| TL;DR Three distinct attacks now corrupt what AI answers say about your brand: impersonation (lookalike domains, fake profiles, cloned support channels), synthetic media (deepfaked founders, voice-cloned approvals, fabricated testimonials) and fake citations (models inventing sources and quotes attributed to you, or adversaries planting fabricated “sources” that models then repeat as fact). All three target the same thing — the entity the systems hold for your brand — and the damage is instant and invisible, stated as fact in a one-shot answer with no search results page to inspect. This guide gives UK brand owners a threat map, a Monday-morning monitoring net, response playbooks for each attack class, a pre-emptive hardening checklist, and the specific UK reporting and legal levers (Online Safety Act, ICO, Action Fraud, UK IPO, Nominet, Companies House) that actually move the needle. |
For most of the search era, an attack on your brand left fingerprints you could see. A scraped page appeared in the index; a fake review sat on a profile you could open; a typosquatting domain showed up in a backlink report. You could point at the thing and dispute it. That visibility is precisely what large language models have removed. When ChatGPT, Gemini, Perplexity or Google’s AI surfaces describe your company, they compress everything they have read into a single confident paragraph — and they do not show their working. If that paragraph contains an impersonator’s phone number, a fabricated statistic, or a quote your founder never gave, the user has no SERP to scroll, no second result to compare, and no obvious reason to doubt it.
That is the shift this article addresses. The job is no longer only to defend your website or your link profile; it is to defend the entity — the machine-readable representation of your brand that search engines and language models assemble from the whole web and then speak from. We have argued elsewhere that the metric that now matters is entity authority rather than domain rating, and that classic dashboards quietly stopped describing reality. Brand-safety in AI answers is the defensive face of that same coin: if entity authority is what you build, entity integrity is what you protect.
1. The three-headed threat — and a map to keep them straight
The single most common mistake UK teams make here is treating “brand impersonation in AI” as one problem with one fix. It is three problems with three mechanisms, three detection signals and three owners. Conflating them is how you end up spending a fortnight on a trademark complaint when the actual issue was a hallucinated source that a content update would have corrected in days. It is also how the wrong person ends up holding the incident: legal chasing a model defect, or a content editor chasing a criminal impersonation that belongs with fraud reporting and platform security. Start by naming the categories precisely, because the name dictates the owner, and the owner dictates the speed.
Impersonation
Someone pretends to be you. In practice this spans typosquatted and lookalike domains (the classic .uk registered against your .co.uk, or a hyphenated near-match), cloned websites that copy your branding wholesale, fake social and “support” accounts, fraudulent marketplace and directory listings, and — increasingly — chatbots and agents that claim to act on your behalf. The AI-era twist is that an answer engine or agentic browser may surface, link or transact with an impersonator’s property as though it were the genuine article, because the impersonator engineered exactly the structured, crawlable signals the system trusts.
Deepfakes and synthetic media
AI-generated video, audio or imagery of your founders, executives or brand — a fabricated “investment opportunity” fronted by a cloned CEO, a voice-cloned approval used to authorise a payment (the modern face of business email compromise), a synthetic testimonial, or manipulated footage designed to embarrass. These rarely live on your own estate; they spread on social platforms and ad networks, and they can then feed the corroboration layer models read. The UK’s National Cyber Security Centre has repeatedly flagged AI-enabled impersonation and voice cloning as a fast-rising fraud vector, and the realistic posture is to assume capability is now cheap and accessible rather than exotic.
Fake citations
Two flavours that look identical to the victim but need opposite fixes. The first is hallucination: the model invents a source, statistic, quote or URL and attributes it to you — a study “by” your company that does not exist, a fabricated figure presented as your data, a citation to a page you never published. The second is planted misinformation: an adversary seeds fabricated “sources” — fake press, manufactured reviews, doctored claims — that models ingest and then repeat as established fact. The first is a model defect you correct by strengthening the authoritative record; the second is an attack you fight at the source, the same way you would fight the content-layer tactics covered in our guide to detecting and defending against negative SEO.
The map below is the deliverable to pin above your desk. It is deliberately built so that the first column tells you which of the three you are looking at, and the rest of the row tells you who owns it and what to do first.
| Attack class | What it looks like | Primary detection signal | First action / owner |
| Impersonation — domains | Lookalike / typosquat domains, cloned sites | Domain-registration & certificate-transparency monitoring; brand-name alerts | Evidence capture → registrar/host abuse report → Nominet DRS or UDRP (SEO/Legal) |
| Impersonation — profiles | Fake social, support, marketplace or directory accounts | Social listening on brand + misspellings; marketplace sweeps | Platform impersonation report via verified route (Brand/Social) |
| Synthetic media | Deepfaked exec video/audio, fake endorsements, voice-clone vishing | Reverse image/video monitoring; reports from staff, press, customers | Preserve evidence → platform takedown → NCSC/Action Fraud → public statement (Comms/Security) |
| Fake citation — hallucination | Invented stats, quotes or URLs attributed to you in AI answers | Scheduled prompt-library testing across engines | Strengthen canonical fact source → platform feedback (SEO/Content) |
| Fake citation — planted | Fabricated press/reviews seeded to mislead models | Brand monitoring + AI-answer monitoring divergence | Remove at source → outweigh with corroboration (PR/SEO) |
Keep this taxonomy in front of every incident. The detection net in Section 3 and the response playbooks in Section 4 are organised around exactly these five rows.
2. Why the entity — not the website — is the real target
To defend the right thing, you have to understand what these three attacks have in common. They do not, fundamentally, attack your pages. They attack the node that search engines and language models hold for your brand: the resolved entity in Google’s Knowledge Graph, the representation baked into a model’s training, and the freshly retrieved corpus an engine assembles when someone asks about you. That node is built from everything the web says — not only from what you publish — which is exactly why an outsider can poison it.
Three properties of the entity layer make it uniquely vulnerable. First, attribution collapses: a model speaks in one voice, so an impersonator’s claim and your own copy arrive at the user with identical authority. Second, corroboration is mechanical: models weight things many independent sources appear to agree on, so a handful of planted “sources” can manufacture false consensus — the same dynamic that makes genuine listicle and round-up placements so powerful, working in reverse. Third, the failure is silent: there is no ranking drop to alert you, no manual action, no email. The first you hear of it is a customer who tried the wrong number or an investor asking about a scheme you never ran.
This is why the defensive playbook borrows so heavily from entity SEO. The work that makes your brand legible to machines — a clean, unambiguous entity with consistent naming, a strong sameAs graph of verified profiles, and a documented canonical record — is the same work that makes impersonation easy to expose and fabrication easy to refute. A brand the systems already resolve cleanly is one a model is less likely to confuse with a lookalike in the first place, a point we made about purchase journeys in how AI engines decide which brands to recommend. Recognition is not just a visibility asset; it is a security asset.
| The asymmetry that should shape your budget Leverage is highest before the false signal is absorbed, not after. Once a fabricated claim has propagated across enough sources to enter a model’s retrieved corpus — or worse, its training data — you are no longer correcting a page; you are arguing with a prior. That asymmetry argues for building entity integrity early and monitoring continuously, even when nothing is wrong, precisely so you can act inside the window where a fix is cheap. |
An anonymised composite: how the three attacks chain together
Consider a mid-size UK financial-education brand — anonymised here, but assembled from a pattern that recurs. It began with a single lookalike domain, a hyphenated near-match of the real .co.uk, registered quietly and left dormant. Nothing alerted the team, because the site held no content and ranked for nothing. Six weeks later the same registrant published a near-perfect clone of the brand’s homepage, complete with logo, copy and a “support” chat widget. Within days, a deepfaked video of the founder — lifted from a genuine conference talk and re-voiced — began circulating in paid social ads, promising guaranteed returns and linking to the clone. Customers who searched the brand name in an AI assistant started receiving answers that, on some runs, surfaced the clone’s contact details as though they were official.
The team’s first instinct was to treat it as one emergency and reach for a solicitor. The faster resolution came from running the threat map. The dormant domain was an impersonation-domain problem solved through a registrar abuse report and, when that stalled, a Nominet dispute backed by the brand’s registered trademark. The deepfake ads were a synthetic-media problem routed through platform takedowns under their impersonation policies, an Action Fraud report for the investment scam, and a dated disavowal published on the brand’s entity home. The AI answers surfacing the wrong contact details were a fake-citation problem fixed not by arguing with the model but by publishing an unambiguous “official channels” page, marking it up cleanly, and reporting the specific wrong answer through each engine’s feedback route.
Two lessons sit inside that composite. First, the attacks chained — the domain enabled the clone, the clone gave the deepfake somewhere to point, and the whole cluster polluted what the AI assistants retrieved — so partial responses left the chain intact. Second, the single thing that would have compressed the entire episode was monitoring the certificate-transparency feed, which would have caught the dormant domain at registration, weeks before any content went live and long before a customer was ever harmed. The brands that handle these incidents calmly are the ones watching the earliest signal, not the loudest one.
3. The detection net: a Monday-morning monitoring system
You cannot defend an entity you are not watching, and the silent-failure problem means you cannot wait for symptoms. The good news is that a credible monitoring net is mostly assembled from tools you either already have or can stand up cheaply; the discipline is in running it on a fixed cadence rather than reactively. The net has five strands.
Strand 1 — Name and lookalike surveillance
Set standing alerts on your brand name, your founders’ names, your product names and the obvious misspellings and hyphenations. This is the cheapest strand and catches scraped content, impersonation sites and reputation campaigns within hours, as we noted in the monitoring section of the negative SEO defence guide. Pair free alerting with a periodic manual sweep of the marketplaces and directories relevant to your sector, because automated alerts routinely miss listings inside walled platforms.
Strand 2 — Domain and certificate monitoring
Lookalike domains are the connective tissue of impersonation and many deepfake scams, because the fraud needs a plausible landing page. Watch for newly registered domains that resemble yours, and — the move most UK teams miss — watch certificate-transparency logs, which publish a near-real-time feed of new TLS certificates and therefore surface lookalike domains the moment they are stood up, often before any content is live. For the structural reason this matters, recall that search systems treat subdomains and URL variants as separate entities entirely; an impersonator exploits exactly that machine literalism.
Strand 3 — Visual and synthetic-media monitoring
Run periodic reverse-image and reverse-video checks on your founders’ headshots, your logo and your most recognisable brand assets, and make it trivially easy for staff, customers and journalists to report suspected fakes to one named inbox. Most deepfakes are surfaced by a human who senses something is off long before any tool flags it, so the reporting route is as important as the technology.
Strand 4 — Scheduled AI-answer testing
This is the strand unique to 2026 and the one almost no UK brand runs systematically. Build a fixed library of 15–30 prompts a real person would ask about you — “is [brand] legitimate”, “what is [brand]’s refund policy”, “who founded [brand]”, “[brand] statistics 2026”, “[brand] support number” — and run them on a schedule across ChatGPT, Gemini, Perplexity and Google’s AI surfaces. Log three things every time: was a claim about you fabricated, was a source invented, and was an impersonator surfaced. Because AI answers are non-deterministic, treat a single odd answer as noise and a fabrication that recurs across several runs and days as actionable — the same three-day discipline we set out for diagnosing why a brand stops getting cited.
Strand 5 — Review and server-log watch
Monitor your review profiles for the signature of a coordinated campaign — a spike in one-star reviews inside a short window with no operational change behind it — and review server logs for unusual crawl patterns and suspicious user-agents that betray scraping or cloning. Both feed the corroboration layer models read, so both belong in the net.
Assemble those strands into a fixed weekly and monthly rhythm. The checklist below is the operational deliverable — a programme you can hand to one owner and run from this week.
| The brand-entity monitoring checklist (run weekly unless noted) 1. Brand + founder + product name alerts reviewed; misspellings included. 2. Certificate-transparency and new-domain feed scanned for lookalikes; log every match with a screenshot and WHOIS snapshot. 3. Reverse-image/video sweep of founder headshots, logo and key assets (fortnightly acceptable for smaller teams). 4. Fixed AI-prompt library run across four engines; fabrications, invented sources and surfaced impersonators logged with the date and a screenshot. 5. Review profiles checked for one-star spikes without operational cause. 6. Server logs scanned for scraper user-agents and clone-pattern crawling. 7. Monthly: marketplace and directory sweep for fraudulent listings; reconcile the impersonation register and close resolved items. |
4. Response playbooks: what to do the moment you confirm an attack
Detection without a rehearsed response wastes the window where action is cheap. Each playbook below assumes you have already captured evidence — dated screenshots, URLs, WHOIS records, archived copies — because every takedown and legal route depends on a clean evidence trail, and platforms routinely reject reports that lack it. Capture first, act second, always.
Playbook A — Impersonation (domains and cloned sites)
- Document and archive. Screenshot the impersonating property, save the full URL, capture WHOIS/registrant data and store an archived copy with a timestamp.
- Hit the host and registrar. File an abuse report with the hosting provider and registrar; phishing and brand-impersonation clones are usually a clear terms-of-service breach and this is frequently the fastest route to removal.
- Use the dispute system that fits the TLD. For .uk domains, Nominet’s Dispute Resolution Service offers a structured, relatively low-cost route where you hold rights in the name; for generic TLDs, the UDRP is the equivalent. Both reward documented prior rights, which is why the trademark groundwork in Section 5 matters.
- Escalate to trademark and fraud reporting. If you hold a registered trademark, the UK Intellectual Property Office route strengthens enforcement; report financial fraud to Action Fraud and, for live phishing, use the NCSC’s reporting service.
Playbook B — Impersonation (fake profiles and support accounts)
Every major platform now offers an impersonation-specific report, and verified or official accounts are processed faster. The practical levers: report through the platform’s dedicated impersonation flow rather than generic “spam”; claim and verify your own official presence on every platform that offers it (an unclaimed profile is an open door); and publish, on your own site, a definitive list of your genuine channels so customers — and the models reading your site — have an authoritative reference to check against. That published list is also a quiet entity signal: it tells the systems which accounts are really yours.
Playbook C — Synthetic media (deepfakes and voice clones)
- Preserve and assess. Archive the media and the posting account before reporting (content often vanishes once reported). Decide quickly whether this is reputational, fraud-enabling, or both — the routing differs.
- Report to the platform under its synthetic-media and impersonation policies. Under the UK’s Online Safety Act, in-scope platforms carry duties around illegal content including fraud, and Ofcom oversees enforcement — cite the relevant policy explicitly in your report.
- Report the fraud and cyber dimension. Use Action Fraud for financial-scam deepfakes and the NCSC for the cyber-incident dimension; if the deepfake misuses personal data of an identifiable individual, the ICO route may also apply.
- Control the narrative on your entity home. Publish a clear, dated statement on your canonical brand page disavowing the content and listing your genuine channels. This is the corrective source models can later retrieve — silence leaves the fake as the only signal.
- Take legal advice on defamation and IP. Where a deepfake is defamatory or misuses your IP, a solicitor’s letter and formal action may be warranted. This article is not legal advice; treat the legal route as a parallel track, not a substitute for fast platform action.
Playbook D — Fake citations (hallucinations)
When a model invents a statistic, quote or URL attributed to you, the instinct to “demand a correction” mostly fails, because there is no editor to email and the output is regenerated fresh each time. The durable fix is to make the truth the easiest thing for the model to retrieve. Publish an unambiguous, well-structured canonical page stating the real figure, the real policy or the real history, mark it up clearly, and ensure it is crawlable. Strengthen the corroboration around it so independent sources agree. Use each engine’s feedback mechanism to flag the specific fabrication. This is the same logic as our AI citation recovery playbook: diagnose whether the problem is a model defect or a missing authoritative source, then feed the gap rather than shouting into it.
Playbook E — Fake citations (planted misinformation)
Planted misinformation is an attack, not a defect, so fight it at the source. Pursue removal of the fabricated press, reviews or claims through the host platform’s abuse and defamation routes, and where the planted material breaches advertising rules — a fake “endorsement” ad, say — the Advertising Standards Authority route applies. In parallel, outweigh the false consensus with genuine corroboration: authoritative coverage, accurate third-party references and a strong sameAs graph all dilute the planted signal’s share of what models read. You are doing entity SEO under fire — the offensive and defensive toolkits are the same.
Five mistakes that turn a manageable incident into a crisis
- Treating all three attacks as one. The most expensive error: routing a hallucinated citation to a trademark lawyer, or a planted-misinformation campaign to an engine’s feedback box. Classify against the threat map first, every time.
- Reporting before capturing evidence. Content disappears the moment it is reported. Without a dated, archived record, your dispute, takedown and fraud report all weaken — and you lose the ability to prove a pattern.
- Acting on a single AI answer. Answers are non-deterministic; one odd response is noise. Chasing it wastes effort and can mean missing the recurring fabrication that actually matters.
- Leaving official surfaces unclaimed. An unclaimed Knowledge Panel, social profile or marketplace listing is the cheapest thing an impersonator can occupy. Claiming them is both prevention and faster recourse.
- Going silent during a deepfake. If you publish nothing, the fake is the only signal the web — and the models — can read. A dated disavowal on your entity home is the corrective source they retrieve later.
5. Pre-emptive hardening: make your entity hard to fake
Everything above is reactive. The higher-leverage work is making impersonation and fabrication structurally harder before any attack lands. Five measures do most of the work, and a brand that has done them resolves so cleanly that fakes stand out by contrast.
Build and own an entity home
Designate one canonical page — typically an “About” or company page — as the authoritative record of who you are: legal name, founding facts, leadership, official channels and verified contact details. Mark it up with Organization structured data, following Google’s organisation markup guidance, and populate the sameAs property with the URLs of every verified profile you control. This single page becomes the reference both humans and models check a suspect claim against — and the more cleanly it resolves, the less room a lookalike has to occupy your name.
Consistency is a security control
Inconsistent naming, addresses and details across the web fragment your entity and create the ambiguity impersonators exploit. Standardise your name, registered address and contact details everywhere they appear, and reconcile them against your Companies House record. The same consistency that consolidates entity authority also denies an attacker the gaps they need to insert a near-match.
Claim every verifiable surface
Pursue a Google Knowledge Panel and, once you hold one, verify it so you can flag inaccuracies through the official channel. Claim and verify your profiles on every platform that supports verification. An unclaimed Knowledge Panel or social profile is the single easiest thing for an impersonator to exploit, because they fill the vacuum you left.
Register defensively
Register the obvious lookalike domains yourself — common misspellings, the alternate TLDs around your primary (.uk against .co.uk and vice versa), hyphenated variants. It is far cheaper to own them pre-emptively than to recover them through a dispute after a phishing clone has already harmed customers. Extend the same thinking to founder name handles on major platforms.
Provenance for your own media
As synthetic media spreads, the ability to prove a piece of content genuinely came from you becomes a defensive asset. Adopting content-provenance standards — the C2PA “content credentials” approach — for your official video and imagery gives you a verifiable signal of authenticity, which both shortens disputes and gives journalists and platforms a fast way to confirm what is real when a fake circulates.
| How hardening feeds visibility None of this is purely defensive. A clean entity home, consistent naming, a verified Knowledge Panel and a rich sameAs graph are the same signals that earn you citations and recommendations in the first place — the link between entity strength and AI visibility we documented in what the AI Overviews data actually shows. You are buying security and visibility with one budget. |
6. The UK reporting and legal levers that actually work
UK brands have a more developed set of levers than most teams realise, and knowing which body owns which problem saves weeks. None of the below is legal advice — take advice on anything contentious — but this is the routing map.
| Body / instrument | Use it for | Practical note |
| Action Fraud | Financial fraud: phishing clones, deepfake investment scams, payment fraud | The UK’s central fraud-reporting point; report even when recovery is unlikely, as it feeds intelligence. |
| NCSC | Cyber incidents: live phishing sites, malicious lookalike infrastructure | Offers a suspicious-content reporting service and guidance on AI-enabled impersonation. |
| ICO | Misuse of personal data, including deepfakes of identifiable people | Relevant where personal data of staff or customers is processed unlawfully. |
| UK IPO / trademark | Brand-name and logo misuse; underpins domain disputes | A registered mark materially strengthens Nominet DRS and UDRP cases. |
| Nominet DRS | Abusive .uk domain registrations | Structured, lower-cost alternative to litigation for .uk lookalikes. |
| Companies House | Fraudulent or confusingly similar company registrations | Report misuse of your name; reforms have tightened identity requirements. |
| ASA | Misleading ads using your brand or fake endorsements | Applies to advertising claims, including deepfake-fronted promotions. |
| Online Safety Act / Ofcom | Illegal content (incl. fraud) on in-scope platforms | Cite specific platform duties in takedown requests; Ofcom oversees enforcement. |
The pattern to internalise: report to the body that owns the harm and pursue the platform takedown in parallel, because regulators move on systemic patterns while platforms move on individual content. Running both tracks at once is how you compress the window in which a fake is doing damage.
7. Measuring entity integrity over time
Brand-safety work fails quietly when it is run as a series of one-off fire drills with no trend behind them. Convert the monitoring net into a small, honest scorecard you review monthly, so you can tell your board whether the picture is improving and so you catch slow erosion before it becomes a crisis.
- Fabrication rate. Across your fixed prompt library, the share of runs that contain an invented source, statistic or quote about you. The single most direct read on citation integrity; track the trend, not any one run.
- Impersonation register. Count of live lookalike domains and fake profiles at month-end, plus median time from detection to takedown. Falling counts and shrinking takedown times are the headline numbers.
- Entity-resolution health. Whether your Knowledge Panel is present, accurate and claimed, and whether your name resolves cleanly without confusion — the recognition checks from our entity authority scorecard.
- Channel-truth coverage. Whether your published list of official channels and your sameAs graph are complete and current, so the authoritative reference is never out of date.
Run the same instrument every month and the value is the trajectory, not any single figure. A fabrication rate trending towards zero, an impersonation register that empties faster than it fills, and a clean, claimed entity together describe a brand whose integrity is under control — which, in an answer-engine world, is fast becoming as load-bearing as the rankings themselves.
Frequently asked questions
How is “brand impersonation in AI” different from old-fashioned impersonation?
The mechanism is similar; the visibility is not. A traditional fake left an artefact you could point at and dispute. An AI answer compresses everything into one confident paragraph with no visible sources, so an impersonator’s details or a fabricated claim reach the user with the same authority as your own — and with no obvious prompt to doubt them. The defence therefore shifts from policing pages to protecting the entity the systems speak from.
Can I force ChatGPT or Gemini to stop saying something false about my brand?
Not directly, and chasing a “correction” usually fails because output is regenerated each time. The reliable route is to make the truth the easiest thing to retrieve — a clear, marked-up canonical source, strong corroboration around it, and the engine’s own feedback mechanism for the specific fabrication. Diagnose first whether you are dealing with a hallucination or planted misinformation, because the fixes diverge.
We’re a small UK business — what is the minimum viable version of this?
Three things this week: set brand and founder name alerts including misspellings; run a 15-prompt AI-answer test across the major engines and log anything fabricated; and build a proper entity home with organisation markup and a published list of your official channels. That trio covers detection and the most important hardening at near-zero cost.
Is deepfake protection really a link builder’s job?
The takedown and legal routes are not, but the entity hardening that makes deepfakes easy to disprove — a verified channel list, a strong sameAs graph, content provenance and a clean Knowledge Panel — sits squarely in the entity-SEO and digital-PR remit. As with AI recommendations generally, the brand-safety toolkit turns out to be the entity-authority toolkit pointed at a defensive target.
How often should we run the AI-answer prompt library?
Weekly for the core library if you are an at-risk or high-profile brand, monthly as a baseline otherwise, and immediately after any incident or major model update. Because answers are non-deterministic, never act on a single odd response — require a fabrication to recur across several runs and days before treating it as real.
Does the Online Safety Act actually help with deepfakes of my brand?
Indirectly but meaningfully. The Act places duties on in-scope platforms around illegal content, including fraud, and Ofcom oversees enforcement — so citing the relevant platform duty explicitly in a takedown request carries more weight than a generic complaint. It does not give you a direct button to delete a fake, and it is aimed at platforms rather than individual brands, so treat it as one lever among several: pair the platform route with Action Fraud or NCSC reporting for the fraud dimension, the ICO route where personal data is misused, and a dated public disavowal on your own entity home. The Act sharpens the platform conversation; it does not replace the parallel tracks.
