Security Topic
Scam Watch
Pattern tracking for impersonation campaigns and fake-access narratives.
Threat Focus
Method v1.2 · Reviewed 2026-02-10
Track recurrent impersonation narratives, fake access pages, and cloned brand-support messages.
Operating context: This track is optimized for early detection and public warning before impersonation campaigns scale.
Active Signal Matrix
| Signal | Severity | Detection Source |
|---|---|---|
| Brand-like domains with typo variants | high | Domain watchlist and lexical similarity checks |
| Unverified support handles asking for off-platform payment | critical | Community reports and manual moderation |
| Copy-pasted brand pages with altered destination links | high | Visual diffing and route inspection |
| Urgency-driven messages around access loss or account freeze | medium | Message pattern classifier |
| Sudden spike in clone pages using shared hosting blocks | high | Infrastructure fingerprint clustering |
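
The lexical similarity check named in the first row of the matrix, as an added example that is not part of the original page: it folds look-alike characters, then scores a reported domain against a watchlist using an edit distance that counts adjacent transpositions. The brand `examplebank.com`, the fold table, and the distance threshold of 2 are constructed assumptions.

```python
import unicodedata

# Constructed watchlist: official domains for a fictional brand.
OFFICIAL = {"examplebank.com"}
# Assumed look-alike folds; not exhaustive, and no cross-script homoglyphs.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(label):
    """Strip accents and fold common look-alike characters and digraphs."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance with insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours cost 1
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def label_of(domain):
    """Naive registrable label: ignores multi-part suffixes such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]

def classify(domain, official=OFFICIAL, max_distance=2):
    """Return (verdict, closest_official_domain, distance) for a reported domain."""
    name = domain.lower().rstrip(".")
    if name in official:
        return ("official", name, 0)
    label = normalize(label_of(name))
    dist, best = min((osa_distance(label, normalize(label_of(o))), o) for o in official)
    brand = normalize(label_of(best))
    if dist == 0:
        return ("lookalike", best, 0)           # same label after folding, or other TLD
    if brand in label:
        return ("brand-embedded", best, dist)   # brand plus extra words, e.g. "-support"
    if dist <= max_distance:
        return ("typo-variant", best, dist)
    return ("no-match", best, dist)
```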
Triage Workflow
1. Capture initial report with URL, screenshot, and timestamp.
2. Run domain and certificate checks to classify likelihood.
3. Cross-match with existing scam signatures and known clusters.
4. Mark confidence and assign response owner.
5. Publish warning note if confidence passes threshold.
Verification Checklist
- Domain registration timestamp and registrar pattern
- TLS certificate issuer and validity path
- Similarity score against official brand routes
- Presence of off-platform payment requests
- Archived evidence package for traceability
Response Playbook
- Flag incident in watch channel and notify monitoring owner.
- Add domain and content fingerprints to blocklist.
- Push user-facing warning with safe-access guidance.
- Escalate takedown requests to host/registrar when applicable.
- Re-check after takedown window to confirm suppression.
Response SLA
- Acknowledgment: < 30 minutes
- Triage: < 2 hours
- Containment: < 6 hours
- Public Notice: < 4 hours for high-confidence cases
Common Mistakes
- Publishing warnings without evidence bundle references.
- Delaying notice until legal paperwork is complete.
- Treating cloned social profiles as low-impact noise.