Typosquatting refers to malicious criminal online behavior where “bad actors” set up a website with a domain name that is a “typo” away from a legitimate website. In other words, a fraudulent website is established with a domain name that is a purposeful misspelling of a legitimate domain name. For example, a cybercriminal might create a website with a domain name BOOKINGS.com to mimic the more famous BOOKING.com. Typically, the “fake” website looks very similar to a legitimate website. The criminal actors hope for two types of behaviors from which they can unlawfully profit:

• Sending phishing-type emails that might be opened by employees of the legitimate business allowing hacking and/or the injection of malicious code and/or
• The hope that, by accident, an internet user (customer) might be diverted to the fake website, which looks “real,” for various nefarious purposes like stealing funds, obtaining the customer’s personal information, or diverting sales to the mimicking website

Typosquatting is a form of cybersquatting and has become more common over the last few years. Cybersquatting is where a person or business sets up a website domain name that is the same as a trademark like WALMART.com. With typical cybersquatting, the criminal actor is hoping to be paid to transfer the domain name to the owner of the trademark (and this can be the purpose of typosquatting too). Cybersquatting is also defined as using a “confusingly similar” domain name like WALMARTSTORES.com. Typosquatting is the use of a “confusingly similar” domain name, but tends to be only one letter “off.” Criminal actors engaged in typosquatting focus on creating a domain name that could be an “easy” typo for a customer to make as they are typing or for an employee not to notice.

How Do I Protect My Business?

Both typosquatting and cybersquatting are unlawful and any business that is damaged by such behavior has legal recourse. However, prevention is often a better option. Here are a few strategies that can be used to protect your business from typosquatting:

• Register and own domain names that are misspellings — One of the easiest methods for a business to protect itself from typosquatting is to register and own multiple domain names that are close misspellings of their “main” website domain name; of course, there are costs associated with registering and owning domain names, but the costs are far less than the damage that can be inflicted on your business by typosquatting

• Monitor the marketplace and internet for typosquatting — Monitoring the marketplace and internet for typosquatting can be done in-house; but there are also reasonably priced services that will accomplish the same task

• Prepare to dispute domain name ownership — if a domain name is “confusingly similar” to a domain name that is trademarked, ownership of that domain name can be disputed via arbitration proceedings before the Internet Corporation for Assigned Names and Numbers

• Prepare to litigate — As a form of cybersquatting, typosquatting is prohibited by the Anticybersquatting Consumer Protection Act which was passed in 1999; those engaged in typosquatting can be sued in federal court for money damages and injunctive relief

Contact Revision Legal For more information or if you have other questions related to domain names and internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.

The Anticybersquatting Consumer Protection Act (ACPA)

The Anticybersquatting Consumer Protection Act of 1999, 15 U.S.C. § 1125(d), provides the primary federal civil remedy against cybersquatting and typosquatting. To prevail under the ACPA, a trademark owner must prove: (1) it has a distinctive or famous mark; (2) the defendant registered, trafficked in, or used a domain name that is identical or confusingly similar to the mark; and (3) the defendant acted with a bad faith intent to profit from the mark.

Courts apply a nine-factor test for bad faith intent, including: whether the registrant has trademark or other IP rights in the domain name; whether the domain name contains the registrant’s legal name; prior use of the domain name for a legitimate website; evidence of intent to divert consumers; offer to sell the domain name; use of false contact information when registering; acquisition of multiple domain names incorporating others’ marks; and whether the mark was distinctive or famous at the time of registration.

Statutory damages under the ACPA range from $1,000 to $100,000 per domain name, in an amount the court considers just. Courts can also order transfer of the domain name and may award attorneys’ fees in exceptional cases. For typosquatters who operate at scale — registering dozens or hundreds of variant domain names — ACPA damages can be substantial.

ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP)

An alternative to federal litigation for domain name disputes is the Uniform Domain-Name Dispute-Resolution Policy (“UDRP”), administered by ICANN and various approved dispute resolution providers including the World Intellectual Property Organization (“WIPO”) and the National Arbitration Forum. UDRP proceedings are faster and less expensive than federal litigation — proceedings typically conclude within 60 days and costs are several thousand dollars rather than the tens or hundreds of thousands associated with federal litigation.

To prevail in a UDRP proceeding, the complainant must prove: (1) the domain name is identical or confusingly similar to a trademark in which the complainant has rights; (2) the registrant has no rights or legitimate interests in respect of the domain name; and (3) the domain name has been registered and is being used in bad faith. UDRP panels have consistently found typosquatting — the deliberate registration of a domain name that is a common misspelling of a well-known trademark — to constitute bad faith registration and use.

The remedy available in UDRP proceedings is limited to transfer or cancellation of the domain name — no monetary damages are available. For businesses primarily concerned with reclaiming a domain name rather than recovering damages, the UDRP is often the more practical option.

Typosquatting as Email Fraud: The Security Dimension

Beyond diverting web traffic, typosquatting poses a serious email security threat. Cybercriminals register typosquatted domains specifically to intercept misdirected emails or to send fraudulent emails that appear to come from a trusted business. This is sometimes called “email spoofing” or “business email compromise” (“BEC”). According to the FBI’s Internet Crime Complaint Center, BEC schemes cause billions of dollars in losses annually — more than any other category of cybercrime.

Businesses can take technical steps to protect against email-based typosquatting attacks. Email authentication protocols — including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) — help receiving email servers identify and reject spoofed emails. Registering common typo variants of your domain name and pointing them to your main website or to a warning page also prevents criminals from sending email from those domains.

When to Seek Legal Help for Typosquatting

Not every discovered typosquatting incident requires full-scale litigation. The appropriate response depends on the harm being caused and the resources available. A demand letter from an attorney is often sufficient to prompt removal of a typosquatted site, particularly when the registered domain name clearly infringes a well-known trademark. For cases where demand letters are ignored or where the registrant cannot be identified, UDRP proceedings or ACPA litigation may be necessary.

If your business discovers a typosquatted domain that is actively diverting customers or being used to send fraudulent emails in your name, you should contact legal counsel promptly. The longer a typosquatted site operates, the more customer confusion and reputational damage can occur. Contact the internet lawyers at Revision Legal at 231-714-0100 for immediate assistance.