Domain Hijackers Prey on Business Websites

Businesses can protect their websites from fraudsters looking to hijack their clients

by Mario C. Vasta

Today, it’s relatively easy to have a professional-looking website that inspires confidence and drives customers to one’s company. If a particular domain name is available, a business needs only use an internet domain registrar to make it its own. 

Unfortunately, the ease of registering a domain name comes with a price: It can allow fraud to proliferate. For example, imagine you run a home security company. You have a website: TheBestSecurityCompany.com. By virtue of owning this domain name, your employees can use email addresses with “@TheBestSecurityCompany.com” as the suffix to communicate with customers regarding many subjects, including billing.

One day, you realize one of your oldest customers failed to pay an invoice. You reach out to the customer and find out that she believes she already paid it. The customer tells you that three weeks ago she received an email from Jane, your company’s billing clerk, providing new account information for payment of the invoice. As a result, the customer sent Jane an electronic payment to that new account.

You are stunned. Your company has not sent out new billing information. You discover that the customer had not been contacted by your billing clerk, but rather the customer had received an email from “jane@TheB3stSecurityCompany.com,” where a “3” had been substituted for an “e” in the domain name. Your customer was scammed. But you don’t want to make this loyal customer pay twice, so your company eats the bill. You realize several of your customers are also late on payments this month, so you make more calls.

Other fraudsters attempt to use your business’s reputation and relationships to obtain goods on credit. Let’s say your hypothetical home security company (referenced above) orders certain technology products from a vendor, Security Supply, throughout the year. One day the vendor receives an email from “john@TheBestSecurltyCompany.com;” this time the “i” in “security” is replaced with a lowercase “L” in the domain name. Unfortunately, the vendor doesn’t notice the difference. The email asks for an order of certain products to be delivered to a specified address. Relying on your genuine company’s good credit, the vendor fills the order and ships the goods with 30-day payment terms. Of course, payment never arrives but the fraud is not discovered until after 30 days — the goods are lost. The vendor suffers damage in association with your company’s name, potentially tarnishing your relationship.

There are countless similar scams where typo-squatters can take advantage of a business and its customers by registering confusingly similar domain names. Nefarious actors may create websites that look nearly identical to a legitimate business and purport to sell its products or services, perhaps at a steep discount. When a would-be customer attempts to order from the fake website thinking it’s genuine, and no goods are sent in return for the payment, that business’s reputation is sullied, potentially leading to bad reviews of the genuine business.

Traditional Remedies May Not Work

What options does a business have to stop these bad actors? Although fraud is a crime and complaints can be filed with the authorities, it is rare that a victim would receive satisfactory or timely resolution. Even normal civil litigation may not be a good option unless the victimized business knows the identity of the perpetrator and how to find that person. Even then, it may face significant legal fees. 

Unfortunately, it has become increasingly difficult to identify the person or company that owns a particular domain name. As a result of the evolution of privacy laws, including the European Union’s General Data Protection Regulation (GDPR), tools like the Whois search site (www.whois.com/whois) now provide very little help. The websites that register the domains, known as registrars, will usually not provide any information due to the privacy rights of their customers. It is difficult to file a lawsuit when one does not know whom to sue.

Although obtaining the identity of the registrant by issuing an early subpoena to the registrar may be worth doing in certain circumstances, a response from the registrar might reveal only that the domain was registered with a fake identity or by an overseas actor. All the while, the legitimate business’s customers continue to fall victim to the fraudulent website, it continues to lose business, and its goodwill suffers as defrauded customers associate it with a scam.

Efficient and Practical Ways to Fight Back

Fortunately, there are other routes to stop users of misleading domain names by using a company’s trademark rights. Nearly all companies will be able to claim trademark rights so long as they are using a non-generic name, mark or logo in commerce to identify the company as the source of goods or services. The trademark need not be formally registered, although a formal registration grants broader rights. Most businesses use their trademark (e.g., their name) as part of their domain name. Accordingly, a company can use trademark rights to protect its domain name.

Even without knowing the identity of the “real” party that owns the offending domain name, the Uniform Domain-Name Dispute Resolution Policy (UDRP) is likely available to bring some resolution to the situation in a short time frame and at a relatively low cost. The UDRP provides a straightforward procedure for transferring an offending domain name to the ownership and control of the trademark holder, or for canceling the domain altogether. The policy is implemented through arbitration and is handled online. A trademark holder can file a complaint to show that the offending domain name is confusingly similar to the holder’s trademark, that the domain name registrant has no legitimate rights to use the domain name, and that it has been registered and used in bad faith.

The UDRP process sometimes produces results with lightning speed — getting a website removed in as little as five days from the date of filing. Even when it takes longer, final results are usually obtained in six to eight weeks. Such swift action is normally unheard of in a litigation context. If the fraud on the website is particularly obvious, or if there has been a history with similar typo-squatters in the past, the registrar tends to remove the website more quickly. In all cases, when the appointed arbitrator, or panel of arbitrators, makes a decision, it is published and the registrar behind the domain administers the decision. In addition, one may be able to obtain identifying information for the registrant at the beginning of the process. In some cases, such information may lead to the ability to pursue further relief from the perpetrator after the domain has been removed. The UDRP process itself is not a way to recover monetary damages.

In this age of internet anonymity, attempting to use standard methods when falling victim to a typo-squatting fraudster may ultimately increase the costs to resolve the issue and waste valuable time. Businesses should, rather, contact a trademark attorney to discuss what options are appropriate for their specific circumstances, and always stay vigilant when conducting online commerce.  

Mario C. Vasta is an attorney at Fennemore focusing his practice on civil litigation where he represents clients in domestic and international intellectual property matters. These include trademark cancellation and opposition actions, counterfeiting issues and litigation relating to trademarks, copyrights and trade secrets.
