This article was first published in the World Trademark Review magazine on 4th March 2021.
In a recent case of a domain name being used for phishing purposes, internet users visiting the site ‘bmẉ.com’ were greeted with an enticing survey, which used official Bayerische Motoren Werke AG (BMW) branding and offered a free BMW car. In reality, these users were giving away their personal data, with the reputable car brand as bait.
The domain name used to deliver the attack was almost indiscernible from the brand owner’s official website – a small dot beneath the ‘w’ was the only difference. As hyperlinks are typically underlined, this dot becomes even harder to detect, particularly for users on small screens.
Thankfully, BMW successfully retrieved the domain name by way of a UDRP decision (WIPO Case No D2018-2016). Nevertheless, the case highlights just how important it is for brand owners to understand how fraudsters create such deceptive domain names and how the UDRP can be used to recover these.
‘Bmẉ.com’ is an internationalised domain name (IDN). In their primary form, IDNs appear nonsensical. They invariably start with ‘xn--’ and may contain seemingly random letters and numbers (eg, the domain name ‘xn--krcher-bua.com’). Pasting this into a browser and hitting enter will reveal that it transforms into ‘kärcher.com’ and directs users to the brand owner’s official site. The domain name in BMW was actually ‘xn--bm-e3s.com’, but appeared as ‘bmẉ.com’ in browsers and links.
IDNs contain characters from non-Latin alphabets (eg, Arabic and Cyrillic, among others). A system named ‘punycode’ is used to create IDNs, which transcribes a code of standard characters into non-Latin alphabet characters.
In their transcribed form, IDNs may be important for brands with non-Latin characters to accurately reflect their trademark in a domain name. While punycode allows for greater accessibility in domain names, it also comes with risks to brand owners. Examples of characters that use punycode representation are ‘ẹ’, ‘ɾ’, ‘ı’ and ‘ẉ’. These characters have all been used in domain names subject to dispute proceedings brought by trademark owners.
Non-Latin characters that bear significant similarity to those in the Latin alphabet are a clever way to trick unsuspecting online users into visiting an illegitimate website. It is, effectively, an evolution of typosquatting, where single letters in a trademark are conspicuously omitted from or swapped in the domain name. Instead, malicious impersonators use characters that will, at first glance, recreate the targeted brand identically.
In domain name dispute resolution proceedings, such as those of the UDRP, trademark owners must show that a domain name is identical or confusingly similar to their mark.
UDRP panels assess IDNs in their final, visual form. The particularly deceptive nature of punysquatting (ie, cybersquatting with the use of punycode) means that malicious IDNs present a real risk to the public.
The BMW case is far from unique. In WIPO Case No D2017-2211, the domain name ‘ıĸea.com’ (‘xn--ea-gpa2a.com’) displayed a website, which “informed users that they could win a free voucher from the Complainant’s Group if they completed a survey”. Instead, those users were giving away personal details to an illegitimate source.
A registrant’s intentions when registering a domain name can help to determine confusing similarity, particularly if those intentions include fraud. This is established outside of the punysquatting context and where the similarity is less obvious (eg, WIPO Case No D2020-3200, which compared the mark G4S with G4LOGISTIC).
Thus, WIPO panels will view an intentionally deceptive IDN as presumptively malicious. In WIPO Case No D2018-1654 (‘ɯhatsapp.com’ (‘xn--hatsapp-fid.com’) and ‘whɑtsɑpp.com’ (‘xn--whtspp-cxcc.com’)), the panel stated that “the fact that Respondent used Punycode to make the Domain Names visually similar to Complainant’s mark” pointed to bad faith.
Some instances of punysquatting can be almost indiscernible – even for the most observant of online users (eg, the domain name involved in Forum Claim 1802017 for ‘bloombeɾg.com’(‘xn--bloombeg-m0d.com’)). Even where these domain names are unused, panels have no issue finding bad faith.
There have been similar cases that make no mention of fraudulent activities, such as WIPO Case No D2019-2192 (‘aırfrance.com’/’xn--arfrance-tkb.com’) and WIPO Case No D2019-2984 (‘facẹbook.com’/’xn--facbook-ts4c.com’). Yet the potential for these domain names to be used as vehicles of fraud is clear. Scammers will use this type of domain name in hyperlinks within emails, where the tiny differences between real and fake domain names are harder to spot on smaller screens.
For this reason, punysquatting can cause real damage to a brand’s reputation and consumer trust. This is well documented in WIPO Case No D2018-1286. The domain ‘ẹos.com’ (‘xn--os-g7s.com’) was used for fraud, mimicking the name of the EOS cryptocurrency. The complainant, which operates in the data technology sector, was unrelated to this cryptocurrency, yet it received several complaints because of the confusion between its legitimate website and the disputed domain name. The case shows that punysquatting can cause all types of damage, including collateral.
IDNs have value and should not be viewed as an unacceptable risk to domain name system security, as they expand the domain name space to users of non-Latin alphabets.
Nevertheless, trademark owners must be aware of the punysquatting threat. Their use in emails can be highly deceptive, compounded by the public’s relative lack of knowledge of the existence of IDNs. Defensive domain registrations are recommended as a first resort. Thankfully, when needed, the UDRP and other domain name dispute policies allow for the straightforward recovery of such high-risk domain names.