While many of us are working from home due to the current pandemic, criminals and scammers are also hard at work from home and have been increasingly more brazen since the stay-at-home orders have been put into effect. In popular media, we see television shows such as “90 Day Fiancé,” “Catfish: The TV Show,” and others depicting people being scammed by unscrupulous individuals online who are pretending to be someone they are not. Those scams are often colloquially referred to as phishing or catfish scams. Not only do these scams affect and target individuals, but they also target businesses.
We have seen businesses, including law firms, be targeted with false emails from people purporting to be the CEO of the business asking someone to “do them a favor” and buy gift cards or wire money. However, while people are more keen on these scams, there are much more complex scams. For example, scammers have registered domain names that appear to be similar to a company’s domain name. They will add an extra character to the company’s domain name or trademark, or make an easily made mistake such as substitute “nn” in the domain name to an “m” or change a “t” to an “f” and therefore create a false, but official looking domain name or one that is easily mistaken with the official domain name. For example, I own the domain name nulud.com, but a scammer could create the domain name mulud.com or nu1ud.com and try to purport to be me. Creating such a domain name is not difficult, nor is it costly, which is why these scams are prevalent.
What I have personally seen as an attorney for some of these businesses that have been unfortunate targets of such online scams is that the scammer first creates a false domain name similar to the company’s own official domain name or trademark. Then, they create an email address using that domain name that impersonates a company executive (since typically that information is public). Using that false email address they then ask an employee or employees of the company or clients of the company for some innocuous information such as a report of accounts receivable. Once they receive this report, they contact the people on the report that may have outstanding balances using the false email address (or they create an additional email address to appear like the person that they obtained the information from). They then ask that the person wire the payment to a bank account that the scammer controls. Thankfully, most people have been able to spot the scam and have averted disaster.
A similar type of scam involves the creation of a fake store that impersonates the business. They create a domain name using the business’ trademark, often times adding a descriptive term such as “store” or “clothing” (or whatever the business sells). This creates a domain name that appears to be related to the business. The scammer then creates a false website that is usually a virtual copy of the business’ own official website. They then purport to sell the business’ goods at a significantly discounted price to consumers. Typically, they do this to steal consumer’s credit card information (this is referred to as phishing) or to sell poor quality knock-offs of the business’ goods. Either way, not only does it hurt consumers, but it also hurts and disrupts the business and the goodwill they have established under their trademarks.
If one of the aforementioned scams occurs, there are various ways a business can take action. They can contact and work with law enforcement or they can ask their attorney to get involved. While local, state, and federal law enforcement has the most amount of discretion and can handle these types of cases, they oftentimes do not have the bandwidth to do so. What I have done as the attorney in this situation is to enforce the business’ trademark rights and issue letters to the registrar the false domain name is registered under and/or file a Uniform Domain Name Dispute Resolution Policy (UDRP) complaint to take control over the false domain name. A UDRP is an out of court administrative proceeding that is decided by an arbitrator and enforced on the registrar (unless one side appeals). The UDRP can either remove the registration of the domain name from the current owner or it can transfer ownership of the domain name to the plaintiff. Oftentimes, this is faster or as fast as law enforcement getting involved.
With a UDRP, one has to prove that 1) they have trademark rights and that the registered domain name is identical or confusingly similar to the trademark which they have rights in; 2) that registrant of the domain name has no rights or legitimate interest with respect to the domain name; and 3) that the domain name was registered and being used in bad faith. The UDRP process is a usually a one shot, one complaint, affair in which we establish the trademark rights and aforementioned elements, give the other side a chance to respond, and then an arbitrator issues a ruling. Action can occur in as early as thirty days. The remedy is that the client obtains control over the false domain name, locking out the scammer and preventing them from scamming more customers related to the company.
There are many different nuances with regard to the UDRP process, the required elements, as well as trademark rights. We recommend that you speak with an experienced attorney to discuss your potential claims.
About the Author:
Philip Nulud is an experienced intellectual property attorney at Buchalter. He has successfully represented many businesses from fashion brands to well-known celebrities and musicians in recovering hundreds of false domain names as well as establishing and protecting their trademark rights worldwide.