Turning the tables on the tiger


    Mastering the challenges of online criminality for online retail brands

    Due to recent world events, brand owners are increasingly turning to the online channel to maintain and build brands and their businesses. Mid-way through 2020, JCPenney, the US retail veteran, filed for Chapter 11 (bankruptcy). Its bricks-and-mortar future was secured, at least for now, by Simon Property Group and Brookfield Property Partners, which bought the 118 year old chain. Interestingly, Simon Property Group is the largest shopping mall operator in the USA and was already landlord to 160 JCPenney stores located in its malls. It is not hard to imagine the negative effect on footfall in its malls should JCPenney have been forced to close its doors.

    More recently, in the United Kingdom, major bricks-and-mortar retail brands, such as Debenhams and Topshop have been purchased by online retailers including Boohoo and ASOS. The new owners are bringing down the shutters on these giants of the high street and relocating their brands exclusively online.

    Does an end to the high street mean an end to store crime?

    Physical retail brands have to cope daily with an array of criminal acts against them ranging from shop-lifting, vandalism and employee abuse. In the UK alone, external theft from retail outlets is estimated to cost retailers nearly $2.5bn with over half-a-million thefts reported. This equates to approximately 0.5% of total UK retail sales revenues.

    “While petty crime, such as shoplifting, may be eliminated by removing goods from the high street to an online environment, this presents a much more serious and damaging opportunity for organised crime.”

    However, despite UK online retail sales tripling over the past 3 years, it is wrong to think that moving a brand entirely online will bring about the end of revenue and reputation sapping criminal activities. While petty and opportunistic crime, such as shoplifting, may be eliminated by removing goods from the high street to a warehouse, this opens up a much more serious and damaging opportunity for organised crime.

    Out of the frying pan into the fire

    In BrandShelter’s experience, moving a brand online at best only swaps one type of criminality for another.

    In terms of physical theft of goods, distribution channels are now aggregated and stock is concentrated in fewer warehoused locations but with much more complex end-consumer distribution networks making it an even more attractive target for organised crime rather than petty criminals in-store. This, at least, is something most retailers understand and can address.

    When moving a brand online, a whole host of different criminal activities are faced by brand owners that the majority are ill-prepared to deal with. Fortunately, Debenhams and Topshop have been acquired by major online brands, which are experienced dealing with online criminality. These brands have already invested a great deal of money and resources in developing online brand protection programmes. They already operate a robust internet infrastructure to minimise losses from attacks such as Distributed Denial of Service, which would take the website offline.

    Who loses out online?

    When a crime, such as shoplifting, is perpetrated in a bricks-and-mortar store, typically it is the brand owner that suffers direct revenue loss, not the consumer. Of course, in the end, consumers end up paying a bit more for products in order to offset the brand owner’s losses through theft.

    Online, however, this situation is usually reversed.

    Online shoppers face sophisticated and well-funded criminals that are determined to use another’s brand reputation to make money by any means possible. Therefore, the criminals take direct payment from consumers who, if they are lucky, never receive the goods they have purchased and, if they are unlucky, receive shoddy and often dangerous counterfeit products, made by child labour in dangerous sweat shops.

    “Online shoppers face sophisticated and well-funded criminals that are determined to use another’s brand reputation to make money by any means possible”

    Therefore, unlike with in-store shoplifting, the consumer is directly and immediately out-of-pocket. But so is the retailer, as it has missed out on revenue it would otherwise have received. It’s doubly damaging for the online retailer since it may also suffer from reputational damage. This is because often the consumer is completely unaware that they have been duped and blame poor quality and missing shipments on the unsuspecting retailer.

    Protecting a brand online is a costly but necessary business. While in-store shoplifting accounts for 0.5% of revenues, one study put the cost of online fraud at 7.6% of an online retailer’s revenues due to the wide range of potential attacks against the brand.

    What about the little guy?

    One of the advantages of doing business online, is that, with a little creativity and a great web-designer, the little guy (mom and pop store) can successfully go head-to-head with the large brands. Unfortunately, cyber-criminals know this. They also know that these smaller brands are less well prepared and much less well funded to be able to counter the types of criminality listed above. This makes them an even more attractive target to the criminals than the big brands.

    Often smaller brands are not even aware that criminals are targeting them because they have little or no visibility on online activities outside of their own website. It is only when their brand has been suffering reduced traffic and revenues from month-on-month that these smaller online retailers cotton on to the fact that they have become prey to sophisticated online criminals.

    “Often smaller brands are unaware that criminals are targeting them because they have little or no visibility on online activities outside of their own website.“

    Even if they suspect they are being targeted, the majority do not have the experience or in-house resources to deal with the problem. Many admit to feeling lost and helpless in the face of a well-coordinated and well-funded criminal attack, which may well destroy their revenues and reputation.

    What is in the cybercriminals’ tool bag?

    The relatively high costs of online brand protection are incurred by the retailer having to counter a wide range of attacks on their brand including:

    • Domain fraud

    • Domain Hijacking

    • DDoS Attacks

    • Traffic diversion

    • Copy-cat sites

    • Fake offers of sale on Social Media

    • Phishing attacks via email

    • Fraudulent apps on mobile app stores

    • Payment fraud

    • Fake reviews

    • Hoax web stores on marketplace sites

    • Counterfeit product lines

    How to take on the cyber-tiger and win

    While it is tempting to try to take down the criminal and win a moral victory, simple practicality suggests smaller brands should simply attempt to push the criminal off of their brand and claim a commercial victory.

    You don’t need to run faster than the tiger

    With thousands of brands online acting as a potential target for criminality, it is sufficient to make your brand a more difficult target such that the criminals switch their focus to an easier target.

    The following anecdote makes a practical point:

    Two men are walking through a forest. Suddenly they see a tiger in the distance, walking towards them with an intent look on its face. One of the men takes some running shoes from his bag, and starts putting them on.

    “What are you doing?” asks the other man. “Do you think you will run faster than the tiger with those?”

    "I don’t have to run faster than the tiger,” he says. “I just have to run faster than you.”

    Always keep your eyes on the tiger

    In rural India it is common practice for people to wear a painted facemask on the back of their head in the belief that it will protect them from a Tiger attack. The theory goes that, since a tiger is an ambush predator, if it believes its victim is aware of it then it will look for a less vigilant and therefore easier victim. By wearing a mask with eyes on the back of their head it tricks the tiger into believing that it has been spotted.

    For online brands, implementing low cost domain monitoring will actually spot potential online criminal activity before it becomes a real problem. Before launching a look-alike website, or an email phishing attack, criminals need to register a domain name which is confusingly similar to the brand that is being targeted. Spotting these registrations as soon as they happen and blocking, suspending or recovering the domain is usually enough to deter the criminals from persistent attacks.

    Domain monitoring typically costs a few thousand dollars a year and can save brand owners many times that in lost revenues.

    To find out more about preventing attacks on your brand download our whitepaper and for practical advice on enforcement please contact