Domain Names, Online Fraud and UDRP Procedures | Allen & Overy LLP


The pandemic has accelerated the company’s reliance on online services, and businesses are relying on their domain names more than ever to provide a secure destination for their customers.

This massive transition to the web has resulted in a marked increase in online fraud. One of the types of fraud perpetrated online is domain name fraud, which occurs when domain names that are similar or incorporate the names of well-known companies are registered in order to defraud unsuspecting customers with their money or data. . Often, the websites in question “clone†a legitimate business website, making it even more difficult to detect the scam. This happens frequently with financial institutions and investment firms, as fraudsters rely on the PRA or FCA permissions of these entities to reassure consumers about the legitimacy of the cloned website.

At the same time, cybersquatting is also a concern. Bad faith registration of a domain that includes a company’s trademark can pose a permanent threat to the safety of its customers, as a seemingly innocuous home page can quickly be replaced by a malicious website.

When the domain name concerned incorporates a mark identical or similar to the point of confusing that of an existing company, one of the avenues open to the companies concerned is to lodge a complaint under the Uniform Dispute Resolution Policy. relating to domain names (UDRP).

The majority of these complaints are made through the World Intellectual Property Organization (WIPO – although it is not the only approved supplier – a full list here). WIPO is the go-to organization for complaints about generic top-level domains (gTLDs, such as .com, .org, .biz and .info to name a few), and a number national top-level domains (some that operate under slightly different rules). However, some top-level domain names are outside of WIPO’s jurisdiction, for example domains are regulated by Nominet, which provides its own domain dispute resolution service. This article focuses on UDRP complaints filed through the PMOI.

In recent years, the number of domain name complaints has grown steadily. 2019 had already been a record year with 3,693 complaints filed with WIPO, and 2020 will set a new record as WIPO statistics show 3,405 complaints were filed between January and October 2020, an increase of 11% compared to the same period in 2019. The PMOI recently announced reaching the 50,000 case milestone since the inception of the UDRP system in 1999, noting that the pandemic has fueled cybersquatting cases.

The basis for a UDRP complaint is always a trademark over which the complainant has rights, and this must be incorporated into the domain name itself. The mark can relate to any jurisdiction and it can be registered or unregistered, although plaintiffs claiming unregistered rights must provide evidence that the mark has become a distinctive identifier that consumers associate with its products / services.

The complainant with his submission will have to convince the panel: (1) that the domain name in question is identical or similar to the point of confusing a mark to which he has rights; (2) that the holder of this domain name has no right or legitimate interest in the domain name; and (3) that the domain name has been registered and is being used in bad faith. These three requirements are cumulative, and if any of these members are not satisfied, the complaint will fail.

This article aims to provide practical advice on the issues that tend to arise when considering whether to file a UDRP complaint, and then as the complaint progresses to a panel decision.

1. The costs of filing (then modifying) the complaint

Although cheaper than traditional court proceedings, a UDRP complaint still incurs a minimum filing fee of $ 1,500 (when requesting a single-member panel, more if a three-member panel is required. ) plus the legal fees for drafting the complaint, which can be significantly more. The complaint follows a standard format, but must be carefully drafted to ensure that all evidence available to the complainant is properly detailed and appended, and that the requirements defined by ICANN are met. This is because every UDRP complaint is reviewed by a panel on its merits, so even without a response from the defendant, an insufficiently detailed complaint can still fail. When a substantial amount of evidence is available, this will greatly increase the chances of success but also increase the legal costs of filing the complaint.

In the majority of recent cases, the contact details of the domain owner are hidden behind a privacy service or are not displayed following the implementation of data protection laws such as the GDPR. WIPO only provides these details after the initial complaint has been filed, leaving the complainant a short period of time to modify their observations in light of this information. This amendment is not mandatory, but it is recommended. Often the details provided are themselves false or inaccurate, which can be used as further evidence of bad faith. However, it is clear that modifying and resubmitting a complaint following receipt of the respondent’s information entails additional work, and therefore legal costs.

2. Group several domains together

A complaint can be filed against more than one domain name, provided that they are registered by the same domain name holder. Since the filing fee for each complaint is $ 1,500, this can lead to significant savings.

However, cybercriminals have become more sophisticated in their approach. As a result, domain names that appear to be linked to the same fraudulent scheme are often registered under different (false) names and addresses and with different registrars, making the link between them more tenuous.

In these circumstances, it is up to the complainant to provide proof that these areas are under the same ownership and control. This may include proof that they were registered at the same time, that they are hosted by the same company or on the same server / IP address and in the same country. Also, showing that websites hosted on these domains have or had the same layout or were used to send very similar fraudulent emails to individuals is all useful evidence to prove this link.

If the panel considers that the evidence provided is not sufficient, the complaint may need to be split, resulting in additional filing fees to be paid for each separate complaint.

3. Pay attention to the domain’s expiration date

Domain names are often only registered for one year. Thus, when a complaint is examined, the expiration date of the domain name should be noted to ensure that the complaint is filed beforehand. Indeed, once the domain has expired, it becomes more difficult and, if enough time passes, impossible to initiate a UDRP procedure against it.

4. Keep the evidence while you can.

Websites can be deleted in a second – when evidence is detected that a website is engaging in fraudulent behavior, relevant screenshots should be taken immediately so that they can be used as evidence in the future . Any attempt to contact the site (for example, by e-mail or telephone) should also be recorded so that it can be used as evidence. Likewise, a business alerted to a fraudulent website by affected consumers should keep a clear record of these interactions.

5. No appeal allowed

UDRP proceedings are a form of arbitration and do not allow appeal. Once a decision is rendered, the only option available to a party challenging the decision is to take legal action in the jurisdiction to which the complainant has submitted. This must be done within 10 days of the decision. This can be a challenge for some of the jurisdictions that complainants submit to.

6. Take into account the urgency and the timetable

WIPO aims to have proceedings completed within 60 days of receiving a complaint. Depending on whether an amendment is required (see above) and whether the respondent decides to file observations, this time limit may extend beyond that.

During this time, the domain name is locked out (i.e. the respondent cannot sell or transfer it), but the website hosted on that domain will continue to operate until a decision is made. be taken and the domain transferred.

7. After a win – align your IT vendor

If compliance is successful, the domain name (s) will be transferred to the complainant. This process requires a bit of technical know-how, so it is helpful to identify in advance which members of a company’s IT team can handle a domain name transfer and can follow this process.

8. Reduce the likelihood of domain name fraud or cybersquatting

Securing key domain names that include a business name along with its most likely variants can be helpful in limiting options for scammers. Registering a domain name that is available on the most common generic top-level domains (gTLDs) such as .com, .net, and .org is inexpensive – typically between $ 10 and $ 30 per year.

However, due to the proliferation of new gTLDs, this strategy will not foil all attempts at domain name fraud. There are now over 1,200 active gTLDs, including .finance, .furniture, .legal, and .computer. This makes it difficult for even the largest organizations to register domain names defensively on all of them. An alternative is to hire the services of a trademark protection agency, which regularly monitors registries and can quickly alert a business of domain names that incorporate its name.


It’s no surprise that, given the growing threat that similar domain names pose to businesses and consumers online, the number of UDRP complaints filed is increasing year by year. Since the domain name holder, hosting company, and registrar can all be in different jurisdictions, this process can be a cost effective solution. On the other hand, UDRP procedures do not protect businesses from the possibility that scammers simply change their operations to a slightly different domain, which can lead to a frustrating punch game.

UDRP proceedings should always be seen as part of a larger strategy to resolve the issue, depending on the individual circumstances of the case. This broader strategy may include sending a cease and desist letter to the website, contacting the hosting company and the domain name registrar (whose responsiveness may be uneven, even in proven cases. fraud), reporting the fraud to the police and any relevant regulatory body (like the FCA), adding warnings to the company’s legitimate website, asking search engines to deindex the website and, if all else fails, seek a blocking injunction against the website.


Previous PTA issues clarification, says it has not implemented centralized DNS control
Next Best VPN for Canada in 2021 for Canadian IPs, Streaming & Security