This post was co-authored by Nicole Candelori and Christiane Schuman Campbell, and it is the first installment of a multipart series.
As most brick and mortar stores across the U.S. remain closed due to the COVID-19 pandemic, phishing scammers have ample opportunities to attack the retail industry online by stealing customer data. One common method scammers use to steal information involves purchasing a domain name that includes (or is confusingly similar to) the name of a well-known business. For example, “typosquatters” might purchase a domain name similar to your business’ domain name, but it could include a common typo that a customer might make when searching for your legitimate website. The fake website might look similar to your legitimate site and prompt customers to input a username, password, credit card number, or other personal information that the scammer could then steal to use or sell.
During a time like this when customers are increasingly looking to purchase consumer goods online (e.g. home décor, kitchen appliances, and home office furniture), businesses selling these goods should be extra vigilant of these misleading (and often, infringing) websites. Businesses can hire trademark watch companies to monitor for any new domains that encompass their trademark or variants thereof. If your business becomes aware of a domain name that encompasses its trademark (or something confusingly similar) in an attempt to mislead consumers, there are a number of steps you can take to protect your brand and customers.
Contacting the Domain Owner
First, you should review the domain name registration (also known as the WhoIs record), which can provide valuable information about the owner, registrar, and host of the website. A number of sites provide search tools to review these records, including DomainTools. If the WhoIs record lists the domain owner’s contact information, you could reach out to the owner directly and request that they take down any infringing content. However, it is important to note that a domain name that simply includes your business’ trademark without displaying any content on the website may not necessarily infringe your trademark. Currently, U.S. trademark law treats domain names in a manner similar to street addresses, where including a trademark in the address without more would not constitute infringement. [1]
Contacting the Registrar/Host
If the domain owner’s name and contact information are private, a next step might be to contact the domain’s registrar or host. Registrars often prohibit phishing and infringement of intellectual property in their domain name registration agreements, which the domain owner has agreed to. If you can demonstrate to the registrar that the domain owner has violated any of these terms, the registrar may be inclined to suspend or terminate the domain registration. Additionally, under the Digital Millennium Copyright Act (DMCA), when domain host providers receive proper notification of copyright infringement, they are required to promptly take down or block access to the material. [2] DMCA notices must meet a number of specific requirements in order to constitute a proper notification, so these should be handled by an attorney. Host providers are a great resource if you can show that the domain infringes your business’ copyrights.
UDRP Complaints
When the aforementioned strategies are unsuccessful, businesses can file Uniform Domain-Name Dispute-Resolution Policy (UDRP) complaints against domain names that are identical or confusingly similar to their trademark. [3] UDRP complaints are generally a cheaper alternative to full-fledged litigation (WIPO filing fees start at $1500 when the complaint includes 1-5 domains). [4], [5] These complaints are like dispositive motions with no federal rules or discovery. The entire record is your complaint, so these should also be handled by an attorney.
Complainants must meet a number of UDRP requirements in order to have the disputed domain transferred, including proving that the domain was registered and is being used in bad faith. The World Intellectual Property Organization (WIPO) has held that phishing constitutes a bad faith use under the UDRP. [6] Accordingly, if your business can show that a domain is being used as a phishing scam to deceive your customers and the remaining requirements of the UDRP are met, this may be an appropriate takedown strategy.
At a time when phishing scams are becoming much more prevalent, the above strategies can be extremely useful to protect your customers and their data, which in turn will protect your brand’s reputation in the long run.
References:
[1] Terese L. Arenth, Trademark Protection in the Digital Age: Protecting Trademarks from Cybersquatting, A.B.A. (May 31, 2019), https://www.americanbar.org/groups/business_law/publications/blt/2019/06/trademarks/.
[2] The Digital Millennium Copyright Act of 1998, U.S. Copyright Office Summary (Dec. 1998), https://www.copyright.gov/legislation/dmca.pdf.
[3] Terese L. Arenth, Trademark Protection in the Digital Age: Protecting Trademarks from Cybersquatting, A.B.A. (May 31, 2019), https://www.americanbar.org/groups/business_law/publications/blt/2019/06/trademarks/.
[4] Terese L. Arenth, Trademark Protection in the Digital Age: Protecting Trademarks from Cybersquatting, A.B.A. (May 31, 2019), https://www.americanbar.org/groups/business_law/publications/blt/2019/06/trademarks/.
[5]Schedule of Fees under the UDRP, World Intellectual Property Organization, https://www.wipo.int/amc/en/domains/fees/ (last visited May 12, 2020).
[6]Yahoo Holdings, Inc. v. Registration Private, Domains By Proxy, LLC / Technonics Solutions, WIPO Case No. D2017-1336.