Hard Earned Trust Lost to Automation

A few days ago I found a shop selling my company's products. Polished site, confident copy, a toll-free number, an official-looking suburban address, and a banner across the top reading "WitFoo Authorised Partner." There was one problem. We have no such partner. We never authorised anyone to resell under that badge. And the "products" listed for sale are not our products.

The site is witfoo-authorized-partner.com. It advertises thousands of "WitFoo licences," a full catalogue of things wearing our names (Precinct, Reporter, Conductor and a handful of components we have never shipped under those labels), a glowing customer quote I cannot match to any customer we have ever had, and a reassuring row of badges (authorised dealer, ISO this, TAA that). It is, in plain terms, a counterfeit of our partner programme, dressed well enough to fool a busy buyer on a Friday afternoon.

Follow the footer and it is not even hiding. The store is "operated by A5 IT," a small IT reseller out of Illinois that, by its own account, runs an "AI-driven automation platform" and stands up a whole network of these "[brand]-authorised-partner" storefronts. Their public brands page lists something north of 600 of them. The recipe is simple: scrape a vendor's public materials, generate a storefront, bolt on an "authorised" badge, and wait for the quote requests to roll in. We are one brand in the mill. The same page name-checks CrowdStrike, Zscaler and Splunk for good measure, and waves a distributor's GSA schedule around as though it were a hall pass.

I want to be careful here, because the careful version is the damning one. I have no evidence that anyone has yet wired money to this particular page, and I am not going to inflate a real problem into a movie plot. But I have spent enough years watching how cybercrime actually pays to recognise the shape of this, and the shape is not harmless.

Why a fake reseller is a supply-chain problem, not just a nuisance

Think about who buys security tooling from an "authorised dealer." It is rarely the security team. It is procurement, working from a vendor name a colleague mentioned, chasing a quote and a purchase order. If the dealer is a fiction, the failure modes range from expensive to dangerous.

At the polite end, you have advance-fee fraud: a buyer pays for licences that do not exist and gets nothing, and the real vendor (us) inherits the angry phone call and the reputational bruise. In the middle, you have grey-market and bait-and-switch: the buyer is steered toward whatever the operator can actually source, at a margin, under our name. At the ugly end (and I stress this is a risk model, not something I have caught happening) you have the classic supply-chain compromise: a buyer who believes they are installing genuine security software from a genuine partner, and is instead handed something tampered with, welcomed straight through the front door of the network they were trying to defend. The whole point of a security product is that you trust it with privileged access. A counterfeit distribution channel is a lovely place to abuse exactly that trust.

That is what makes "just a trademark thing" the wrong lens. Impersonating a hardware brand costs a buyer money. Impersonating a security brand costs a buyer the thing they were buying security to protect. When you multiply that by 600-odd brand storefronts generated by a scraper, you are not looking at one scam. You are looking at a factory for manufacturing misplaced trust across the whole tooling market.

The part where I reported it, and a form letter came back

Because the domain and the site's assets live on Cloudflare, I filed an abuse complaint with Cloudflare. What I got back reads like it was assembled by a vending machine. Cloudflare offers pass-through security, a CDN and registrar services; my complaint had been forwarded to the customer; Cloudflare does not arbitrate disputes and would act only on "a valid order from a court or competent tribunal"; here is a link to the ICANN dispute process; have a nice day.

Every clause of that is technically defensible. Cloudflare is an infrastructure provider, not a court, and I do not actually want my registrar deciding trademark law on a whim. But sit with the result for a second. A self-identified operator, wearing a dozen companies' brands without permission, invoking a distributor's government schedule, and the answer from the trust layer of the internet is: this is a private dispute, please return with a judge. The burden lands entirely on the victim, and the counterfeit stays up while the paperwork grinds.

The uncomfortable timing, and the thesis I keep coming back to

Here is the bit I can only offer as a worry rather than a proof, so I will mark it plainly as one.

In May of this year, Cloudflare cut more than 1,100 jobs, roughly a fifth of its workforce, and framed the move explicitly around an "agentic AI-first" way of operating. To their credit, the company said the layoffs were about the shape of the work rather than performance or cost, and said they kept their engineers and their sellers. There is also a healthy chorus of analysts pointing out that "AI made us do it" is a convenient story for a decision management made for other reasons, and that a tool never fires anyone; a person does. I am not going to pretend I know which desk (or which model) generated my form letter, or that a larger human team would have answered differently.

What I will say is that I have written this cautionary note before, in a different key. When you automate a process that was already broken, you do not fix it. You just run the breakage faster, and at a scale no human is watching. Abuse handling at an internet-scale provider was already a thin, thankless, judgement-heavy function on a good day. If the industry's instinct is to hand exactly those functions (the ones that exist to weigh context, spot a pattern, and exercise discretion) to an unsupervised bot, then the thing we are quietly automating away is not headcount. It is judgement. And judgement is the entire product when the job is deciding whether a self-identified reseller is a legitimate business or a brandjacking machine.

I have argued for years that people beat machines precisely inside the loop where context and decision live. A fraud like this one is a small, almost mundane test of that argument. A person who had seen a few of these would have recognised the storefront-mill pattern in about ninety seconds, noticed the same template stamped across hundreds of brands, and understood that "we forwarded it to the customer" is not a response when the customer is the problem. A form letter cannot do any of that, no matter how quickly it arrives.
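As an added illustration of the pattern described above (example code written for this page, not part of the original post and not tooling from WitFoo, A5 IT or Cloudflare), the following Python fingerprints storefront pages by their tag and class structure with all text stripped, so that pages stamped from one template with different brand copy collapse into a single cluster, and then flags any cluster that wears several different brands under the "<brand>-authorised-partner" domain shape. The domains, page bodies and the reseller name in it are constructed; the three-brand threshold is an assumed tuning value, not something the post specifies.

```python
"""Spot a storefront mill: many "<brand>-authorised-partner" sites stamped from
one template.  Added example; all domains and page bodies are constructed."""
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser
from typing import Optional

# Domain shape the post describes: "<brand>-authorised-partner.<tld>" (either spelling).
_PARTNER_DOMAIN = re.compile(r"^([a-z0-9]+)-authori[sz]ed-partner\.[a-z.]+$")


class _Skeleton(HTMLParser):
    """Record the tag/class structure of a page and discard all text, so that
    two pages built from one template with different brand copy look identical."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        classes = dict(attrs).get("class") or ""
        # ids, hrefs and src paths vary per brand; only tag and class survive
        self.parts.append(f"<{tag} class={classes}>")

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")


def skeleton_hash(html: str) -> str:
    """Template fingerprint: SHA-256 of the tag/class skeleton, text stripped."""
    p = _Skeleton()
    p.feed(html)
    p.close()
    return hashlib.sha256("".join(p.parts).encode()).hexdigest()[:16]


def partner_brand(domain: str) -> Optional[str]:
    """Return the brand a '<brand>-authorised-partner' domain is wearing, else None."""
    m = _PARTNER_DOMAIN.match(domain.lower())
    return m.group(1) if m else None


def cluster_by_template(pages: dict) -> dict:
    """Group domains whose pages share a template fingerprint."""
    clusters = defaultdict(list)
    for domain, html in pages.items():
        clusters[skeleton_hash(html)].append(domain)
    return dict(clusters)


def find_storefront_mills(pages: dict, min_brands: int = 3) -> list:
    """Flag template clusters that wear at least `min_brands` different brands
    under the '<brand>-authorised-partner' domain shape.  One template across
    many unrelated brands is the mill signature; one brand with several
    regional sites on one template is not.  `min_brands` is an assumed knob."""
    hits = []
    for fp, domains in cluster_by_template(pages).items():
        brands = sorted({b for d in domains if (b := partner_brand(d))})
        if len(brands) >= min_brands:
            hits.append({"template": fp, "brands": brands, "domains": sorted(domains)})
    return hits


# ---- constructed sample data (fictional domains and copy, not real sites) ----
def _storefront(brand: str) -> str:
    """Same template, brand-specific copy swapped in, as a scraper would generate it."""
    name = brand.title()
    return f"""<html><body>
<div class="banner"><img class="badge" src="/{brand}-badge.png"><span>{name} Authorised Partner</span></div>
<h1 class="title">{name} licences</h1>
<p class="quote">"{name} changed everything for us." - a customer</p>
<ul class="products"><li>{name} Gold</li><li>{name} Enterprise</li></ul>
<footer class="ops">Operated by Example Reseller LLC</footer>
</body></html>"""


SAMPLE_PAGES = {
    "acme-authorised-partner.example": _storefront("acme"),
    "globex-authorized-partner.example": _storefront("globex"),
    "initech-authorised-partner.example": _storefront("initech"),
    # a genuine reseller with its own layout: different fingerprint, not flagged
    "honest-reseller.example": "<html><body><h1>Honest Reseller</h1>"
                               "<p>Partner status is listed on each vendor's own site.</p></body></html>",
}

if __name__ == "__main__":
    for hit in find_storefront_mills(SAMPLE_PAGES):
        print(f"template {hit['template']} worn by {len(hit['brands'])} brands: "
              f"{', '.join(hit['brands'])}")
```

The structural hash is deliberately crude: it will miss a mill that varies its markup per brand, and it will group any two sites built on the same off-the-shelf theme. The second signal, many distinct brand names under one domain naming pattern, is what separates a mill from a coincidence, which is why the report requires both.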

For buyers, plainly

If you are buying WitFoo, buy it from us or from a partner we can confirm, and if you are ever unsure whether a "partner" is real, ask the vendor directly (for us, that is witfoo.com). This applies well beyond WitFoo. An "authorised dealer" badge is a picture, not a credential, and it has never been proof of anything. If a store cannot point you to a listing on the manufacturer's own site, treat the "authorised" claim as decoration.

We are pursuing this through the proper channels (trademark, the domain dispute process, and referral to the appropriate authorities where warranted), and we will keep doing so. What I would ask of the infrastructure providers who sit at the root of internet trust is simpler than it sounds: treat brand impersonation and false "authorised partner" claims as a first-class abuse category, worth a human being, rather than a private squabble to be waved off toward a courthouse. You built businesses on being trusted. That is an asset. It depreciates faster than any of us would like when the desk behind it stops thinking.

Last Words

Trust took us the better part of a decade to earn, one honest deployment and one kept promise at a time. It can be counterfeited in an afternoon by a scraper, and it can be shrugged off in the time it takes to generate a reply. I do not think the lesson is "AI bad." I use these tools every day and I am glad to. The lesson is older and duller than that: some functions are load-bearing, and the moment you take the human out of them for the sake of speed, you find out which ones were holding up the roof. Abuse handling is one. Deciding who gets to wear your name is another. I would rather we learn that on purpose than one form letter at a time.
