Would you count "brand impersonation attacks" as a security incident in your reporting?

As per the subject line... curious to hear if there's practitioners out there that consider things like brand spoofing / impersonation as a security incident in the stats you report.

A broader question even: how does one distinguish a security incident **vs** others getting scammed because of hackers impersonating your company's brand **vs** vendor software update that causes a data exposure.

attacks brand brand impersonation cybersecurity impersonation impersonation attacks incident question report reporting security security incident spoofing stats things