For Cyber Monday: A Case Study In Brand Protection

November is the new Cyber Monday. People have stretched out their online holiday shopping, buying more over a longer period of time — especially to avoid this year’s supply chain shortages and delays. Unfortunately, ‘tis also a longer season for cybercriminals’ perennial favorites: fake websites and brand spoofing.

Eclipsing Last Year’s Sales Growth

2020 set the stage for this year. Spending on Cyber Monday, the biggest day for online shopping, rose 15% over 2019. Sales spiked 21% year over year during “Cyber Week” — the five days from Thanksgiving to Cyber Monday — and 32% over the whole holiday season, to reach nearly $200 billion.[1] Retailers started offering yuletide deals as early as mid-October.

Meanwhile, on the dark side, cybercriminals were tapping into the shopping spree. One of their main exploits involved cloning retailers’ websites with lookalike domain names and sending phishing emails. These kinds of ruses lure people to come and click on malware, reveal credit card numbers or buy knockoffs of a brand’s products.

In 2020, 42% of companies saw an increase in web domains that impersonated their brands, and 47% reported a rise in email spoofing for the year, according to Mimecast’s State of Brand Protection Report. Suffice it to say, finding and reporting spoofed websites can be costly and time-consuming.

This year, analysts are predicting another double-digit increase in holiday ecommerce.^[2] And on the bright side, many retailers are now better prepared to spot the spoofers and stamp out their scams.

In Mimecast’s State of Email Security 2021 report, 92% of companies were either using or planning to use a brand protection service this year. Brand protection services like Mimecast’s continually scan the web, detect scam sites and report them to blocklists and third-party registrars to block or disable (aka a “takedown”). The services may also include tools like web scrapers, which immediately recognize when a cybercriminal is trying to lift brand elements and other code from a company’s ecommerce site in order to create a fake site.

A Behind-the-Scenes Look at Brand Protection

Just in time for the holidays, Chief Information Security Officer Jim Taylor gave us a look inside brand protection at Steve Madden, a Mimecast customer that sells footwear, accessories and apparel worldwide under several brands on seven ecommerce sites.

This will be the first Cyber Monday that Taylor’s team is using a brand protection service. Like many companies, Steve Madden didn’t fully realize the number of sites spoofing its brands before starting to use the service in the middle of this year. Customers certainly couldn’t tell. “The sites look perfect; they look just like Steve Madden,” Taylor said.

When the retailer used to chase down fake websites itself, it detected and reported an average of two per month for takedown, Taylor said. Now with the brand protection service, that number is as much as five times higher in some months.

“The old way, we played defense only,” he said. A rogue site would come to the company’s attention in an ad-hoc way — for example, if a business partner happened to point it out.

“Now we’re playing offense,” Taylor said. For instance, “we now know right away if someone has scraped one of our sites,” he said. That’s when Taylor’s team analyzes the situation to confirm the cloning and see whether the counterfeit site is drawing traffic. “If so, we go ahead with the takedown,” he explained. The whole process can take as little as a day.

Reaping the Benefits of Brand Protection

Madden’s brand protection used to be a very slow, manual function handled by the legal department, which in turn would work with an external law firm. This year, Taylor expects the company to save about $200,000 on external legal fees alone. “And our own legal team is saving time because they’re out of the takedown business,” he said.

Other benefits are even more important, he said, though more difficult to quantify. Before implementing brand protection, “customer satisfaction was taking a big hit, obviously, and there was some reputational damage,” Taylor said. Sales were lost, too, especially when scam sites sold knockoffs.

Within Taylor’s department, the brand protection function now takes up only a small fraction of one staffer’s time, to handle such responsibilities as monitoring a portal for live attacks and initiating takedowns. The brand protection tool is integrated with other security tools, such as filters blocking any spoofed emails from coming into the company.

Senior management and the board have been kept in the loop about the increased vigilance and successful takedowns of scam sites. “They’re very pleased,” Taylor said.

Over time, the more sites Taylor’s team blocks, the fewer he expects will pop up, he said. “Once the word gets out that we’re aggressively taking down any fraudulent sites, the attackers will move on to another retailer that doesn’t have protection in place,” Taylor said.

Brand Protection in the Bigger Picture

Brand protection isn’t the only concern during the holidays — the sales period that can often make or break a retailer’s fiscal year. Taylor’s team takes additional measures, such as ensuring that there’s enough CPU to handle a surging volume of visitors on its website. In another step, he puts an informal freeze on any nonessential IT or cybersecurity changes from mid-October to mid-January to avoid disruptions. And he and his team are on high alert for other attacks, such as exploits that steal credit card information from shopping carts, or distributed denial of service (DDoS) attacks that could completely shut down any of Steve Madden’s ecommerce sites.

“We treat Black Friday/Cyber Monday with extra caution and care,” Taylor said. “But with cybersecurity and data privacy, it’s a 24/7 job, every day.”

Brand protection isn’t just about Steve Madden’s brand name or its bottom line either. “We want to protect the people visiting these fraudulent sites, whether they’re our customers or not,” Taylor said.

The Bottom Line

Call it Cyber Monday, Cyber Week or even Cyber Month. Online retailers are facing a longer, bigger holiday shopping season than ever this year, raising the bar on brand protection. Retailer Steve Madden has gotten in front of the issue and is already taking down scam websites using a brand protection service.

[1] “2020 Holiday Shopping Trends,” Adobe Digital Insights

[2] “Holiday Retail Sales Expected to Increase 7-9%; E-Commerce Holiday Sales Projected to Grow 11% to 15%,” Deloitte