Luxury Brands Just Got One More Reason to Hate the Internet: Spoofing

New study reveals it's a bigger problem than many believed

Animation: Yuliya Kim

As recently as 2015, prominent luxury brands such as Fendi and Louis Vuitton were only starting to test out ecommerce. They embodied a larger hesitancy in the luxury segment to embrace digital transactions. The cold feet were understandable: Luxe brands feared that selling online would mean a loss of prestige. Many were afraid shoppers would be reluctant to hit the purchase button and part with very large sums.

Recent studies show that those fears were unfounded. McKinsey data predicts that digital sales of women’s luxury fashion will reach 17 percent of the total market by 2018, topping $12 billion in sales. A study from Walker Sands in 2016 found that 27 percent of shoppers purchased a luxury item online in the past year and that digital sales of luxury goods would hit $80 billion by 2025.

So, the following bit of news might ruin the party for luxury brands, but a report issued last week has uncovered still another reason why luxury brands might want to watch their step in the world of online commerce—spoofing.

Spoofing is just a technical term for the sort of fraud that’s long been the bane of many a luxury brand. It refers to the practice of using variants of a brand’s name to set up a series of URLs that lure unsuspecting shoppers to sites that steal traffic or money or both. Scam artists will often set up these fraudulent sites in connection with phishing schemes designed to relieve shoppers of their personal and banking information. The shady industry is worth an estimated $460 billion annually, dwarfing the $264 billion eMarketer estimated as the value of the personal luxury goods market online in 2016.

Spoofing is not new, but the report issued Thursday by cybersecurity research firms DomainTools and Farsight Security shows that the problem is more widespread than many realize. Using the names of eight leading luxury brands—Chanel, Gucci, Cartier, Prada, Givenchy, Hermès, Burberry and Louis Vuitton—the firm uncovered no fewer than 538 registered domains that use some form of those brand names and are highly likely to be fraudulent.


At a quick glance, the URLs look legit, but a closer inspection shows something off about each of them, ranging from a misspelling to an extra letter or word tacked on: Hermes-bag.us, for example, or Givvenchy.com or Chamel.us.

Tim Helming, DomainTools’ director of product management, said that even though he suspected there would be many dubious domains for these luxury brands, the number he found was still surprisingly large.

“We knew there would be a lot,” he said. “It turned out to be big. In fact, this isn’t even the whole picture, though it’s a big chunk of it.”

Helming’s team used a proprietary technology called PhishEye, which takes an established brand name and, using an algorithm, spits out a string of linguistic mutations that cybersquatters might use to register fraudulent URLs. The tool then scans the company’s database to produce a list of actual sites bearing those suspect names—among them a variant of Prada.com called “Ptada.com” and an irregularity of Gucci called “Gwcci.”
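The same idea can be run from the defender's side: rather than generating mutations and looking them up, score each observed domain against the brand list. This is an added example, not PhishEye or DomainTools code; the brand list, the function names and the `channel.example` sample are assumptions made here, while the other sample domains are the ones quoted in this article.

```python
import re

# Brand labels from the article, ASCII-folded (assumption: one label per brand).
BRANDS = ["chanel", "gucci", "cartier", "prada", "givenchy",
          "hermes", "burberry", "louisvuitton"]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, brands=BRANDS, allow=frozenset()):
    """Return (brand, reason) if the first label imitates a brand, else None."""
    label = domain.lower().split(".")[0]
    if label in brands or label in allow:
        return None          # exact brand label or a reviewed benign name
    tokens = re.split(r"[-_]", label)
    for brand in brands:
        if brand in tokens:
            return brand, "brand-plus-word"      # e.g. brand with a word tacked on
        if osa_distance(label, brand) == 1:
            return brand, "one-edit"             # misspelling or extra letter
    return None

def scan(domains, allow=frozenset()):
    """Map each flagged domain to its (brand, reason) pair."""
    hits = {}
    for d in domains:
        verdict = classify(d, allow=allow)
        if verdict:
            hits[d] = verdict
    return hits

# Sample feed: four domains quoted in the article plus constructed controls.
OBSERVED = ["Hermes-bag.us", "Givvenchy.com", "Chamel.us", "Ptada.com",
            "prada.com", "channel.example", "example.org"]

if __name__ == "__main__":
    for dom, (brand, why) in scan(OBSERVED).items():
        print(f"{dom:18} resembles {brand:9} ({why})")
```

Without an allowlist the ordinary word "channel" is flagged as one edit away from "chanel", so matches from a check like this need review before they feed a takedown or blocklist.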

The reasons for opening these dummy sites vary as widely as the names of the sites themselves.

“They can be used to lure or try to get someone to give up information,” Helming said. “A lot of time, they’re click fraud—they’re trying to steal pay-per-click advertising [revenue]. Some of it is credit-card harvesting, and some are just selling knockoffs.” Knockoff merchandise that, he added, often doesn’t even get shipped to the unsuspecting customer.


Cybersquatting has a history that goes back to the early days of ecommerce. But back then, the practice more commonly involved web cowboys registering a slew of company names before the companies did and then selling them for usurious amounts. Hertz, Avon and Panasonic fell prey to these mavericks in the early days. (The Anticybersquatting Consumer Protection Act of 1999 made the practice illegal.)

In one of the more notorious examples, a New Jersey asbestos remover named Dan Parisi bought the rights to Madonna.com in 1998 and then opened it as a porn site. (Think that’s bad? He did the same thing with WhiteHouse.com.) Madonna’s attorneys came after him, and the diva took her name over in 2000.

These days, with most every corporate entity having long ago wised up to the necessity of owning a domain that bears its name, cybersquatters have moved over to the technique of registering sites that deviate ever so slightly from the official ones, betting on careless consumers mistaking the ersatz site for the real thing.

And indeed, we seem to be entering the era of Cybersquatting 2.0. Earlier this year, the World Intellectual Property Organization, or WIPO, reported that cybersquatting disputes grew 16 percent over 2016, with the body having mediated 3,036 cases, 895 of which were in the U.S. Of the 3,036 cases on WIPO’s list, 188 of them (9 percent) were in the fashion category. Hugo Boss alone filed 42 domain name disputes in 2016.

“The continuing growth in cybersquatting cases worldwide shows the need for continued vigilance by trademark owners and consumers alike,” WIPO director general Francis Gurry said in a statement.

Why the increase? WIPO cited the growth of generic top-level domain names, the part of a web address that comes after the dot. With a wide range of new domain extensions now available—including .store, .clothing and .shop—brands have many new ways to distinguish themselves online, and cybersquatters have as many new ways to create ersatz sites that appear just legit enough to be the real thing.


According to Helming, the problem also stems from the rather loose standards of the domain registrars, who don’t much care who’s buying the name so long as they pay for it.

“They don’t check that you’re part of [a luxury brand like] Cartier,” he said, nor do they apparently look very hard at the people doing the registering. “Darth Vader and Han Solo all own domains,” he said. “They will [also] offer you the ability to register it privately. That means no information about you appears. So when you look up the ownership records, it’s opaque who the owner is.”

All of which leaves the brands being spoofed in a difficult spot, since resolving domain name disputes is a lengthy bureaucratic process.

“You can get the infringing domain shut down, but it takes multiple efforts,” said Helming, pointing out that the stereotypical offender—say, some tech-savvy teenager sitting in a former Eastern bloc country—doesn’t have to supply any proof of affiliation to a brand before registering some address that spoofs the brand’s site, but “there is a burden of proof on the brand holder” to demonstrate the offense. Brands seeking redress have to follow the Uniform Domain-Name Dispute Resolution Policy set up by the Internet Corporation for Assigned Names and Numbers.

“These are well-established procedures,” Helming said, “but it takes time.”

Meanwhile, Helming suggests that brands can prevent at least some grief by coming up with their own permutations on their name and registering those domains themselves before spoofers can get to them—not that that practice doesn’t involve its own time and trouble. Ultimately, cybersquatting is just another complication of doing business in the 21st century.

“Everything that happens in the world,” Helming said, “has some online component related to it.” And that, of course, includes crime.


@UpperEastRob robert.klara@adweek.com Robert Klara is a senior editor, brands at Adweek, where he specializes in covering the evolution and impact of brands.