How a .brand can help secure your social links
By Corey Grant,
Senior Advisor – Professional Services, Neustar
In a recent blog, Tony Kirsch wrote about the emergence of short links through the growth of social media, and particularly how this has become an antiquated approach with new tools available for greater customization and branding of the social link experience.
As mentioned in that article, in order to make their social links a little more recognizable to consumers, most organizations try to find a short domain ‘hack’ that looks something like their brand. For example, Virgin uses virg.in and Best Buy uses bby.me. These links look far better than using someone else’s generic link (such as bit.ly, po.st or ow.ly), but they are still imperfect digital representations of the brand.
People now apply less scrutiny to links in social media than in other areas of digital. We’re all familiar with the risks of clicking on spam pop-up ads promising miracle weight loss results, and phishing emails from Nigerian princes begging for help moving money around. And for the most part, people are becoming more cautious of these malicious attempts.
But in social media, when domain ‘hacks’ are commonplace and a link appears to come from a brand you follow and trust, how are consumers to know when it’s legitimate? If you saw a link that said www.a.ll.st/ would you click on it or type it in? Maybe not. After all, it looks a little suspicious. Yet this is the official link shortener used by insurance company Allstate. In social media, URLs are not expected to look like traditional URLs – they’re in a class of their own.
Breaching social media security: a case study
During our recent webinar, we discussed how simple it is for bad actors to impersonate a big brand in social media by using these domain representations for malicious purposes.
Here’s an example of what we mean.
Firstly, we showed how you could hypothetically create a Twitter account using a similar name to a big brand, along with their logo.
Secondly, we purchased an example domain name that could be crafted to look similar to the original brand. In this example, we chose lmart.me for a cost of USD$7.99. This quickly and easily becomes wa.lmart.me, which looks entirely convincing given what consumers have been conditioned to accept.
Finally, we created a hypothetical tweet that looks like something the actual brand would post. This can include popular hashtags (in this case #holiday and #toys) to broaden the audience. Then the link is simply pointed to a malicious site designed to capture data that separates people from their money – using the chosen URL shortener.
That’s it. It’s scarily simple and frankly, I’m surprised it doesn’t happen more often.
Security breaches and consumer trust
It’s an unfortunate reality that we live in an age where impersonation and data theft are commonplace. The recent Equifax data breach was a major headline in 2017, and rightly so, but for those who work in cyber security it was neither new nor surprising.
In 2016, reported losses included over 1.8 billion records obtained through a variety of nefarious purposes, such as malware, ransomware, phishing, and keyloggers. These are terms that far too many of us are now familiar with.
And in February this year, AdWeek reported that counterfeit goods are “a $460 billion industry”, largely due to malicious actors online. The report, from the International Trademark Association, found that “the internet makes it easy to hide” and in fact named Facebook as one of the top 10 sites for the buying and selling of counterfeit products.
The sheer volume of bad actors trying to make a buck from companies and their customers means that creativity isn’t in short supply. If you thought the exercise of training employees against clicking on dangerous email attachments was hard, consider what it would take to educate the general public not to click on an impersonator’s Tweet.
A .brand new approach to secure links
So how does a .brand help make social links safer for your organization? To start with, it adds unprecedented control. Nobody can register a .brand domain except the organization that controls that .brand. This means that if you are using your .brand in social media, users can trust that the link really is from you – and it cannot be replicated by an external player. On top of that, organizations with a .brand will find themselves with a massive advantage over their competitors without their own branded extension.
Simple implementation is another benefit. Most organizations already use one of the many free or low-cost short link providers which enable the use of branded domains, such as Bitly or Rebrandly. Once you’ve registered a domain and set it up in your chosen platform, the new .brand link can be used in every social media post moving forward. This process is exactly the same as using any other custom URL shortener – no special set up required.
Those lucky enough to have a .brand can now drastically reduce the risk of malicious impersonation on social media by taking the simple step of using their .brand for their short links. Given recent feedback from our clients, and the rise in registrations of short .brand domain names, such as “go” and “on”, it seems there are more .brand URL shorteners on the horizon. We can’t wait to see this become the standard in social links – and to help put the bad guys out of business.
GoDaddy acquired Neustar's registry business as of August 3, 2020.