By Lucy Rana and Pranit Biswas
“Hello, this is @#&% from &*&^ Bank, you are being given a loan of Rs. 5,00,000!!”
“Hi, this is ABCD from XYZ Credit Card Company, you have been selected for a cash prize of 1,00,000 rupees!”
Many of us have at one point of time or the other disconnected such unsolicited calls in frustration. Unsolicited calls for such ‘scams’ have been there for decades. Additionally, we also receive innumerable unsolicited e-mails from a variety of enterprises, many of which are blatantly scams, that we are constrained to delete from our inboxes on a daily basis. Correspondingly, there have been increasing number of initiatives to make the general public cautious and aware of such scams and have the presence of mind not to fall into such traps.
However, con-artists/criminals/scammers/ ‘phishers’, trying to keep a step ahead of security practices, have come up with ingenious and nefarious new methodologies to trap users – which have brought to the fore concepts such as “typosquatting”. While this is not a new concept, this is something which assumes great importance in this day and age, when such scams/phishing can spill-over in the pharma world/industry due to the prevalence of COVID-19 and vaccines and such.
“Typo-Phishing”, “Typoscams” or “Typosquatting”
“Typo-phishing” or “typo-squatting” is not a new menace, but has reared its ugly head in this time of global crisis in the face of the COVID-19 pandemic. Internet users can be targeted to disclose personal information under the guise of medical assistance or for registering for an ever elusive vaccine.
The perpetrators of such typoscams are well aware that most busy individuals do not have the time to carefully scrutinize each and every email dropping into their flooded inboxes. Therefore, we prioritize our attention on emails we believe are likely to be necessary or urgent, such as those from banks, hospitals, medical institutions, financial institutions, educational institutions, etc. Knowing this, ‘phishers’ attempt to capture our attention by engaging in ‘typosquatting’.
In such cases, the perpetrators tend to register a domain name which closely resembles the official websites of such institutions, and/or host websites thereon which may be identical or closely similar to the original ones. From the said websites, the phishers may then send emails which may even be very similar to original emails from these institutions, with the intention of duping users to divulging confidential personal information (such as card numbers, passwords, bank details, etc.) towards eventually depriving the users of their money. The high quality and deceptive similarity of some of these websites/emails is the core threat of typo-squatting cases. As phishers become cleverer and sophisticated, in some cases it becomes VERY DIFFICULT to distinguish fake from real. For example, a user desperately searching for vaccines and related information, may easily be misled into providing critical personal details to a ‘fake’ website such as AZTRAZENECA.COM or PIFZER.COM and/or email IDs associated with such websites/domains.
It is very easy, for even highly educated and aware customers, to get fooled by such typo-squatters who may adopt such and similar tactics. It is a common cognitive error wherein readers comprehend the entirety of the text based on a few familiar letters, despite spelling errors and other misplaced letters therein. For example, it is very easy to confuse ‘AstraZeneca’ and ‘AztraZeneca’, especially if it is in an email/website/SMS, and particularly for those anxious under present circumstances to get vaccinated.
Therefore, skilled typo-squatting can lead to very serious crimes, including but not limited to identity theft, fraud and financial scams, theft of intellectual property, theft of confidential business information, and even (as indicated by the above example) frauds having undesired, perhaps even dangerous, medical consequences.
[For more information about examples of such Cyber Theft and the laws governing such cyber-crime in India, please refer to https://ssrana.in/articles/cyber-theft-a-serious-concern-in-india/.]
DOMAIN NAME ARBITRATION – A SOLUTION TO OBTAIN SUCH DOMAIN NAMES
Typo-squatting has come before domain arbitration forums, such as the WIPO Arbitration and Mediation Center (for gTLDs such as .COM, .NET, etc., domains) and NIXI in India (for ccTLDs such as .IN and .CO.IN) for a long time. Many brand owners may opt to take more stringent measures such as filing lawsuits/ criminal complaints or ‘soft’ measures such as sending cease & desist letters to such typo-squatters, however a better option (in cases where a typo-squatting domain is the sole instance of infringement) is to file domain complaints, as they not only result in cessation of use of the fraudulent activity, but also lead to transfer of the domain names to the brand owners, at the fraction of the cost of litigation.
UDRP (Uniform Domain-Name Dispute-Resolution Policy) on Typo-squatting and Typoscams
Typosquatting has been recognised in numerous decisions under the UDRP. Under the UDRP, three elements have to be established (domain name is similar/identical to a trade mark or service name; respondent lacks any legitimate rights or interest; and use and registration of the domain name is in bad faith). It is evident that such domain names are similar/identical to trade names or trademarks, and it would be difficult for typo-squatters to come up with arguments justifying that they are making legitimate or fair use of such similar/identical domain names and that the same are not in fact bad faith registrations.
In fact, an example of how typosquatting can lead to big problems in today’s pandemic-ridden world is when it extends to the pharmaceutical industry. In 2005, AstraZeneca AB, the co-creators of the “Covishield” vaccine had to file a UDRP domain complaint to recover the domain names <ASTRASENECA.COM> and <AZTRAZENECA.COM> (as mentioned earlier as an example), which were basically the name ‘AstraZeneca’ with minor typographical errors. One can imagine the havoc a typo-squatter could have wreaked in 2020-2021, if these domain names/websites had been allowed to be around for purposes such as phishing or identity theft. Even Pfizer Inc., a maker of another COVID-19 vaccine, had to tackle a similar instance back in 2006, for the domain name <PIFZER.COM>. In both these cases, the respective WIPO panels had recognised typosquatting.
INDRP (.IN Domain Name Dispute Resolution Policy) on Typosquatting
Typosquatting has also been recognized in decisions under the INDRP, including but not limited to the ones below:
|S.No.||Trade Mark||Domain Name||Case No.|
Thus, if facing a “typosquatting” problem with respect to .IN or a .CO.IN domain name/website, brand holders have the viable option of filing a complaint under the INDRP before NIXI, to recover the said domain name/s.
Thus there is a big potential of misuse/fraud via typosquatting in domain names, including (as depicted above) with respect to the pharmaceutical industry. Perpetrators may be able to dupe unknowing members of the public into leaking confidential medical, financial and personal records. A good option for recovering such infringing domain names by brand owners is by filing domain complaints – provided no active or hazardous fraud is being perpetuated by the domain name, as in those cases, a lawsuit (for interim injunction) or a complaint with the cyber cell would be a more comprehensive option.
In conclusion, it is imperative for the general public to be wary of such scams and read content in emails or over the Internet very carefully, especially if it concerns topics such as medical care, vaccinations, pharmaceuticals, financial information, educational information, etc.
[For more information regarding how to spot such instances of phishing, please refer to our earlier article at https://ssrana.in/articles/emerging-frauds-digital-world/.]
Concurrently, it is also important for brand owners to conduct timely due diligence and take reports of fraud regarding such phishing and typosquatting seriously, as the same is likely not only damage their goodwill and reputation, but cause actual harm to the general public.
 AstraZeneca AB v. Alvaro Collazo [Case No. D2005-0367], available at https://www.wipo.int/amc/en/domains/decisions/html/2005/d2005-0367.html.
 Pfizer Inc. v. Registrant [Case No. D2006-1646], available at https://www.wipo.int/amc/en/domains/decisions/html/2006/d2006-1646.html.