Our fight against fraud is just getting started
Let’s face facts: cybercrime is on the rise.
We at Namecheap have always taken fraud and other online abuse seriously, and over the years have invested significant time and money in our effort to fight against crime across the Internet. We haven’t always gotten it right, but we certainly were — and are — actively fighting to prevent abuse on our platform.
Even so, the sheer level of fraud that we (and the whole world) experienced during the emergence of the pandemic clearly showed us we weren’t prepared for what we were facing, and we needed to do more.
We realized early on that criminal activity was increasing during the COVID pandemic, but we, like many other organizations, were unprepared for the flood of reports that came in. In 2020 alone, Namecheap received 1.27 million abuse reports, representing an 85% increase in support tickets over the prior year. This huge increase caught us off-guard and led to huge backlogs in our ticketing system, overloading our teams and resulting in delays in our ability to investigate every ticket, before taking appropriate action.
Our backlog frustrated our customers and others who brought this fraud to our attention. The huge influx in reports forced us to rethink our entire reporting and investigation strategy and led us to partner with a security firm that shares our ideals and extend our work with law enforcement and cybercrime units in the US and UK even further than we had in the past.
Namecheap values customer privacy and due process
We believe that it’s critically important to first and foremost acknowledge our commitment to our customers’ privacy. Domain names are a gateway to the Internet. They serve as our customers’ online brand and address, and we are proud of our role as a global leader in the domain industry.
We are well known for our customer service and our commitment to the protection of online consumer privacy, free speech, and equal rights online. When it comes to reviewing reports of fraud, our team is careful and diligent. We approach the review process with neutrality and due process to ensure that all decisions are fair and in accordance with various laws.
We believe in working closely with law enforcement, including the FBI, the US Security and Exchange Commission, the UK’s National Cyber Security Center, and other entities that are fighting fraud and other abuse. This allows us to stay abreast of current regulations, learning more about bad actors, and fighting against abuse collectively. In the end, our goal is to ensure each decision is fair and determined by the proper forum, such as a court of law.
How the surge in fraud impacted Namecheap
At Namecheap, we have experienced a huge increase in reports of fraud and abuse. In addition to phishing scams, we have encountered an increase in impersonation and harassment claims, abuse of copyright (and fake Digital Millennium Copyright Act reports). As you can imagine, having to individually review over 1.2 million reports is time-consuming, and quickly overloaded our dedicated team that had been sufficient to cover our previous volume of abuse reports.
The growth in abuse created a backlog that we struggled to catch up with. We had to run multiple extra shifts per day, which required each team member to commit to multiple overtime shifts each month. On top of this, while our load increased, we also had moved everyone to remote working to keep them safe during the pandemic. This meant that despite our efforts, it was extremely difficult to recruit/hire and then train new team members, while facing into the global pandemic.
Making matters worse, many of the reports we receive come from automated bots which clogged up our fraud and abuse reporting system. We have also experienced a high volume of reports from large companies and social media platforms. In the latter case, the companies almost never present actionable evidence. They demand that we take action against websites and domain holders without due process and violate customer privacy by turning over customer information such as Whois data.
We would never take action on any of these reports without due process and verification. To do so would result in irresponsibly and unintentionally taking down legitimate websites, locking legitimate domains, and possibly shutting down businesses or harming critical infrastructure.
As an example, here’s what can happen when a registrar is irresponsible with their customers’ services.
We would also be silencing free speech, based purely on the word of the entity that filed the report or an unrelated third party.
These automated submissions create a cycle that makes it harder for hosting platforms such as Namecheap to respond to legitimate complaints in a timely manner. And the problem is growing all the time.
Focusing on the right solution
In response to this crisis, we put critical projects on hold while we moved teams to focus on this effort. We anticipated COVID-related fraud, but we were still frankly surprised by the volume of fraud that would occur. As our backlog throttled our ability to stay on top of abuse, it proved almost impossible to react to the level of abuse targeting UK institutions or the increase in ‘smishing’ (phishing via text message) without completely changing the way we look at preventing and reacting to abuse.
As noted above, we received over a million abuse reports, representing an enormous increase in tickets, and we investigated each and every one. Out of all of these reported fraud cases, Namecheap was able to verify abuse for 65,000 of these complaints. We found an additional 24,000 verified cases of abuse that we identified through our own internal anti-fraud efforts.
We quickly discovered that doing things the way we did them pre-COVID wasn’t reducing the backlog, nor allowing us to get to the cases that actually contained abuse in a reasonable timeframe. We had to rethink how we processed abuse cases and how we could address the backlog. It required that we challenge ourselves and at the same time, have a quality of review that honored our principles for privacy and due process.
Delivering new anti-fraud efforts
Making a difference in the fight against fraud means doing a lot more than answering tickets. We mobilized within the company to address the rise in abuse, and we also became experts concerning COVID abuse and trends.
These are some of the things we did (and are still doing) to fight fraud:
- Made significant financial investments against fraud. Namecheap has invested heavily in efforts to combat online fraud and other digital abuse, investing millions of dollars in our fight against abuse each year. In 2020 we increased that investment by 52% over the prior year to combat the growth in abuse.
- Introduced validation. Implemented CAPTCHA and other forms of validation into our reporting channels to ensure automated bots that clogged our ticketing system were ineffective.
- Switched up our approach. We started investigating and responding to the latest tickets first, rather than working from the oldest ticket back. This enabled us to reduce our response time to a matter of hours, thus significantly reducing the benefit that cybercriminals get when establishing themselves on our platform. We are working through our backlog of older tickets, many of which were submitted purely to clog our system.
- Partnered with Netcraft. In addition to our efforts with law enforcement, Namecheap collaborates with Netcraft, a company we identified as a leader in identifying and disrupting cybercrime. Netcraft works with many large enterprises worldwide to counter phishing. With the National Cyber Security Centers of four of the thirty largest countries (when ranked by GDP), it helps protect citizens against cybercrime. As we entered into this relationship, we evaluated their methods to determine abuse and determined that their metrics and ours were aligned. In our ongoing partnership, we work on evaluating new domain registrations against known metrics that indicate abuse, as well as creating and testing expedited submission and investigation processes.
According to Netcraft Director Mike Prettejohn, “Netcraft is delighted that Namecheap is using our anti-cybercrime platform. Over the past month, the median duration of a phishing attack hosted at Namecheap was 7 hours, which is already better than the industry average and roughly a 75% reduction from the 28-hour average measured during 2020. Because of the scale at which Namecheap sells domains and hosting, a reduction of 75% in takedown times there makes a substantial positive change against phishing worldwide.”
- Partnered with the National Cyber Security Centre (NCSC) to fight abuse of the UK postal service, Royal Mail, which was the target of a highly coordinated phishing attack. Having worked closely with NCSC for years, we were recently commended by them for our assistance in combating this abuse.
- Built a COVID task force. Recognizing the opportunity COVID presented for fraud and other online abuse, Namecheap immediately created a COVID task force to develop and oversee all of our COVID efforts. For example, we manually reviewed every domain registered with COVID-related terms (i.e. cov19, covid, virus, etc.) to ensure it had a legitimate purpose and was not perpetrating fraud.
- Created dedicated COVID reporting channels for both law enforcement and consumers. We were part of a national US law enforcement team that included the FBI, CIA, Department of Justice, the Food and Drug Administration, the Securities and Exchange Commission, and the Secret Service. We educated law enforcement on COVID reporting channels and committed to investigating their submissions as a matter of priority. We also provided them with intel regarding abuse trends we were witnessing and verified by the set of metrics we established to track online COVID abuse. We advised the New York and Florida Attorneys General offices and the Department of Justice.
- Maintained newly established reporting channels for law enforcement. We have continued to maintain our direct line of communication to law enforcement, focusing on wider abuse and working regularly with the different government organizations listed above on topics beyond COVID. We remain diligent in ensuring our partnerships with law enforcement target criminals and protect the rights of our legitimate customers around the world.
Namecheap has been busy over the past year catching up and finding ways to combat online fraud as well as doing our part to work with law enforcement to help fight some of the worst threats.
We are committed to the fight against fraud
Taken as a whole, we’re creating a “new world” in how we address abuse.
COVID was a defining moment for us in terms of the deep dive we did to address abuse, our broad approach in understanding all the pieces that went into an effective plan, as well as developing global relationships with law enforcement agencies, and more.
After weeding out the spam and false reports, Namecheap verified approximately 90k abuse cases following a full investigation in 2020. Almost 40% of those cases were independently identified by our abuse team (versus reported by a third party). And each and every one of the 1.27 million reports we received was investigated fully by a member of our team.
Namecheap’s anti-abuse team operates 24/7, constantly working through abuse tickets as well as internal investigations. To combat the significant increase in fraud claims, Namecheap increased overtime for existing team members and increased the size of our team substantially to boost our ability to fight abuse of our platform.
Taken as a whole, we at Namecheap recognize that we underestimated the amount of phishing and other fraud that would take place on our platform and how much it would escalate during the pandemic, and we genuinely regret that initially we were unable to manage the onslaught.
We are encouraged by the fact that we have been able to take steps to address the problem and are already seeing positive results, such as the significant reduction in time from many days to now investigating and taking appropriate action in under 24 hours for the majority of the abuse on our platform.
We also recognize that there is a lot more work still left to do and we will continue improving on our threat detection capabilities, our automation technology as well as coordinating and fighting DNS abuse with all of our current and future partners. We especially appreciate our partnership with law enforcement and recognize the important role we play in helping them to deal with online fraud and abuse.
That is, and will be, our ultimate commitment to a free, open, and safe Internet.