Congratulations on Your New Business – We Need to Talk

With the passing of the one-year anniversary of the entire world beginning to primarily do business online, many of us in the Internet Infrastructure community have had a wish granted:

that businesses big and small would take their cue from big brands and set up shop online. The wish wasn’t just that businesses of all sizes would get online en masse, but that they would do so by using their own secure websites as the platform. It wouldn’t hurt if they had a great, niche-specific domain name, either. The pandemic is an awful way to get a wish, of any sort, but here we are. And now that we’ve gotten what we want, as a community, we need to do some maintenance.

As we all know too well, doing business online comes with its own set of security issues, but our customers may not really understand what that means in a practical way. Most owners of brick-and-mortar stores pretty much know and can prepare for what can go wrong. Even if you are a brand-new startup, there is a lot of anecdotal knowledge floating around about how to handle your affairs. But for a lot of businesses coming online for the first time, while dealing with all the stress that the last year could throw at them, the breadth and depth of security issues are the last thing they need to be navigating alone.

BrandShelter’s Head of Marketing, Andy Churley, has written a whitepaper outlining the unique challenges that brands have faced in this year of living totally online. All of the advice he has given to large brands applies to businesses of all sizes and is readily shareable with clients and customers. The bottom line is that, regardless of what a business owner has prepared themselves for in terms of risk in the material world, everything is completely different for their online incarnation.

Churley says: “One of the advantages of doing business online is that, with a little creativity and a great web-designer, the little guy (mom-and-pop store) can successfully go head-to-head with the large brands. Unfortunately, cyber-criminals know this too. They also know that these smaller brands are less well-prepared and much less well-funded to counter certain types of criminality. This makes them an even more attractive target to the criminals than the big brands.”

Some of the malicious activities that a small business newly online needs to be aware of are:

• Domain hijacking
• DDoS attacks
• Traffic diversion
• Copy-cat sites
• Fake offers of sale on social media
• Phishing attacks via email
• Fraudulent apps on mobile app stores.
• Payment fraud
• Fake reviews
• Hoax web stores on marketplace sites
• Counterfeit product lines

Churley continues: “Often smaller brands are not even aware that criminals are targeting them, because they have little or no visibility on online activities outside of their own website. It is only when their brand has been suffering reduced traffic and revenues month-on-month that these smaller online retailers cotton on to the fact that they have become prey to sophisticated online criminals. Even if they suspect they are being targeted, the majority do not have the experience or in-house resources to deal with the problem. Many admit to feeling lost and helpless in the face of a well-coordinated and well-funded criminal attack, which may well destroy their revenues and reputation.”

One of the challenges that online retailers face is that there is still very much a cognitive break between the idea of consequences in the physical world and the idea that what happens on the Internet isn’t quite real. Churley explains that this results in online crime being seen in a way as “victimless”.

He says: “Two main themes emerge when talking to the corporate/business victims of cybercrime:

When a shopper visits a mall, they visit retail outlets that spend millions on location, building, fixtures and fittings as well as staff and stock. This capital outlay at the very least should reassure the shopper that they are shopping in a legitimate establishment owned and operated by a trusted brand and selling legitimate branded goods. The cost to criminals faking bricks-and-mortar establishments, and the ease with which they are identified and shut down, is part of the reason that there have been so few cases of it happening – with a few notable exceptions. Online, however, it is a completely different matter. Online criminals can rapidly and cheaply create an online webstore that mimics a well-known brand and offers counterfeit goods or captures payment cards and other personal details. If discovered, the cost of setting up another similar site is minimal.

The amount of footfall in a bricks-and-mortar store normally equates to revenues. Fewer in-store visitors mean fewer sales and less revenue. Online, web visitors may intend to shop in a particular webstore but may get diverted to a completely different shop due to misleading adverts, confusingly similar web addresses, or fake online offers of sale on social media. There are many web visitors who end up shopping on fake websites honestly believing that they are shopping at a legitimate store, and ending up out-of-pocket and disappointed with the brand when the products they receive are substandard.”

Fortunately for our users and clients, there are many ways to make themselves less attractive to criminals. Churley advises that: “For online brands and businesses, implementing low-cost domain monitoring will actually spot potential online criminal activity before it becomes a real problem. Before launching a look-alike website, or an email phishing attack, criminals need to register a domain name which is confusingly similar to the brand that is being targeted. Spotting these registrations as soon as they happen and blocking, suspending, or recovering the domain is usually enough to deter the criminals from persistent attacks. Domain monitoring typically costs a few thousand dollars a year and can save brand and business owners many times that in lost revenues.”

If your clients or customers find themselves in this situation, there are many options for recourse:

File a Uniform Domain-name Dispute Resolution Policy (UDRP); a legal recourse method for contesting legitimacy and recovering a domain name. It is a highly effective mechanism, but a slow and costly one.

Typical cost: $$$

In many cases, a domain name will be registered with the intention of using it to perpetrate a crime against a brand owner. With so many potential targets available to the criminal, it is not unusual for the domain to expire before the criminal has gotten around to exploiting it. Sometimes a wait-and-see approach is the best and cheapest option. However, it is essential to continue to monitor the domain for potential activity until the domain has expired.

Typical cost: $

Also called a back-order, a snap-back is an automated mechanism where a domain name is monitored until it expires. As soon as it expires, the snap-back mechanism triggers and automatically registers the domain name on behalf of the brand owner.

Typical cost: $

If the brand owner believes that a domain name (and more importantly, the website that uses the domain name) is infringing on its intellectual property rights, it can issue a cease-and-desist notice to the domain owner. This is normally done by its in-house counsel, IP law firm, or via a specialist brand protection provider, such as BrandShelter. The notice will detail the ways in which the brand owner considers that its brand is being infringed illegally and outline the action that it requires the domain owner to take and the date by which it requires action to be taken. In some cases, it will also outline the intended actions should the domain owner not comply.

Typical cost: $$

The Digital Millennium Copyright Act is a special standard type of cease-and-desist notice. It tells a company, webhost, search engine, or Internet service provider that they are hosting or linking to material that infringes on a copyright. The party that receives the notice should take down the infringing material as soon as possible. If the site owner doesn’t comply, the ISP can forcibly remove the content on behalf of the brand owner.

Typical cost: $$

 Website hosting providers provide shared disk space on which a user can create and host a website. When a brand-owner identifies an infringing domain name or website, contacting the hosting provider with a DMCA or other cease-and-desist notice can permit the hosting provider to suspend or close the web-hosting account, rendering the website unreachable. This measure can yield rapid results. However, it is usually short-lived, since the website owner can simply move their website to another hosting provider at minimal cost. Despite this, moving the website from place to place will cost the cybercriminal time and money, which may be sufficient to stop their activities against the brand owner.

Typical cost: $$

By engaging with the domain registrar through which the cybercriminal has registered the infringing domain, a business owner may persuade the registrar to suspend the domain name or the account that it belongs to. Suspending the domain name will stop the domain name from resolving to the website and even if the cybercriminal moves their website to a different hosting provider, the domain remains unreachable. Registrar domain suspension is best handled by an IP law firm or specialist brand protection provider such as BrandShelter as direct communications with known individuals in each registrar can improve the chance of achieving a successful suspension.

Typical cost: $$$

While not a domain name dispute, brand owners often find counterfeit products offered for sale on marketplace sites such as eBay or Alibaba. Most reputable marketplace sites have their own anti-abuse programs such as eBay VeRO program. These programs allow legitimate trademark owners to request delisting of fraudulent or illegal adverts. Due to the number of infringing listings that are normally discovered, it is more cost effective for a brand owner to work with a specialist brand protection provider such as BrandShelter in an ongoing program of discovery and takedown. Takedowns are usually rapid and protect consumers immediately. Counterfeiters and cybercriminals will normally continue to attempt to sell infringing products on these platforms unless it proves too costly for them, at which time, they will target a different brand.

Typical cost: $

If a brand owner can prove fraud, then a payment gateway will automatically suspend a merchant account. Almost all payment gateways have well established mechanisms in place to assess and suspend accounts that perpetrate fraud. These mechanisms are rapid and well-practiced and, like most anti-fraud mechanisms, require submission of proof by the brand owner. Due to the number of payment providers and complexity of the process, it is normal for brand owners to use a specialist brand protection company, such as BrandShelter.

Typical cost: $$$

Not to be confused with the UDRP, the URS process is a dispute policy that allows a brand owner to file a complaint and obtain a temporary domain name suspension. While the domain name ownership is not transferred, the domain is suspended until it is due to expire. Cybercriminals will give up on a domain name that they continue to own but cannot use. The typical time to conclude a URS case is around three weeks.

Typical cost: $$$$

Many top-level domains offer a formal abuse mechanism known as a Uniform Domain-name Dispute Resolution Policy (UDRP) with the domain registry to recover a domain name that has been registered fraudulently. If the UDRP case is won by the brand owner, the domain name is transferred into the brand owner’s portfolio, ensuring it doesn’t not return to the available domain pool unless released by the brand owner. A UDRP case typically takes from 6 - 12 weeks and throughout the case the domain name will continue to resolve. While it is perfectly possible for in-house counsel to file a UDRP, it is more normal for a brand protection specialist, such as BrandShelter, to undertake this on behalf of the trademark owner in order to maximize the chance of a successful outcome, reduce costs, and speed up the process.

Typical cost: $$$$$

If it is deemed important to recover the domain name into the brand owner’s portfolio, one option is anonymous acquisition. Typically, a domain registrar or brand protection specialist will engage in a dialogue with the domain owner and negotiate a price to purchase the domain, without disclosing the identity of the potential buyer. Once negotiations are complete, monies are deposited in escrow until the domain is transferred to the registrar, whereby it is transferred to the seller.

Typical cost: $$$$$

Each enforcement mechanism listed above has its merits and frailties. And a variety of factors from the size of the business, budget, and general level of patience may dictate what a business/ brand owner feels is right for them. However, providing all the information that your clients and customers need to defend themselves in this rapidly changing landscape can help them to respond to these incidents if and when they happen, recover quickly, and get back to what they do best.

Churley concludes: “It is clear that cybercrime is an increasing issue for all online business owners and their customers. The rate that businesses are moving online has increased dramatically due to the ongoing pandemic. Cyber-criminals are specifically targeting brands that are moving their operations online. Most businesses are unprepared for the wide range of sophisticated online criminality that will be launched against them. Large and small business owners may find out that it costs their customers money and affects brand owners’ revenues and reputation. Even when a business owner becomes aware of the threat against their brand, usually they have no idea how to tackle cybercrime, adding to the feeling of helplessness.”

“Gaining early visibility of threats is always the first step in protecting businesses online. By undertaking a one-time domain environment audit, or implementing a highly cost-effective domain monitoring service, brand owners can quickly identify and deal with threats online before they cause any financial or reputational damage. At the same time, they will provide effective protection to the business’s customers as well.”

Kelly Hardy is Head of Registry Policy at CentralNic Group PLC. Kelly helps both ccTLD and gTLD registry partners with policy issues including launch processes, rights protection, eligibility, dispute resolution and more. The former domain consultant is specialized in International Business Development, Channel Management, Policy and Marketing/PR strategy and is an expert in ICANN policy and New gTLDs.