Has your company recently been hit by a business email compromise (“BEC”)? This type of cybersquatting and phishing appears to be on the rise.
Here’s what happens: A bad actor registers a domain name that mimics the primary domain name used by a business, which I call the “real company.” Call the domain name used by the real company the “real domain name” and the one registered by the bad actor the “fake domain name.”
The bad actor registers a fake domain name, which looks legitimate. Sometimes, the bad actor adds a word to the real domain name to make the fake domain name look like one that the real company might use. For example, if the real company is Acme, the bad actor might register AcmeCareers.com.
Sometimes, the bad actor will register a fake domain name that substitutes letters or numbers to look like the real company’s primary domain name. For example, the bad actor might replace the letter “m” with two letters, “r” and “n,” which look like an “m” when written together (“rn”). Thus, a bad actor might spoof Acme.com by registering Acrne.com.
People are also reading…
Usually, the bad actor uses the fake domain name only to send phishing emails to targeted people. For example, it might target the real company’s customers, such as by sending fake invoices. Or it might send fake emails to people who think they are applying for a job at the real company, instructing them to buy something purportedly needed for the job.
If this hits your company, what should you do? Below is a list of legal tools you can use. There are technological things you should do, but I’ll leave that to your tech support team.
Immediately File a Phishing Report. Use a WHOIS search service to find the domain name registrar used to register the fake domain name. Go to the registrar’s website and file a phishing report. Most registrars will quickly suspend the fake domain name. This should prevent the bad actor from using the domain name for any purpose, including email.
The identity of the bad actor who registered the fake domain name will almost always be hidden from you. Bad actors usually use proxy services, which mask their identities. Also, because of privacy laws, most domain name registrars hide the identity of domain name registrants.
Send a Cease-and-Desist Letter to the Bad Actor. Send it to the domain name registrar and request that it be forwarded to the domain name registrant (the bad actor). While the letter won’t intimidate the bad actor, it might cause the bad actor to move on to another target. Also, you want to show that you took all reasonable steps to stop the fraud because that could affect your company’s liability.
Consider Filing a UDRP Action. UDRP stands for “Uniform Domain-Name Dispute-Resolution Policy.” It is an arbitration process to recover domain names from cybersquatters. You can use it to freeze the domain name, find the identity of the domain name registrant (it’s probably fake), and recover the domain name. This process can take a couple of months and cost several thousand dollars in legal fees. While this step may not be cost-effective if you have successfully suspended the domain name with a phishing report, you might do this to show that you did all you could to stop the fraud.
Notify People. Use email notices and warnings on your website and social media accounts to warn the affected audience about the fraud.
Notify Relevant Insurance Carriers. You can lose your ability to make a claim by waiting too long.
Backorder the Fake Domain Name. Use a service such as SnapNames that specializes in obtaining domain names when they become unregistered. Your goal is to get and hold the fake domain name.
File a Complaint with the FBI’s Internet Crime Complaint Center. It’s unclear if the FBI acts on these complaints, but filing a complaint is easy, and it’s another way of showing that you did all you could to remedy the situation.
Finally, there are legal things you should do before BEC occurs to put your company in a stronger legal position when an attack occurs:
Federally Register Your Trademarks. Most likely, the primary domain name used by your company is a version of the company name, such as Acme.com. A registered trademark would help you win a UDRP case and might help persuade the domain name registrar to deactivate the fake domain name due to phishing.
Conduct Trademark Infringement Watching and Policing. This program should detect the registration of potentially problematic domain names, allowing you to take proactive measures.
The critical thing is to act quickly when a BEC incident happens. If you take a wait-and-see approach, that delay might allow the problem to worsen, which could increase your company’s liability.
Business openings and closings in Richmond area
Cinnaholic
Lotte Market
Bite by Bite
Barnes & Noble
Txtur
Marshalls
Planet Fitness
Shoreline Seafood Market
Gearharts Fine Chocolates
BLVCK WAX
Scenthound
Ruby
Yellow Umbrella Libbie Mill
Odd Bird
UGK@Hull
Amazon fulfillment center in Henrico
Coca-Cola bottling plant in Henrico
Richmond’s new baseball stadium
The Henrico Sports & Events Center
Shades of Moss
Padel Plant
Jean Theory
Shenandoah Mansions
HomeGoods
Fink’s Flagship store at Short Pump
Painted Tree Boutiques
RVA Hot Wheelz
Bangers & Dinks
Whistle Express car wash
Popshelf
Take a look at the following restaurants and breweries that closed in the Richmond area.
John B. Farmer is a lawyer with Leading-Edge Law Group PLC, which specializes in intellectual property law. He can be reached at www.leadingedgelaw.com.