The perils of personal identity theft are well-known, but criminals target more than individuals and their credit card numbers. In recent years, businesses have become a popular target for identity thieves aiming to exploit brand recognition and customer expectations in the pursuit of illicit gains. Corporate identity theft’s effect on businesses can range from brand dilution to the exposure of sensitive company information. Hackers and data thieves have employed a number of identity-theft techniques that have proven catastrophic for some businesses.
Many corporate identity thefts begin with “typosquatting,” where thieves register look-alike domain names that differ from a business’s actual domain name by only a single letter or by the domain extension (for example, “goggle.com” as a typosquat of Google, or verizon.org for Verizon, which uses a .com extension). Typosquatting can be used in several ways.
- Domain-parking – extorting money from businesses that would like to own variants of their corporate name as web domains, for example, XYZ corp might want to use xyzcorpusa.com. Typically, the squatter has no rights under trademark law to use the name XYZ.
- Capitalizing on advertising hits that occur when a user mis-types the address of a web site (or clicks on a shady link). This can be considered “freeriding” on the name and reputation of the impersonated company.
- Using mis-typed addresses (or lookalike links) to pursue the sinister purpose of collecting personal data from users.
- Phishing company employees with emails purportedly sent from within the company but that are actually sent from outside.
- Pursuing invoicing and payment scams with suppliers or customers of the business, frequently spoofing the “sent from” address perfectly – and then using a lookalike domain for the reply-to field.
But recently, identity thieves have been posing as businesses on LinkedIn and elsewhere, scraping real job postings and creating cloned job postings on employment sites, using lookalike domains to establish accounts and mimic real HR managers. Applicants who may not be familiar with the business’s actual domain name might respond to the fake posting—thinking they are communicating with the business. Applicants who are strangers to the business may have no idea there is a problem. Because job applications frequently involve personal information, “job posting” attacks put the information of applicants at risk—and redouble the potential for reputational harm to businesses. We have recently seen instances where the imposters get as far as giving the applicants tasks—such as purchasing gift cards—and asking them to cash bogus checks.
Although domain name registrars purport to allow the reporting of abusive behavior related to a domain name, the affected domains are frequently registered anonymously via the registrars’ own captive anonymous registration services. As such, legitimate businesses cannot count on the registrars to shut down illegitimate activity. For obvious business reasons, the registrars also make it difficult to obtain the true identity of a site owner.
Where the registrar-provided process does not work, it is important to consult with counsel on next steps. ICANN, the organization that allocates IP addresses, has a Uniform Domain Name Dispute Resolution Policy (“UDRP”) that provides businesses a basis to file an arbitration action to address the misuse of domain names (whether the name of the complainant or a lookalike name). UDRP rests on a representation and warranty by a domain name registrant that the domain registered does not violate the rights of a third party. UDRP proceedings can result in the discontinuance in use of, or transfer of ownership in, domain names. The federal Anticybersquatting Consumer Protection Act, 15 U.S.C. § 1125(d) provides an overlapping set of protections to be pursued via litigation, including monetary damages, in rem actions, and potential collateral attacks on decisions in UDRP proceedings. The choice of a remedy should be carefully considered to minimize duplicative costs, avoid any hazardous issue preclusion and maximize results.
Although many companies spend money and resources defending against reputational attacks in the traditional media, repairing the damage wrought by online attacks presents a wholly different set of concerns and protocols. Vigilance is key. Identity thieves are constantly recalibrating their approaches to snare new victims. Some protective measures are straightforward: companies should monitor domain names similar to their own and keep an eye out for fake invoices. Some, as noted above, begin climbing the hill of arbitration and litigation. The best course is to consult with experts and develop a robust enforcement strategy to protect against corporate impersonators and cybersquatters.
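One way to act on the monitoring advice above, as an added example that is not part of the original post: this Python code enumerates the single-letter and extension variants of a brand’s real domain (the “goggle.com” and “verizon.org” patterns described earlier) and classifies a candidate domain taken from a reply-to address, an invoice or a job posting against them. The brand domain, the list of watched extensions and the sample domains are assumptions for illustration.

```python
import string

# Constructed example: the extensions worth watching are an assumption for
# this illustration, not values from the original post.
WATCHED_TLDS = ("com", "net", "org", "co", "us", "info")


def split_domain(domain: str):
    """Split 'goggle.com' into ('goggle', 'com'); lower-cases the input."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalike_variants(domain: str) -> set[str]:
    """Return every domain that differs from `domain` by one edit of the label
    (a dropped, substituted, inserted or transposed character) or by extension."""
    label, tld = split_domain(domain)
    alphabet = string.ascii_lowercase + string.digits + "-"
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                         # omission: gogle
        for ch in alphabet:
            labels.add(label[:i] + ch + label[i + 1:])               # substitution: goggle
        if i + 1 < len(label):
            labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: googel
    for i in range(len(label) + 1):
        for ch in alphabet:
            labels.add(label[:i] + ch + label[i:])                    # insertion: gooogle
    labels.discard(label)
    labels = {l for l in labels if l and l[0] != "-" and l[-1] != "-"}  # valid DNS labels only
    variants = {f"{l}.{tld}" for l in labels}
    variants |= {f"{label}.{t}" for t in WATCHED_TLDS if t != tld}   # extension swap: verizon.org
    return variants


def classify(candidate: str, brand_domain: str) -> str:
    """Explain how `candidate` relates to the brand: 'exact', 'extension', 'typo' or 'unrelated'."""
    cand, brand = candidate.lower(), brand_domain.lower()
    if cand == brand:
        return "exact"
    c_label, c_tld = split_domain(cand)
    b_label, b_tld = split_domain(brand)
    if c_label == b_label and c_tld != b_tld:
        return "extension"
    if cand in lookalike_variants(brand):
        return "typo"
    return "unrelated"
```

Running `classify` over a newly-registered-domains feed, or over the reply-to domain of inbound invoices, flags the variants the post describes before they are used against customers or applicants.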
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.