudulent site down doesn’t fix the resulting reputational damage, financial strain and potential legal consequences.
Traditional approaches, such as manual domain monitoring and manual takedown requests, can be difficult to scale. For instance, manual domain monitoring requires someone on the team to constantly watch out for newly registered domains that resemble the brand’s—a time-consuming process that can be challenging for stakeholders to manage. Defensive registration, the practice of buying domains that resemble a brand before bad actors can, can be tough to scale, especially if a brand has various product names, sub-brands and subsidiaries (when you multiply them, there are too many combinations to register, pay for and renew individually annually).
A proactive, scalable approach to brand protection is vital. Instead of SMB leaders enforcing their rights after abuse happens, they should focus on reducing their exposure before abuse occurs through scalable, accessible, affordable approaches that block malicious actors. Some examples of proactive, scalable strategies include leveraging automated early detection systems and, an emerging practice that my organization focuses on, domain blocking. Domain blocking excludes names that are similar to a brand at the domain registry level so that they can’t be registered in the first place, closing off that avenue for malicious actors.
Domain attacks against SMBs don’t always make the news. But domain attacks can devastate SMBs nonetheless. Of course, there is no way to reduce the risk of domain attacks to zero. But there is a way to minimize the risk. By embracing a proactive, scalable approach to brand protection, leaders of SMBs can safeguard the futures of their companies.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

2 hours ago
5













English (US)