“Find the code under the cap”: how to conduct a promotional campaign for a brand and avoid scammers

The world is digitizing, and with it, crime. From crimes in the real world, fraudsters have long migrated to the digital world, including innocent advertising campaigns. A whole shadow economy of consumer promotion has formed with shadowy structures and organized groups that profit from the organizers' weak security against hacking. The holidays are just around the corner — a time when brands and retailers run various promotions to delight their customers. Marketing communications agency Brain Tank has encountered fraudsters firsthand. Brain Tank co-founder and strategy managing partner Yevhenii Myroniuk shared his case, which draws on a true detective story.

National consumer promotions known to the consumer as "find the code under the cap or inside the package" are a fairly common activity aimed at increasing sales and attracting scammers. From the organizer's side, the mechanics are simple: the buyer must purchase the product, find the promotional code inside and send it to the organizers. According to the promotion terms, everyone with a code will receive a gift. Such raffles are often held by retail chains and directly by manufacturers of FMCG goods.

Marketing agencies' detective routine

National consumer promotion campaigns (NCP for short) help to get to know a wide audience of the product, increase loyalty and stimulate sales throughout the country. We at Brain Tank regularly develop and implement such campaigns for various brands and have extensive experience in this. So we immediately knew something was wrong when we noticed suspicious activity on the giveaway landing page: someone was sending codes from a single IP address at a rate of 1,000 requests per second. We drew attention to this and started our own investigation.

We began to unravel this tangle from the end and realized that we were dealing with a group of several people. Everything is in the best traditions of the detective genre when there is an information collector, an operator, and a think tank who can write a program and, having promotional codes, can use it for fraudulent purposes.

The first protagonist of our criminal play is an employee of a bar or a store with an open bar. He opens the bottles, writes the codes from the caps, and hands them over to Person #2. Person #2 collects all the codes in the system and transfers them to Person #3. Person #3 is a programmer who bought a lot of phone numbers and wrote a special code. With this code, he automatically registers on the raffle site from the "left" numbers, fills out the questionnaires, enters the promotional codes taken from Person #2, and...

takes all the gifts. When it comes to hundreds of prizes, the total amount of the prize fund can amount to hundreds of thousands of hryvnias - a good prey for the usual fraud with a small IT resource.

We have revealed this scheme. We found out what kind of store it was, who the burglar was, and how they tried to deceive us. The scammers found a loophole in the system and took advantage of it. We closed their access: we wrote a special program that cuts off users with suspicious behavior and blocks participation in the promo. It is possible to find such people and even bring them to justice, but it is better not to fall for them.

How to protect yourself from scammers 

When you understand the vulnerabilities of the system, it is easier to manage the process. Based on our own experience, we at Brain Tank created a checklist of rules, thanks to which we strengthened the entire organization of the promos.

1. Entrust the case to an experienced and attentive contractor/technical specialist

Large promotions, in which dozens of types of prizes are raffled off, are practically impossible to implement manually, so the organizers have to automate everything. And where there is automation, there can be vulnerabilities that become fatal. Few people follow the promo progress after the launch, and this is the biggest risk for the organizers.

2. Build a complex IT infrastructure

Even when cheaters come your way, the promo must go on! So that the system does not collapse from a DDOS attack due to an influx of scammers, the configuration of your server and communication channel must withstand a large number of simultaneous requests.

3. Create detailed IT solutions

Set detailed parameters of user data analysis. These are the indicators by which you can determine the fact of fraud. Pay attention to the frequency of requests, check the phone numbers and IP addresses of the raffle participants.

4. Leave the final check to the moderators

Manage the automated process manually. Moderators should be responsible for overseeing questionnaire data. A simple mechanism of verification of suspicious participants` numbers will allow fraudsters to be exposed. If someone enters false data and cannot identify himself as a participant of the promotion in accordance with the rules of the promo, he may be prosecuted according to Ukrainian legislation on personal data.

Promo price

Despite all the difficulties, NCP remains an interesting marketing tool. An important resource needed for a successful promotion is analytics. The organizers of the promotions must be aware of all the processes that take place during the promo in order to find vulnerabilities in the rules. Investments in security pay off with results: new audience data, additional sales, and increased brand trust.

As for consumers, they should follow the promo rules. For them, a promotion is a completely safe story, except when it comes to gift promotional codes. Brands and retailers sell certificates for some amounts that can be purchased as a gift. They are often seen in classified ads at a discounted price. In this case, the consumer needs to understand that if something is too profitable, then someone paid for it. Who? Maybe these certificates were obtained by criminal means?