Fending off phishing attacks: Some simple steps using trademark law
The domain name for DLA Piper is www.d1apiper.com. But that’s not right. The domain name for DLA Piper is www.dlapiper.com. Hopefully, you noticed the difference. But if it was buried at the end of an email address in a header, would you notice? Sophisticated criminals, as they engage in phishing scams, are betting on the answer being no for at least an appreciable percentage of the population.
As lawyers, we often think about how to respond once a breach has occurred or how to prepare for the time when a breach occurs. Rarely do we consider how to prevent a breach or scam entirely. This article aims to help lawyers bridge that gap, providing simple, easy-to-implement steps to help keep the phishers at bay.
Defensive domain name registrations
Registering certain iterations of your brand name as a domain name can be helpful to limit the viability of certain phishing scams. This approach, however, has immediate limits. There are myriad versions of domain names and hundreds of potential top-level domains (.com, .biz, .xyz, and so forth). So this approach can reach the point of diminishing returns quickly.
This notwithstanding, it can be valuable to register relatively obvious variations of your brand as a domain name, including the name with your corporate form (www.dlapiperllp.com), geographic indications (www.dlapiperus.com), and obvious bad-faith variations (www.d1apiper.com and www.DLAP1PER.com). While this approach has its limits, it can still be quite effective in combating the most egregious and tricky domain name targets for scammers.
Real-time domain name watch service
Domain name watch services are valuable tools that alert a company when a domain name is registered that incorporates the company’s brand or a mark similar to the brand. These watch notices are generally delivered on a weekly basis, but for additional fees they can be provided more frequently.
Once a potentially problematic domain name is discovered, a strategy can quickly be developed for addressing it. These steps include:
Blocking emails
A quick and easy step is to configure your email servers to reject mail sent from the domain name. This helps combat a relatively common scam in which phishers contact invoicing or accounts receivable departments and ask for processing of invoices. The block ensures that the scammers’ email is stopped at the gate and never reaches the internal recipient.
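The two steps above (registering obvious bad-faith variations of the brand, and rejecting mail from a lookalike domain) can be automated. The following is an added illustration, not code from the article or from DLA Piper: it generates homoglyph, omission and transposition variants of a brand label for a defensive registration or watch list, and classifies an inbound sender address by folding digit look-alikes back to letters and measuring edit distance against the brand domain. The brand domain is the article’s own example; the substitution table and the distance threshold of 1 are assumptions.

```python
# Brand domain from the article; sender addresses below are constructed samples.
BRAND_DOMAIN = "dlapiper.com"

# Assumed table of digits commonly used to imitate letters in lookalike domains.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5"}
# Fold digits back to the letter they most often imitate ("1" -> "l").
FOLD = {"1": "l", "0": "o", "3": "e", "4": "a", "5": "s"}

def lookalike_variants(label: str) -> set:
    """Single-character homoglyph swaps, omissions and adjacent transpositions
    of a domain label (without the TLD), for a registration/watch list."""
    variants = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        variants.add(label[:i] + label[i + 1:])                 # omission
        if i + 1 < len(label):                                  # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    variants.discard(label)
    return variants

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, brand: str = BRAND_DOMAIN) -> str:
    """'allow' for the genuine brand domain or its subdomains, 'block' when the
    registrable label is within edit distance 1 of the brand after homoglyph
    folding (covers d1apiper.com, DLAP1PER.com, dlapiper.co), else 'other'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == brand or domain.endswith("." + brand):
        return "allow"
    label = domain.rpartition(".")[0].split(".")[-1]   # registrable label only
    folded = "".join(FOLD.get(c, c) for c in label)
    brand_label = brand.rpartition(".")[0]
    return "block" if edit_distance(folded, brand_label) <= 1 else "other"

if __name__ == "__main__":
    for addr in ["accounts@d1apiper.com", "billing@DLAP1PER.com",
                 "partner@dlapiper.com", "someone@example.com"]:
        print(addr, "->", classify_sender(addr))
```

Variants that insert words (dlapiperllp.com, dlapiper-invoices.com) fall outside the distance-1 rule and still need to be registered or watched explicitly.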
Demand letters
Demand letters can be sent to several recipients, but rarely resolve a scam situation. First, a demand letter can be sent to the domain name’s registrar, but nearly all registrars will refuse to take action against a domain name, even if it is clearly infringing.
Second, a demand letter can be sent to the hosting company responsible for hosting the website of a domain name. This is often relatively unsuccessful, although it has a better chance of success if there is some demonstrated scam activity associated with a domain name. This most often occurs if a customer or someone else reports receiving a suspicious email from an address associated with the domain name.
Finally, a demand letter can be sent directly to the domain name owner itself. Although new privacy rules now hide the ownership information for domain name registrants, the registrar will generally provide a proxy email address where a nasty letter can be sent. While it is highly unlikely that you will receive a substantive response, the very act of letting a scammer know that someone is onto them can be enough to scare them off to a new scam or target.
Domain name complaints
A final option for action is the Uniform Domain Name Dispute Resolution Policy (UDRP), an arbitration process through which a trademark owner can challenge domain names. To succeed in such a proceeding, the complainant must show that: (1) the offending domain name is identical or confusingly similar to the complainant’s trademark; (2) the registrant has no legitimate right or interest in the domain name; and (3) the domain name was registered and is being used in bad faith.
The UDRP procedure is valuable because it is the most cost- and time-efficient method for wresting ownership of a domain name away from a third party. This being said, it still takes approximately two to three months to receive a decision in these proceedings, which, in the fast-moving world of Internet scams, is often too slow. Moreover, the registrant can always register a slightly different domain name and start the scam over again. Nonetheless, this can still be an effective method for challenging a particularly problematic domain name.
Communications to clients
Another popular variation of a phishing scam is where a scammer pretends to be from your company and sends a fake invoice to your customer. This invoice often is accompanied by a short statement apologizing that you have changed your bank account information and asking for payment of this very overdue invoice.
Even though there is little a company can do to protect itself when the actions of its clients are involved, one helpful step is to implement consistent procedures and protocols for delivery of invoices. It is further helpful to include a cover message or statement on the invoice itself, reminding customers that invoices will always come from your company’s specific email address. Doing so will help train your customers to raise red flags when an invoice or communication strays from this protocol.