Katya Allison:  

Welcome to the GRIN Gets Real podcast, a show for marketers by marketers to talk shop and share insights on the ever-changing landscape of the digital world. This is a special episode that features one of GRIN’s software partners. 

 

Our software partners help ecommerce brands either drive consumers along the customer journey or empower brands to provide an excellent customer experience. 

 

In this episode, we chat with Alex Heckmann, VP of partnerships at clean.io. clean.io offers a unique solution built to give ecommerce merchants total control of their website user experience and their revenue. cleanCART prevents coupon extensions like Honey and Capital One Shopping from auto-injecting discount codes at checkout and puts a stop to untrustworthy affiliate fees and attribution reporting. 

 

If you run influencer or affiliate promotional codes, cleanCART is the best way to ensure that you are protected. So put your AirPods in and get ready for today’s episode on how to combat discount code hijacking. 

 

All right, Alex, welcome to the GRIN Gets Real podcast. I’m really excited to have you on here talking about discount codes and all of that good stuff.

 

Alexander Heckmann: 

Thank you for having me.

 

Katya Allison: 

Of course! Well, let’s get the ball rolling. I’d love to hear a little bit about what clean.io is. What is it? What does it do? What do you do in it?

 

Alexander Heckmann: 

Yeah, absolutely. So I’m part of the founding team at clean. We started in late 2017 as a real-time cybersecurity company that services the media telco space. So we’ve worked with a number of large SSPs, DSPs, and publishing partners to prevent basically unauthorized injections and malicious events from compromising user experiences. And in layman’s terms, we’re securing web pages as the distributor intended. 

 

So we prevent nasty pop-ups, you know, client-side injections, as well as third-party extensions, from interfering with the organic delivered experience that the creator wanted to. And we work with everyone from Warner Media—who owns CNN—and HBO to Barstool Sports, independent newspapers like the Boston Globe, and independently touch about 7 million websites. 

 

And through that process, about 18 months ago, we actually discovered that third-party extensions like Honey and Capital One Shopping are doing unauthorized injections and widespread web scraping, which is how they wind up getting lots of these discount codes that escape into the wild through influencer marketing, which can be coordinated through the likes of GRIN, as well as podcasts, or just general codes that are out there in the wild, even employee discount codes. 

 

Basically, how these extensions work is, let’s say I have Honey or Capital One Shopping installed, and I see an influencer code in the wild on a YouTube video. Let’s call it “Ben20.” And I go to biore.com. And I have Honey installed. And let’s say I type in “Ben20.” As I’m getting ready to check out, if I have Honey installed, when you actually install Honey, you see your privacy rights and give them read/write permissions online. So they see that code get validated in real-time. And what they’ll do is they’ll then scrape it into their database. 

 

And now anyone that comes back to the Bioré would be able to access that code, as long as they have Honey to inject it at the checkout. So even if they never saw that code—first time at Bioré—what will happen is it’ll try to inject that code at checkout. And now that merchant thinks that attribution is going to be tied to that “Ben20” code, so they have to pay out that merchant on the affiliate fee, and then they lost the margin at checkout. 

 

What we do is we block these extensions from being able to scrape and inject these codes at checkout. And we’ve been able to recover merchants hundreds of millions in lost revenue from fraudulent affiliate payouts as well as margin discounts.

 

Katya Allison:

I love it. That was a full definition not only of clean but also of just kind of in a—discount code injections. Am I saying it right? Because I know another term that’s used is hijacking—the code hijacking. I’m assuming that they’re both interchangeable. Is that correct?

 

Alexander Heckmann: 

They’re totally interchangeable. And then the other side of it is actually affiliate hijacking. So, a lot of people don’t have a tight grip on how sites like Capital One Shopping and Honey make money now. So they’ve been bought for hundreds of millions, if not billions of dollars in Honey’s case. 

 

Basically, how we’ve seen them work is they will start to scrape all of these codes into their database. Eventually, they’ll reach out to merchants and say, “Hey, we’ve been driving tons of sales to your site.”  What they’re actually doing is just, they’re just stealing that last-click attribution from affiliates that might have organically driven someone there, like, “Well, Honey actually injected the code, so we drove that session.” 

 

So they’re hijacking affiliate fees. And basically, what they do is they say, “We’ll stop scraping other codes in the ecosystem if you give us our own code, which will discount a user’s cart, and then you give us, you know, call it anywhere from 1 to 5% of that cart value.”

 

The issue is that Honey and Capital One Shopping are just lurking there at checkout. They don’t actually drive overall sessions from the data that we’ve seen. They’re just handing out free money at the register, which is, you know, really unfair to a lot of merchants that are out there as well as affiliate programs that are legitimately driving traffic.

 

Alexander Heckmann: 

Absolutely. I think, as a marketer, everybody should be concerned about this if they have an ecommerce site, but also correct me if I’m wrong. I’m you know—cybersecurity is something that should be top of mind for any ecommerce store. So as an ecommerce store or brand, what can I do as a form of precaution? Right? To secure myself from this? If I don’t have clean, what other kinds of steps should a brand take?

 

Alexander Heckmann: 

Yeah, so a couple of things that we’ve actually seen, and I actually saw this in GRIN’s platform when I got a demo the first time, I think what you guys have is actually a piece of your platform where you can disable codes from influencers that are sourced there. So that’s a really great way. 

 

If you run a discount report, if you’re on Shopify, for example, they can actually show you how many times a code has been used and how often it’s used. And that’s really just a great way to start out to identify, like, how often are your codes being used? If you’re running an influencer campaign with someone that has, you know, maybe 100 or 200,000 followers on their socials, but their code has been used 7,000 times, that’s probably a red flag for if it’s being—.

 

Katya Allison:

Maybe they are just really engaging! 

 

Alexander Heckmann: 

They might be really engaged—. 

 

Katya Allison: 

But more likely they aren’t, which is, I think, for influencer marketing, specifically, the hijacking of codes, the injection, the—I keep wanting to say injection because you say it so smoothly, and all I can think of is hijacking. So I’m gonna use code hijacking. The code hijacking is really kind of top of mind. 

 

I actually just finished conducting a workshop earlier today, where promo codes were part of the discussion. Like, it is definitely a worry for brands who are working with creators whether or not they’re going to use promo codes. There was a question that we had received in regards to just kind of best practices when it comes to promo codes. Do you have any thoughts on just kind of best practices for brands when they’re setting up the promo codes? 

 

So, for example, one suggestion was don’t put, like, a number at the end of it. Don’t put a 15, or 25, or 30 because that’s a flag for people to “steal the code.” Do you have any tips like that when it comes to setting up codes so they’re less susceptible? Or, is there even anything you can do at that level?

 

Alexander Heckmann: 

So if you’re gonna do influencer marketing, it’s really tough. So the—what I will say is, numeric nomenclature at the end of any code, Honey’s not going to discriminate against it. They basically just check to see if it’s getting validated, and they’re seeing the rewrite on the sessions. And since they’re also watching browser sessions, they’re just gonna see no matter what, and they don’t discriminate on codes that they’re going to scrape into their database. And that goes for every extension. 

 

And the reason why financial institutions are starting to buy these extensions—Klarna bought, I believe it was Piggy, not long ago for about $100 million. They’re all buying specifically to get the data on what’s happening across all these sessions because the terms of service when you sign up for these give these extensions such incredible views into transactions on storefronts. 

 

So if you’re going to do influencer marketing, it’s tough. You can—the nomenclature of how you issue these codes isn’t gonna affect anything. They’re still gonna scrape it regardless if they see it gets validated. And then, beyond that, coupon sites can pick them up. 

 

And then you can’t really cap usage. I mean, you could start to cap usage for influencer programs, but then you’re essentially limiting how much an influencer can actually use it. Influencer programs are really tough. 

 

So beyond that, if you’re doing employee discount codes or some sort of affiliate codes, what would I would do there is, like, either cap usage or turn them off after a certain period of time. 

 

Katya Allison: 

Yeah. 

 

Alexander Heckmann: 

But as we see more and more of our merchants actually move towards podcast advertising or influencer-based advertising with the changes to Apple’s operating system—. 

 

Katya Allison:

Yeah. 

 

Alexander Heckmann: 

More and more folks are migrating that way, which is great news for GRIN, and I think really great news for influencers as an ecosystem as a whole. 

 

Katya Allison:

Yeah. 

 

Alexander Heckmann: 

But I don’t think there’s really a silver bullet besides, you know—we’re not biased towards our solution; I just personally haven’t seen other merchants find a way to do it besides installing a security solution to block both the discount sites and the extensions.

 

Katya Allison:

Well, I was hoping for a silver bullet answer, but I will live with the fact that there is also something to be said about, like, okay, there isn’t a naming convention that I should watch out for, right? 

 

I think that where we ended up landing in the workshop is that as a brand, you just kind of have to test things out as well, too. And be able to, like, monitor the codes, like, have a system for monitoring and taking a look at kind of what you just touched on earlier was, you know, if you have an influencer that has 200 followers, but their code is used a significant amount more, like, that’s a red flag. And that’s definitely something that you should look out for. 

 

Now, as an ecommerce brand, we’ve already just talked about just kind of the discount codes, but what other risks are ecommerce brands exposed to from a cybersecurity standpoint that really you feel like often gets missed from brands? 

 

Alexander Heckmann: 

Yeah, so I think the unique part about clean right now—so we live and breathe. We have actual script that runs on hundreds of large ecommerce sites. So we see billions of transactions every year now, and then we can track down to the granular level of sessions that we’re running our script on versus not running our script on what conversion rates look like, as well as, you know, how discounts and sales impact overall cart completion rates. 

 

I think the two biggest things that I’ve seen from a cybersecurity standpoint, right now, are bot traffic is a bigger deal than people realize. It’s a really big thing. It impacts your overall site metrics and impacts your overall marketing spend. A lot of companies are retargeting bots, and they don’t even realize it. And they’re basing actual business decisions and site design and UX decisions without knowing that, in some cases, up to 10% of overall sessions, especially if you’re doing exclusive drops, are from, you know, bots on the overall web. 

 

So bots are a large and, you know, growing part, and it’s difficult for—historically, it’s been difficult for what I would call SMBs, or medium-sized merchants, to adopt a cybersecurity solution that prevents bot traffic. It’s typically been geared more towards enterprise. We are seeing solutions start to come downstream, and we work with a number of them. 

 

The other thing that I’ve seen is overall session hijacking, which is something that we do. It’s something that merchants aren’t familiar with. Apps in the overall Chrome or Safari extension market are compromised all the time, and they can wind up hijacking sessions and taking users to either competitive sites or just distributing malware across their site in general. 

 

And then mange carding is another big thing that’s out there, and that’s basically people trying to steal, you know, payment processing information at checkout.

 

Katya Allison:  

How would a merchant know that they’ve been compromised? Like, how would a merchant know that they’ve been compromised by bots? Because I would assume where it stands out is if there’s a significant spike, but, you know, you mentioned, like, 10%, and that people are, you know, don’t even know that they’re retargeting to bots. Like, what should I, as a merchant, be looking out for?

 

Alexander Heckmann: 

So the difficult part about fraud, in general, is a lot of people don’t really understand that, like, fraud is a business. So—. 

 

Katya Allison: 

Yeah, good point. 

 

Alexander Heckmann: 

It sounds crazy, but a lot of people think, like, fraud is just gonna be obviously out there, and you can look for key indicators; they’re gonna tell you whether or not there’s fraud there.

 

Historically, and we’ve seen this as—we’re a real-time malware detection solution, and we basically pioneered a threat mitigation language, which is now patented. So we basically analyze code executions on 7 million websites. And we read and watch how code is executing. And we’re looking for deterministic factors to see whether or not someone’s trying to run a fraudulent piece of code on a website or do something that’s malicious that’s rendering on a user’s device. 

 

With that, where it used to be blatantly obvious, and people would carpet-bomb on, like, basically nights and weekends when companies aren’t staffed, and their engineers are off, or people like just aren’t as active on their sites. That’s when most fraud used to occur is nights and weekends. 

 

Now, what they’re moving towards is rather than carpet-bombing when they think people aren’t at their desk, they’re actually just doing it in a much more sophisticated way, where they’re maybe targeting 1 to 4% of overall sessions. So they can just glide under the radar because there’s typically discrepancies in data between like Google and Shopify and everything else, and they thrive on the fact that not everyone’s data is ubiquitous, and they try and hide in the margins. 

 

So really, the easiest way to start to take an approach to figure out if you have an issue is, like, every one of these cybersecurity companies, whether you think you have bot-traffic issues, whether you think that you have discount-abuse issues, or you have mange carding, most cybersecurity companies offer you a free trial, and a lot of merchants think, “Oh, it’s going to be biased on their data.” 

 

Most companies are just willing to try and show you like, “Hey, there’s an issue here. And it makes economic sense,” or, “Hey, there’s an issue here. It doesn’t typically make economic sense. You have a fraud issue, but it’s such a small amount of money you’re losing right now that you could probably live with, like, just dealing with it.”

 

So it really depends. Do you just want to invest in trying to understand what’s going on? Or do you want to invest in making sure that you’re completely fraud-free? It’s a difficult situation that, like, a lot of smaller merchants are in the bucket of, “Do I invest in being proactive? Or do I wait until something happens?”

 

Katya Allison:

I guess I would always lean—not that you were asking anything—but I would lean towards going to be fraud-free? I think the sentiment from my perspective is if you let a little in, what if they take a mile, right? You give them an inch, and they’ll take a mile. 

 

I think that would be the fear of letting it just kind of slip. But to your point, if it doesn’t make economic sense, especially if you’re a small business, it’s tough to make that sale.

 

Alexander Heckmann: 

Yeah. And that’s exactly it. So we’ve been catering more and more solutions towards SMBs. So, like, we offer, like, a completely free program now. We call it Scan and Plan, where you can install our app, and we’ll tell you everything that’s going on for free. But we’re not going to block anything until you actually, like, sign up for our product. 

 

Katya Allison:

Yeah.

 

Alexander Heckmann: 

And our overall goal is just to educate people. “Hey, here’s what’s going on out there. And it could be a huge problem or not.”

 

And we actually had someone sign up for Scan and Plan. And it turns out they were losing 70 grand a month from, like, basically discount extensions, like—.

 

Katya Allison: 

That hurts my soul! That’s a lot!

 

Alexander Heckmann: 

It’s a lot. And we’ve had merchants that really didn’t believe that Honey was an issue, and they’re like, “No, our influencer marketing is just working really well.”

 

And we had one merchant—I can’t say who—they recovered 1.3 million last year that was strictly from blocking Honey and Capital One Shopping. 

 

Katya Allison. 

Oh my God, well—.

 

Alexander Heckmann: 

And their overall completion rate went up 2% when they started blocking those extensions. So that’s the other myth is that, like, discount codes improve cart completion rates and reduce cart abandonment rates? It’s not true because they add a ton of latency to sessions.

 

Katya Allison:

Oh my gosh. That—I’m actually really speechless. Like, you know, because, you know, I’m hearing what it is that you’re saying. And I’m also hearing, like, that what you had just said about, “Well, you know, sometimes it doesn’t benefit, like, they’re willing to lose a little bit,” but you should absolutely at least—at the very least—check to see what that minimum amount or that minimal amount is right? Because as a business, you have to be able to decide that. 

 

So when it comes to influencer marketing, specifically, how do you help brands kind of secure the experiences with influencers?

 

Alexander Heckmann: 

Yeah, absolutely. So most of the brands that adopt our services, whether in the Shopify ecosystem, or BigCommerce ecosystem, or you’re just a completely headless, native merchant, they are doing influencer marketing, whether it’s across socials, podcasts, YouTube, et cetera. 

 

And basically what will happen is whenever their codes are getting picked up into one of these extensions or they do get leaked down to the wild into, like, a retailmenot.com, or whatever it is, when our solution is living and breathing on a checkout page, we block them from being abused because the only way you would actually be able to use that code is if you organically came to a site and manually typed in that code without being a traffic-referral session from a coupon site. And the codes can’t be injected from an extension-based solution in the browser. 

 

So they would actually have to have seen that site, not come from a deal discount site. And the code can’t be injected from, like, Honey or Capital One Shopping. So, in turn, most of that behavior is legitimate. 

 

With our solution, we can see every time one of these extensions tries to inject an influencer-based code or an influencer-based code was copied and pasted from, like, a RetailMeNot of the world. 

 

So we can basically say, “Hey, let’s call it ‘Becky20.’ Becky’s an influencer on Instagram. You know, Honey tried to inject that code 5000 times on orders in the last month. Well, you now didn’t have to pay out Becky on those 5000 sessions, as well as, you know, all the other uses of the “Becky20” code were legitimate.”

 

Katya Allison: 

That’s wild. Well, I love it. I love that there is a solution out there, especially for those who are engaging in influencer marketing as a strategy that helps support their entire marketing strategy because there are just so—. When it comes to security online, I think it’s—I know for me, it’s really easy to be like, “Ah, you know, save password. Use the same thing.” 

 

Like, you know what I mean? Like, it’s so easy because it’s not something that you see until it impacts you and it impacts your bottom line so significantly. So, you know, any tips and whatnot that we can provide people who are listening is super helpful. 

 

But now we are to the prediction time. So with online shopping having really changed so much since the pandemic, what do you think is in store for the digital landscape from a security standpoint over kind of the next year or two?

 

Alexander Heckmann: 

Well, from a security point, I think that a lot of security solutions in the next two years are going to be more holistic. Typically, people are addressing one thing, whether you’re addressing bot traffic, or compromised JavaScript, or whatever else. I think you’re gonna see more solutions consolidate their offering to give people a more economically friendly security solution, where you don’t actually have to be, you know, a security-based engineer to understand what you’re purchasing. 

 

So I think security solutions will be easier to adopt, and they’ll be, you know, native apps that you can just install from the Shopify ecosystem or plug-and-play JavaScript that you can drop in the header of your environments. And it’ll cover a wide spectrum of things rather than a specific security niche. 

 

And then beyond that, I think also, Google and a lot of the social networks where traffic is acquired are going to be rolling out some of their own tools to provide a lot more validation for user sessions in general because that’s where a lot of fraud actually comes from is, you know, unsecured sessions from traffic referral—traffic referral sources.

 

Katya Allison:

That was a mouthful. That was a mouthful. 

 

But I’m so glad that you were able to bring and drop all of this knowledge in regards to cybersecurity when it comes to codes, when it comes to links, when it comes to the things that people just aren’t thinking about—kind of the, you know, the invisible. I don’t want to say invisible, but you know what I mean? They’re not upfront and in your face, but they are so highly important to your bottom line. 

 

So, I really appreciate you coming on and just sharing all of your knowledge.

 

Alexander Heckmann: 

Yeah, absolutely. Thank you so much for having me.

 

Katya Allison:

Thanks. 

 

From affiliate hijacking to discount code injections, this episode was all about protecting your website. And for those who work with creators, this podcast should have had your ears perked. 

 

Any ecommerce brand needs to have cybersecurity top of mind, especially in this day and age where online security is quickly becoming something consumers are really unwilling to compromise on. I don’t know about you; It’s very true for me. 

 

But what really stood out in this episode for me is that some fraud is expected and that not all fraud is worth removing because it’s not cost-effective. I don’t know why it’s a total shocker for me, but it makes sense. 

 

Want to hear more? Be sure to subscribe to the GRIN Gets Real podcast to get the latest episodes. Give us some stars, and drop us a review. Tell me which episode is your favorite and why. I want to know! And go to the show notes to find out more information about clean.io. 

 

Connect with me on social. You can find me on LinkedIn. The name is Katya Allison. And as always, keep grinning.