How Companies Can Use the UDRP to Combat Rising COVID-19-Related Phishing

Evan D. Brown

A straightforward out-of-court domain name proceeding can provide efficient relief against fraudulent websites and email.

Amid the Coronavirus pandemic, Google has seen a steep rise in new websites set up to engage in phishing (i.e., fraudulent attempts to obtain sensitive information such as usernames, passwords and financial details). Companies in all industries, not just the financial sector, are at risk from this nefarious practice. But one relatively simple out-of-court proceeding may provide relief.

Varieties of Phish Species

Phishing schemes can take a variety of forms. A fraudster may register a domain name similar to the company's legitimate domain name and use it to send email messages to the company's customers, requesting payment and providing wire instructions. Distracted or untrained customers who receive the email may unwittingly wire funds as instructed in the fraudulent email to an account owned by the criminal. Or the phishing party may set up a legitimate-looking but fake website at a domain name similar to the company's legitimate domain name, and direct users there to purportedly log in, thereby disclosing their usernames, passwords, and perhaps additional sensitive information.

Taking Sites Down with the UDRP

Everyone who registers a domain has to agree, by contract, to have disputes over the domain name's ownership resolved through an administrative proceeding (similar to arbitration). The Uniform Domain Name Dispute Resolution Policy (UDRP) governs disputes over .com, .net, .org and many other domain name registrations. The World Intellectual Property Organization (WIPO) provides administrative panels that decide disputes under the UDRP. These are decided "on the papers," with each party having the opportunity to submit arguments and supporting documentation. The time and expense of a UDRP proceeding are a small fraction of what one sees in typical litigation: UDRP cases usually conclude within weeks, and generally cost a few thousand dollars.

The UDRP Frowns Upon Phishing

To be successful in bringing a UDRP proceeding, a party has to prove (1) that it owns a trademark that is identical or confusingly similar to the disputed domain name, (2) that the party that registered the disputed domain name has no rights or legitimate interests in the disputed domain name, and (3) that the disputed domain name was registered and has been used in bad faith.

UDRP panels typically show little tolerance for blatant phishing efforts. Companies bringing UDRP actions against registrants of domain names registered for phishing purposes enjoy a high rate of success. A good phishing effort (that is, "good" in the sense that the fake domain name succeeds in deceiving) will require using words similar to the company's mark. So the first element is usually a low hurdle. On the second and third elements, UDRP panels are readily persuaded that a party using a disputed domain name for phishing gains no rights or legitimate interests, and demonstrates clear bad faith. "Using the disputed domain name to send fraudulent email is a strong example of bad faith under the [UDRP]." Samaritan's Purse v. Domains By Proxy, LLC / Christopher Orientale NA, WIPO Case No. D2019-2403.

By Evan D. Brown, Attorney – Evan focuses on technology and intellectual property law. He maintains a law & technology focused blog called Internet Cases and is a Domain Name Panelist with the World Intellectual Property Organization deciding cases under the UDRP.