Domain names, online fraud and UDRP proceedings
11 December 2020
The pandemic has accelerated society’s reliance on online services and businesses depend more heavily than ever on their domain names to provide a safe destination for their customers.
This mass shift to the web has resulted in a marked increase in online fraud. One of the types of fraud perpetrated online is domain name fraud, which occurs where domain names similar to or incorporating the names of known companies are registered in order to defraud unsuspecting customers of their money or data. Often, the websites in question ‘clone’ a legitimate company’s website, making it even harder to spot the scam. This happens frequently with financial institutions and investment firms, as fraudsters rely on the PRA or FCA authorisations of these entities to reassure consumers of the legitimacy of the cloned website.
Alongside this, cybersquatting is also a concern. The bad faith registration of a domain that includes a company's trade mark may constitute an on-going threat to the safety of its customers, since an innocuous-looking holding page can quickly be replaced by a malicious website.
Where the domain name of concern incorporates a trade mark that is identical or confusingly similar to that of an existing business, one of the avenues open to the affected businesses is to file a complaint under the Uniform Domain Name Dispute Resolution Policy (UDRP).
The majority of these complaints are filed via the World Intellectual Property Organisation (WIPO - although it is not the only approved provider - a full list here). WIPO is the reference organisation for complaints relating to generic top-level domains (gTLDs, such as .com, .org, .biz and .info to name but a few), and a number of national country code top level domains (some of which work under slightly varied rules). However, some top level domain names fall outside of WIPO’s remit, for example, .co.uk domains are regulated by Nominet, which provides its own domain dispute resolution service. This article focuses on UDRP complaints filed via WIPO.
Over the past few years, there has been a steady increase in the number of domain name complaints. 2019 had already been a record year with 3,693 complaints filed at WIPO, and 2020 will set a further record as WIPO's statistics show that 3,405 complaints were filed between January and October 2020, an 11% increase over the same period in 2019. WIPO recently announced reaching the milestone of 50,000 cases since the UDRP system was created in 1999, noting that the pandemic has fuelled cybersquatting cases.
The foundation of a UDRP complaint is always a trade mark in which the complainant has rights, and this must be incorporated in the domain name itself. The trade mark may relate to any jurisdiction and it may be either registered or unregistered, although complainants relying on unregistered rights need to provide evidence to show that the trade mark has become a distinctive identifier which consumers associate with its products/services.
The complainant with its submission will need to convince the panel: (1) that the domain name in question is identical or confusingly similar to a trade mark to which it has rights; (2) that the holder of that domain name has no rights or legitimate interest in the domain name; and (3) that the domain name was registered and is being used in bad faith. These three requirements are cumulative, and if one of these limbs is not satisfied the complaint will fail.
This article aims to provide some practical guidance on issues that tend to arise when considering whether to file a UDRP complaint and then subsequently as the complaint moves towards a decision by the panel.
1. The costs of filing (and then amending) the complaint
While cheaper than traditional court proceedings, a UDRP complaint still entails a minimum USD1,500 filing fee (when requesting a single-member panel, more if a three-member panel is required) plus the legal fees for drafting the complaint, which can be significantly more. The complaint follows a standard format, but needs to be drafted carefully to ensure that any evidence available to the complainant is properly detailed and annexed and that the requirements set out by ICANN are satisfied. This is because each UDRP complaint is considered by a panel on its merits, so that even when there is no reply at all from the respondent, an insufficiently particularised complaint may still fail. Where a substantial volume of evidence is available, this will increase the prospects of success significantly but will also increase the legal costs of putting the complaint together.
In the majority of recent cases, the details of the domain’s registrant are hidden behind a privacy service or are not displayed further to the implementation of data protection laws such as GDPR. WIPO only provides these details after the initial complaint has been filed, allowing the complainant a short window of time to amend its submissions in light of this information. This amendment is not mandatory, but it is recommended. Often, the details provided are themselves fake or inaccurate, which can be used as additional evidence of bad faith. However, there is no denying that amending and re-submitting a complaint following the receipt of the respondent's information leads to additional work, and hence legal costs.
2. Grouping multiple domains together
A complaint may be filed against multiple domain names, provided that these are registered by the same domain name holder. Given the filing fee for each complaint is $1,500, this can provide significant costs savings.
However, cyber criminals have become more sophisticated in their approach. As a result, domain names which appear linked to the same fraudulent scheme are often registered under different (fake) names and addresses and with different registrars, making the link between them appear more tenuous.
In those circumstances, it is down to the complainant to provide evidence that those domains are under the same ownership and control. This can include evidence that they were registered at the same time, that they are hosted by the same company or on the same server/IP address and in the same country. In addition, showing that the websites hosted on these domains have or had the same layout or were used to send very similar fraudulent emails to individuals all constitute helpful evidence towards proving that link.
If the panel considers that the evidence provided is not sufficient, the complaint may need to be split out, resulting in additional filing fees being payable for each separate complaint.
3. Mind the domain expiry date
Domain names are often registered for just a year – so when a complaint is being considered it is worth noting the expiry date of the domain name to ensure that the complaint is filed beforehand. This is because once the domain expires, it becomes more difficult and, if enough time passes, impossible to start UDRP proceedings against it.
4. Save the evidence while you can
Websites can be taken down in a second – when evidence is spotted of a website engaging in fraudulent behaviour, relevant screenshots should be taken immediately so that they can be used as evidence in the future. Any attempts to contact the site (for example, via email or telephone) should also be logged so they can be used as evidence. Similarly, a business alerted to a fraudulent website by concerned consumers should keep a clear record of those interactions.
5. No appeals allowed
UDRP proceedings are a form of arbitration and do not allow for an appeal. Once a decision is issued, the only option available to a party contesting the decision is to start a court action in the jurisdiction to which the complainant has submitted. This needs to be done within 10 days of the decision. That can be a challenge for some of the jurisdictions to which complainants submit.
6. Consider the urgency and timeline
WIPO aims for proceedings to be completed within 60 days from receipt of a complaint. Depending on whether an amendment is required (see above) and whether the respondent decides to file any submissions, this timeline may extend beyond this.
During this time, the domain name is locked (i.e. the respondent cannot sell it or transfer it), but the website hosted on that domain will continue to operate until a decision is made and the domain is transferred.
7. After a win – line up your IT provider
If the compliant is successful, the domain name(s) will be transferred to the complainant. That process requires a bit of technical know-how, so it is helpful to identify in advance those in a business' IT team who can deal with a domain name transfer and can keep track of that process.
8. Reducing the likelihood of domain name fraud or cybersquatting
Securing key domain names that include a company’s name plus its most likely variations can be helpful in limiting the options for fraudsters. Registering an available domain name on the most common generic top-level domains (gTLDs) such as .com, .net and .org is cheap – usually somewhere between $10 and $30 per year.
However, due to the proliferation of new gTLDs, this strategy won't foil all attempts at domain name fraud. There are now over 1,200 live gTLDs including the likes of .finance, .furniture, .legal and .computer. This makes it difficult even for the largest organisations to register domain names defensively on all of them. An alternative is to engage the services of a brand protection agency, which regularly monitors the registers and can alert a company promptly of domain names that incorporate its name.
It is unsurprising that, in light of the increasing threat posed by look-a-like domain names to businesses and consumers online, the number of UDRP complaints filed increases year-on-year. Since the domain name registrant, the hosting company and the registrar may all be in different jurisdictions, this process can provide a cost-effective solution. On the other hand, UDRP proceedings do not shield businesses from the possibility of fraudsters simply switching their operations to a slightly different domain, which can result in a frustrating game of whack-a-mole.
UDRP proceedings should always be considered as part of a broader strategy to address the problem, depending on the individual circumstances of the case. That broader strategy may involve sending a cease and desist letter to the website, contacting the hosting company and the domain name registrar (whose responsiveness can be patchy, even in proven instances of fraud), reporting the fraud to the police and any relevant regulator (such as the FCA), adding warning notices to the business’ legitimate website, asking search engines to de-index the website and, if all else fails, seeking a blocking injunction against the website.