Luxury Brands Just Got One More Reason to Hate the Internet: Spoofing

New study reveals it's a bigger problem than many believed

Animation: Yuliya Kim

As recently as 2015, prominent luxury brands such as Fendi and Louis Vuitton were only starting to test out ecommerce. They embodied a larger hesitancy in the luxury segment to embrace digital transactions. The cold feet were understandable: Luxe brands feared that selling online would mean a loss of prestige. Many were afraid shoppers would be reluctant to hit the purchase button and part with very large sums.

Recent studies show that those fears were unfounded. McKinsey data predicts that digital sales of women’s luxury fashion will reach 17 percent of the total market by 2018, topping $12 billion in sales. A study from Walker Sands in 2016 found that 27 percent of shoppers purchased a luxury item online in the past year and that digital sales of luxury goods would hit $80 billion by 2025.

But some news may ruin the party. A report issued last week has uncovered still another reason why luxury brands might want to watch their step in the world of online commerce: spoofing.

Spoofing is just a technical term for the sort of fraud that’s long been the bane of many a luxury brand. It refers to the practice of using variants of a brand’s name to set up a series of URLs that lure unsuspecting shoppers to sites that steal traffic or money or both. Scam artists will often set up these fraudulent sites in connection with phishing schemes designed to relieve shoppers of their personal and banking information. The shady industry is worth an estimated $460 billion annually, dwarfing the $264 billion eMarketer estimated as the value of the personal luxury goods market online in 2016.

Spoofing is not new, but the report issued Thursday by cybersecurity research firms DomainTools and Farsight Security shows that the problem is more widespread than many realize. Using the names of eight leading luxury brands—Chanel, Gucci, Cartier, Prada, Givenchy, Hermès, Burberry and Louis Vuitton—the firm uncovered no fewer than 538 registered domains that use some form of those brand names and are highly likely to be fraudulent.

At a quick glance, the URLs look legit, but a closer inspection shows something off about each of them, ranging from a misspelling to an extra letter or word tacked on: Hermes-bag.us, for example, or Givvenchy.com or Chamel.us.

Tim Helming, DomainTools’ director of product management, said that even though he suspected there would be many dubious domains for these luxury brands, the number he found was still surprisingly large.

“We knew there would be a lot,” he said. “It turned out to be big. In fact, this isn’t even the whole picture, though it’s a big chunk of it.”

Helming’s team used a proprietary technology called PhishEye, which takes an established brand name and, using an algorithm, spits out a string of linguistic mutations that cybersquatters might use to register fraudulent URLs. The tool then scans the company’s database to produce a list of actual sites bearing those suspect names—among them a variant of Prada.com called “Ptada.com” and an irregularity of Gucci called “Gwcci.”
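A brand-protection team can apply the same idea in reverse: take a feed of newly registered domains and flag the ones that sit within one edit of a monitored brand name or that attach extra words to it. The sketch below is an added example, not DomainTools' code or PhishEye's algorithm; the matching rules, the `OFFICIAL` allow-list and the assumption that each input is a registrable domain (name plus TLD, no subdomains) are illustrative choices.

```python
# Added example: flag registered domains that look like brand-name variants.
# Brand names and sample domains come from the article; the allow-list of
# official domains and the matching rules are assumptions for illustration.
BRANDS = ["chanel", "gucci", "cartier", "prada", "givenchy",
          "hermes", "burberry", "louisvuitton"]
OFFICIAL = {"prada.com"}  # assumed allow-list; extend with each brand's real sites


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain, official=OFFICIAL, brands=BRANDS):
    """Return (brand, reason) for a suspicious registrable domain, else None."""
    domain = domain.lower().rstrip(".")
    if domain in official:
        return None
    tokens = domain.split(".")[0].split("-")  # second-level label, split on hyphens
    for brand in brands:
        for token in tokens:
            dist = osa_distance(token, brand)
            if dist == 0:
                # exact brand: extra words attached, or brand on an unofficial TLD
                return (brand, "affix" if len(tokens) > 1 else "tld")
            if dist == 1:
                return (brand, "typo")  # one-character slip such as chamel/chanel
    return None


def scan(domains):
    """Map each flagged domain to its (brand, reason) verdict."""
    hits = {d: classify(d) for d in domains}
    return {d: v for d, v in hits.items() if v}


if __name__ == "__main__":
    # First four are the article's examples; prada.com is allow-listed and
    # example.org is a constructed benign entry.
    sample = ["Hermes-bag.us", "Givvenchy.com", "Chamel.us", "Ptada.com",
              "prada.com", "example.org"]
    for name, verdict in scan(sample).items():
        print(name, verdict)
```

A distance-1 match on a short name will also catch unrelated words, so the output is a review queue for an analyst rather than a blocklist.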

The reasons for opening these dummy sites vary as widely as the names of the sites themselves.

“They can be used to lure or try to get someone to give up information,” Helming said. “A lot of time, they’re click fraud—they’re trying to steal pay-per-click advertising [revenue]. Some of it is credit-card harvesting, and some are just selling knockoffs.” Knockoff merchandise that, he added, often doesn’t even get shipped to the unsuspecting customer.

Cybersquatting has a history that goes back to the early days of ecommerce. But back then, the practice more commonly involved web cowboys registering a slew of company names before the companies did and then selling them for usurious amounts. Hertz, Avon and Panasonic fell prey to these mavericks in the early days. (The Anticybersquatting Consumer Protection Act of 1999 made the practice illegal.)