Mindless though most Internet chatter is, paying attention to what is being said online has become critical for retailers today—to protect brands, avert threats, respond to crisis, and improve store operations. Most recently—and dramatically—the imperative was underscored when multiple active shooter plots against retailers were averted after threatening online posts came to light.
- Three days after the tragic killing of 22 customers inside an El Paso Walmart, a Florida man was arrested after writing on Facebook: “3 more days of probation left then I get my AR-15 back. Don’t go to Walmart next week,” according to the Florida Department of Law Enforcement.
- Five days later, the Harlingen (Texas) Police Department said it “learned that a male subject had used a social media site to post up an imminent threat that was to occur at the Walmart in Harlingen on a specific date” and arrested him for making a terroristic threat.
- A week later, the police department in Daytona Beach Shores, Florida, arrested a man outside a Winn-Dixie after an ex-girlfriend alerted them to text messages that he sent her in which he threatened mass violence. The incident was reminiscent of an incident earlier this year when a Florida City man was arrested after writing that he planned to “shoot up Winn-Dixie” on Facebook, according to the Miami-Dade Police Department.
In addition to learning of an unknown person’s violent ideation, a review of social media posts is an important part of a workplace threat assessment of a specific individual, such as an employee who comes to the attention of the asset protection department. Social media posts can provide an additional piece of evidence to help investigators assess whether a specific individual poses a legitimate threat of violence.
Preventing a violent event is an obvious benefit, but an effective process for monitoring social media can also prove useful during the unfolding of a crisis event. During a tornado or an active shooter event at a nearby business, for example, information flows first from social media accounts. By effectively bringing together open source data sets, retail crisis management teams may be able to react more quickly and in correct scale with the event.
“The goal with any active threat is to achieve situational safety quickly and with as little risk as possible,” according to Mike Anderson, chief operating officer at Echosec, a dark web and social media threat intelligence firm. “Getting a clear perspective on the events as they unfold is critical for understanding what’s actually happening. Social media monitoring allows rapid access to this information, reducing the burden on your team.”
For a major retailer with multiple locations, leveraging publicly available information—such as online posts, government weather data, and so on—is essential to effective crisis response, according to Ryan Mason, asset protection analyst at Big Lots.
“We can plan, but we don’t always have a good sense of the scale of an event, such as during a hurricane,” Mason explained in a presentation at the 2019 NRF Protect conference. By using a real-time information platform (Dataminr), “We can have eyes on the ground during the event through social media.” He said it allows for more timely and informed decisions about issues that have significant financial ramifications, such as how to re-route supply chains and whether it is possible to keep store doors open. “Because when you close stores for security, the business impact is immediate,” he noted.
Social media monitoring also acts as a force multiplier for Big Lots when conducting executive protection work, said Mason. His team uses the intelligence platform for alerting to online threats against key executives, as well as for hints of trouble in locations where leaders are planning to go. “We use it for advance work, setting up a geofence around where the executive is going to be,” he said.
In location-based social intelligence, software allows users to define a specific geographic area—such as a specific street address or a mile-wide circle around an event location—and display the geo-tagged location of all social media posts within the defined area that contain keywords of interest, “protest” for example. Posts can be reviewed in a report for a specified time period or streamed live.
Big Lots also monitors social media for keyword combinations—“Big Lots,” “theft,” “shoplifting,” and other terms of interest—for insight to in-store conditions, said Mason. Case in point: A store customer took a picture of a calcified sprinkler head and posted it on Instagram, triggering an alert to the asset protection team, which was able to track down the store’s location through the user’s account. AP then notified the operations team of the safety issue, which was able to quickly correct it.
Increasingly, however, retailers also need to know what people are saying in darker corners of the internet, according to Anderson.
“Our retail clients have been using social media monitoring for loss prevention to understand events in the store, and for intelligence on mass coordinated shoplifting events, and the same customers are now very interested in the dark web,” Anderson told LP Magazine. “The same communities that collaborate around theft have migrated the discussion of those activities into niche places; it used to be discussions on Twitter, but now that has moved to smaller website like Rattle and to dark web chat groups.”
To help retailers keep pace with this shifting threat landscape, Echosec recently launched Beacon, a dark web intelligence solution. The tool allows a retailer to extract information from the dark web to aid in the detection and prevention of physical and information security threats. “It’s a constantly changing landscape and it provides a way to take in information quicker and extract key information because there is way too much to crawl through with a hand tool for sure,” said Anderson.
With it, retailers gain awareness of a range of potential harmful events, from sale of counterfeit merchandise, to selling of stolen customer or employee data, to the spreading of disinformation about the brand, or someone trying to trick customers into revealing personal data. “There is significant risk of reputational damage from anyone out there trying to pretend to be the company,” Anderson warned.