Domain Hijackers Prey on Business Websites

Mario C. Vasta is an attorney at Fennemore focusing his practice on civil litigation where he represents clients in domestic and international intellectual property matters. These include trademark cancellation and opposition actions, counterfeiting issues and litigation relating to trademarks, copyrights and trade secrets. fennemorelaw.com

by Mario C. Vasta

Today, it’s relatively easy to have a professional-looking website that inspires confidence and drives customers to one’s company. If a particular domain name is available, a business needs only use an internet domain registrar to make it its own.

Unfortunately, the ease of registering a domain name comes with a price: It can allow fraud to proliferate. For example, imagine you run a home security company. You have a website: TheBestSecurityCompany.com. By virtue of owning this domain name, your employees can use email addresses with “@TheBestSecurityCompany.com” as the suffix to communicate with customers regarding many subjects, including billing.

One day, you realize one of your oldest customers failed to pay an invoice, and you reach out to the customer and find out that she believes she already paid the invoice. The customer tells you three weeks ago she received an email from Jane, your company’s billing clerk, providing new account information for payment of the invoice. As a result, the customer sent Jane electronic payment to that new account.

You are stunned. Your company has not sent out new billing information. You discover that the customer had not been contacted by your billing clerk, but rather the customer had received an email from “jane@TheB3stSecurityCompany.com,” where a “3” had been substituted for an “e” in the domain name. Your customer was scammed. But you don’t want to make this loyal customer pay twice, so your company eats the bill. You realize several of your customers are also late on payments this month, so you make more calls.

Other fraudsters attempt to use your business’s reputation and relationships to obtain goods on credit. Let’s say your hypothetical home security company (referenced above) orders certain technology products from a vendor, Security Supply, throughout the year. One day the vendor receives an email from “john@TheBestSecurltyCompany.com;” this time the “i” in “security” is replaced with a lowercase “L” in the domain name. Unfortunately, the vendor doesn’t notice the difference. The email asks for an order of certain products to be delivered to a specified address. Relying on your genuine company’s good credit, the vendor fills the order and ships the goods with 30-day payment terms. Of course, payment never arrives but the fraud is not discovered until after 30 days — the goods are lost. The vendor suffers damage in association with your company’s name, potentially tarnishing your relationship.

There are countless similar scams where typo-squatters can take advantage of a business and its customers by registering confusingly similar domain names. Nefarious actors may create websites that look nearly identical to a legitimate business and purport to sell its products or services, perhaps at a steep discount. When a would-be customer attempts to order from the fake website thinking it’s genuine, and no goods are sent in return for the payment, that business’s reputation is sullied, potentially leading to bad reviews of the genuine business.

What options does a business have to stop these bad actors? Although fraud is a crime and complaints can be filed with the authorities, it is rare that a victim would receive satisfactory or timely resolution. Even normal civil litigation may not be a good option unless the victimized business