GPSolo Magazine - March 2006
Intellectual Property Law
How to Prevent and Respond to a Phishing Attack on Your Client’s Brand
Anybody who has ever watched a commercial fishing boat cruise the open waters with hundreds of poles dangling overboard in hopes that even a few lines will snare unwary victims will appreciate how one of today’s biggest threats to e-commerce got its name. “Phishing,” as it is commonly known, typically involves a person (the “phisher”) who sends bulk e-mails seeking to persuade the recipients to visit a fraudulent website that solicits personal, confidential, and financial information. Like their aquatic namesake, phishers succeed in only a few instances, but the significant rewards they can reap from even a single victim and the ease with which they can simultaneously launch numerous attempts make this criminal activity attractive.
Phishing is not a new phenomenon, but it is becoming more common and more sophisticated. It is estimated that banks and financial institutions incurred $1.2 billion in losses in 2004 from phishing scams. Hundreds of famous brands have been used to lure consumers into a false sense of security and then defraud them into providing everything from credit card and banking information to ATM PIN numbers and their mother’s maiden name.
Phishing attacks are harmful, not only to individual victims and their banks and financial institutions, but also to companies that own the intellectual property used in the fraudulent e-mails and websites. On a personal level, a defrauded consumer may lose trust in the company whose brand was used in the phishing scam. On a larger scale, phishing tarnishes all online communications and diminishes the overall confidence consumers have in e-commerce transactions.
Most companies and attorneys that have dealt with the issue have focused on responding to an attack. Although knowing what to do when an attack occurs is critical, a comprehensive brand protection strategy should also include tactics to help prevent such attacks from ever occurring.
Responding to an attack. When responding to a phishing attack, the first order of business should be shutting down the offending site as quickly as possible to prevent unwary visitors from accessing it and providing confidential information. Usually, the fastest way to shut down a phishing site is to contact the host and request immediate assistance. To help ensure a prompt response, the communications to the host should include specific instructions and information. For example, the host needs to know the exact URL where the offending site resides, an explanation as to why the site is unlawful and/or infringing, and a citation to the relevant statutes and laws that are being violated. Because most phishing sites violate both copyright and trademark laws, it usually is proper to reference in correspondence to the host the Lanham Act and the Digital Millennium Copyright Act, as well as the statutory language required under the laws.
If the initial communication is proper, most hosts will respond promptly and shut down a phishing site. Others may be slower to react, so follow-up correspondence and telephone calls may be necessary to ensure the site is deactivated. In all cases, familiarity with the applicable laws and the host’s terms of service and policies will expedite a resolution.
To help create the false impression that a phishing site is operated by the legitimate trademark owner, many phishers use domain names that incorporate, or are confusingly similar to, a trademark owner’s brand; for example, a phisher might use the fraudulent site www.ACME-billing.com, which looks like the real site www.ACME.com. In such cases, in addition to shutting down the site, the trademark owner should consider steps to deactivate or obtain control over the domain name to ensure it is not used again to confuse or defraud unsuspecting consumers.
Most, if not all, domain names used in connection with phishing schemes are registered by the phisher in the name of an unknowing third party. The phisher does this, of course, to hide from the legal authorities, trademark owners, and other aggrieved parties. Because the Internet Corporation for Assigned Names and Numbers (ICANN) prohibits domain name registrants from using false or misleading contact information, a domain name used with a phishing scheme usually can be canceled by filing a complaint about false Whois data with ICANN and/or the sponsoring registrar. Upon expiration, the trademark owner can register the domain as a defensive measure.
Once notified that the domain name has been used in connection with a phishing scheme, some registrars will assist in transferring the domain to the legitimate trademark owner (often for a small registration fee). If not, the bad faith manner in which the domain name was used should be sufficient to allow the trademark owner to file and prevail in a Uniform Domain Name Dispute Resolution Policy proceeding.
Preventing attacks. All trademark owners should be prepared to respond quickly if a phisher strikes. Equally, if not more, important is taking steps to prevent a phishing attack from ever occurring.
Because phishing attacks rely on deception, an educated consumer is less likely to fall victim. It therefore is prudent for companies to routinely send their customers warnings about the perils of phishing and other online scams and also remind their customers that most legitimate businesses do not solicit confidential and personal information via unsolicited e-mails. Customers should be invited to report suspicious e-mails, websites, and similar activities.
Trademark owners should vigilantly monitor domain name registrations. Reports from such monitoring not only help protect against traditional cybersquatting and infringing online activities; they also identify suspicious domain name registrations that may be used for phishing activity. For example, domain names that combine a trademark with a word like “billing” (e.g., “ACME-billing.com”) are prime suspects for use in connection with online fraud schemes. Trademark owners with an efficient policing strategy often are able to challenge and suspend this type of domain name before the infringer has even had an opportunity to activate it.
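One way to automate the registration monitoring described above, as an added example that is not part of the original article. The keyword list beyond “billing,” the set of owned domains, the sample feed, and the function names are assumptions, and the check for confusingly similar spellings goes beyond the trademark-plus-keyword case named in the text.

```python
FRAUD_KEYWORDS = ("billing", "login", "secure", "account", "verify")  # assumed list
OWNED = {"acme.com"}  # domains the brand owner already controls (constructed)
DELEET = str.maketrans("013", "ole")  # common digit-for-letter swaps

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if len(a) > len(b):
        a, b = b, a
    if len(b) - len(a) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if len(a) == len(b):
                i += 1      # substitution: advance both strings
            j += 1          # otherwise an extra character in b: skip it
        else:
            i += 1
            j += 1
    return edits + (len(b) - j) <= 1

def classify(domain, brand):
    """Return a reason string for a suspicious domain, or None."""
    name = domain.lower().rstrip(".").removeprefix("www.")
    if name in OWNED:
        return None
    labels = name.split(".")
    # Simplification: ignores multi-part suffixes such as co.uk.
    label = labels[-2] if len(labels) > 1 else ""
    if brand in label:
        rest = label.replace(brand, "", 1)
        return "brand+keyword" if any(k in rest for k in FRAUD_KEYWORDS) else "contains-brand"
    tokens = label.translate(DELEET).split("-")
    if any(within_one_edit(t, brand) for t in tokens):
        return "lookalike"  # short brands produce false positives; a person reviews
    return None

def scan(domains, brand):
    """Map each flagged domain to its reason, for human review."""
    reasons = {d: classify(d, brand) for d in domains}
    return {d: r for d, r in reasons.items() if r}

# Constructed sample of newly registered names.
FEED = ["www.ACME-billing.com", "acme.com", "acme.net", "acm3-verify.info",
        "acne-login.org", "example.org"]

if __name__ == "__main__":
    for d, why in scan(FEED, "acme").items():
        print(f"{why:15} {d}")
```

Flagged names are candidates for review by the trademark owner or counsel, not findings of infringement.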
Finally, trademark owners or their counsel should routinely monitor online activities and third-party uses of brands. An ongoing trademark policing effort increases the chance that infringing and phishing websites will be identified before significant harm is inflicted on consumers or the goodwill associated with the targeted brand.
Summary strategy. E-mail providers, hosting services, and software programmers are working frantically to create systems that prevent phishing attacks from occurring. So far, phishers have remained one step ahead of such preventative measures, and trademark owners should not wait passively for such third-party assistance to arrive. An effective trademark protection strategy should not only include a plan to act quickly to terminate an active phishing site, but also should incorporate consumer education and ongoing policing efforts that seek to prevent phishing attacks from ever occurring.
By working closely with counsel experienced in such issues, a trademark owner can devise an appropriate and comprehensive strategy to help protect the valuable goodwill and reputation associated with the company’s intellectual property.
James R. Davis II is a trademark associate in the Washington, D.C., office of Arent Fox PLLC. He can be reached at firstname.lastname@example.org.
For More Information about the Section of Intellectual Property Law
- This article is an abridged and edited version of one that originally appeared on page 44 of IPL Newsletter, Summer 2005 (22:4).
- For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.
- Website: www.abanet.org/intelprop.
- Periodicals: IPL Chair’s Bulletin, a monthly update of Section activities and timely intellectual property issues; IPL Newsletter, a quarterly newsletter with current developments and Section news; Annual Report, a comprehensive summary of committee activities.
- Books and Other Recent Publications: Fundamentals of Intellectual Property Valuation: A Primer for Identifying and Determining Value; The Intellectual Property Handbook: A Practical Guide for Franchise, Business and IP Counsel; Patent Litigation Strategies Handbook, 2d ed. Pamphlet series intended for clients, including Marketing Your Invention, Submitting an Idea, What Is a Patent?, What Is a Trademark?, and What Is a Copyright? Extensive course materials in connection with CLE programs are also available.