Preventive measures: getting in early in the fight against counterfeiting


Andy Churley

The internet has never experienced such a sophisticated and globally-integrated technological crime network as the one it faces today. Online criminals have new tools at their disposal and are more adaptable than ever.

Piracy and counterfeit goods continue to be some of the fastest growing types of online fraud. Each month, thousands of pirated e-books, software applications, licence keys, music albums and movies are made available over the Internet to download for free, or to purchase as hard goods or from publicly available hosting sites and file-sharing networks.

Most anti-piracy and counterfeit measures are reactive rather than preventive, often relying on customer reports or eagle-eyed employees to police these diverse and rapidly changing networks informally.

The driving requirement of services in this new world is rapidity of detection and successful takedown in order to minimise the effect of the counterfeit goods or pirated media being offered. However, much like in medicine, the ultimate goal is prevention rather than cure. Organisations are increasingly turning to early detection methods and intelligence gathering services to identify pirated media on websites rapidly and to tackle counterfeits before they are even offered for sale.

A comprehensive anti-piracy and counterfeit programme comprises four key elements:

  • Detection
  • Assessment
  • Action and reporting
  • Investigation and countermeasures.


The most important element in minimising the damage caused by content piracy and counterfeiting fraud is early detection. No matter how rapid and effective the enforcement action is after detection, if the attack is not identified early enough, the financial damage caused to a brand can be substantial. Ideally, counterfeits and pirated content will be detected almost as soon as they are offered for sale or download, at which point rapid enforcement action can be taken.

A key question to ask when considering an anti-counterfeit or anti-piracy programme is “What data sources should we monitor?”.

Budgets will play a key role in determining the scope of any detection service. It is crucial to be clear what the objectives are for an anti-piracy or anti-counterfeit programme. Is the aim to:

  • Provide metrics and focus on the scale and scope of the issue before undertaking enforcement, marketing and education programmes?
  • Embark on proactive detection and takedown to protect loss of revenues?
  • Undertake intelligence gathering to identify the individuals or syndicates behind content piracy or counterfeit rings for civil or criminal prosecution?

Depending on the goal, ome or all of the following types of monitoring may be applicable. At certain times some of these information sources may be more useful than others. Therefore, any third party monitoring on behalf of the brand owner should have the capability to monitor any of the sources below as and when needed.

  • Domain analysis—Intelligent scanning of new domain name registrations can flag up suspicious activity before products are offered for sale.
  • Online auction, trade boards and e-commerce sites—24/7 monitoring of products offered for sale using specific criteria to flag suspect items.
  • Cyberlockers, torrent portals and peer-to-peer (P2P) networks—Capability to index or monitor these dynamically changing networks to identify content piracy.
  • Spam mail analysis—Monitoring millions of mails from spam feeds and honeypot accounts to identify links to pirated media automatically.
  • Abuse box mail analysis—Loyal customers can provide a valuable early stage alerts to counterfeit products or pirated media. Automated analysis of abuse boxes and automated link crawling is very valuable.
  • Social networks—Monitoring these networks can help identify links to pirated content and the network of users involved in file-sharing and counterfeiting.
  • Internet relay chat—IRC is an ad hoc series of chat networks comprising hundreds of public domain servers. Pirated media, crack codes and counterfeit rings can all be found in IRC.
  • File-sharing networks—Often used for file-sharing, these dynamic, ad hoc networks host pirated software, e-books, movies and music.
  • Blogs and forums—Often used by fraudsters to plan counterfeit production; monitoring these sites allows early detection and silent information gathering, heading off an incident before it begins.
  • Newsgroups—There are hundreds of thousands of newsgroups on the Internet, sometimes used by fraudsters to plan and coordinate operations.


Early detection of a newly launched piracy or counterfeit operation provides valuable information upon which to make an accurate assessment of the threat level and determines the type of action to apply. Any monitoring activity should involve a combination of automated systems and experienced human assessors with sufficient information to take an informed and accurate decision on whether to initiate takedown, how and when. Key considerations are:

  • Automated analysis—Of spam emails and abuse boxes by intelligent systems allows first stage rating in terms of threat to brand. An automated system identifies the brands being copied, classifies the type of abuse and follows links to verify the nature of the infringement. This information can be passed to a skilled staffer for in-depth assessment.
  • Infringement threat analysis—Automated assessment of the level of abuse against specific criteria such as:

– Type of product offered

– Volumes offered

– Price points

– Origin of product

– Availability

– Number of links to pirated content

– Activity on file-sharing networks

– Product descriptions

– Images of product

  • Manual analysis—All suspect infringements should be viewed and assessed by a trained operative in order to verify the threat level and to confirm and assign an action.

Action and reporting

Once the decision to take action has been made, speed is the overriding priority. There are a number of factors that can dramatically affect the time to successful takedown and these factors are important when implementing an enforcement programme. When looking at takedown, the following action and reporting criteria should be considered:

  • Hours of operation—For high profile, multi-national brands it is vital to have a 24/7 takedown operation.
  • Relationships with Internet service providers (ISPs), domain registries and domain registrars—Personal relationships with ISPs, registries and registrars in all the major countries around the world are crucial in order to effect a rapid takedown of a serious infringement without any delay.
  • Relationships with cyberlockers and torrent portals—Good relationships with these sites can help reduce takedown time.
  • Relationships with auction sites, trade boards and e-commerce sites—Familiarity with each site’s rights owner programme and requirements for takedown simplifies the process and reduces the likelihood of errors.
  • Multilingual takedown capabilities—Takedown time is reduced through the use of clear and easy-to-understand communications in the native language of the site being actioned.
  • Local representation—Bodies on the ground make a real difference in the trickier cases. Local resources which can be called upon are highly desirable in order to effect rapid takedown and revenue recovery.
  • Real-time performance measurement data—Brand owners will need to view their current landscape and activities carried out using realtime status monitoring and verifiable metrics.

Investigation and countermeasures

Investigation activities can be undertaken at any time during monitoring and takedown operations. Countermeasures can be applied after a suspected attack has been identified. It is important not to underestimate the value of investigation activities in a takedown operation.

Critical capabilities include:

  • Behaviour analysis—Behaviour analysis uses sophisticated techniques to identify known fraudsters by their online behaviour and actions.
  • Mystery shopping—Test purchases can be used to confirm counterfeiting and to provide useful evidence when building a case.
  • Silent monitoring of piracy activities—On suspect sites, ongoing monitoring can provide invaluable intelligence and evidence in the fight against counterfeit and piracy.
  • Identifying the pirate or counterfeiter—Should a brand owner be intent on pursuing civil or criminal action, the capability to identify the real perpetrators of the fraud accurately through in-depth investigation is essential.
  • Experience in case building—For successful law enforcement action and solid evidence gathering, experience is crucial.
  • Law enforcement agencies and legislation—Relationships with law enforcement agencies and a good understanding of legislation and judicial process in key jurisdictions around the world greatly increases the chances of a successful enforcement action, prosecution or revenue recovery.

Online counterfeiting is becoming more sophisticated and content piracy is becoming ever more prevalent.

Fraudsters are expanding the scope of their activities to cover more products than ever before. Brand owners in all sectors should understand the risks and what they can do to reduce the likelihood of counterfeiting and content piracy, which can cost a company a great deal, both financially and and in terms of its reputation. Finally, brand owners should define a policy and have a clear position on their approach to mitigating counterfeiting and content piracy.


Andy Churley is head of products at Group NBT Corporate Brand Management. He can be contacted at:

This article was first published on 01 May 2012 in World IP Review

anti-counterfeiting, online piracy, domain names, ISPs, cyberlockers

Trademarks and Brands Online