An organization’s web site is its digital home – the hub where it can attract customers and serve them online.
The first step in setting up that house is usually buying a domain name that reflects the organization’s name. In some cases, though, you may discover others have tried to grab that domain for themselves first through a practice known as cybersquatting and are using it to deceive customers into handing over their data.
What Is Cybersquatting?
If you haven’t landed on a site where it’s happened, cybersquatting might be a confusing term. However, it’s an easy and common tactic among threat actors, and everyone should be aware of it.
Definition and explanation of cybersquatting
Company names can be very valuable, which is why many organizations trademark them. Cybersquatting refers to scenarios where someone registers a domain name in bad faith. That means the name should belong to an entity with a legitimate business interest in the domain or who owns the trademark to the name reflected in a domain.
Impact of cybersquatting on businesses
Cybersquatting can be the basis for a wide range of illegal and unethical activities. Some might register the domain name of a rival company in order to redirect to their own site when customers search for the name online.
In other cases, threat actors could use cybersquatting to set up a bogus but legitimate-looking site where they can steal data or commit fraud. For the legitimate business that should own the domain, it could mean lost revenue, damaged customer relationships and a hit on their reputation.
Common tactics used by cybersquatters
Sometimes cybersquatters have tried to exhort organizations by demanding a high payment in order to transfer ownership of a domain. In other cases, they might use the domain to set up sites that run affiliate marketing or other digital ad campaigns as a money-making scheme.
Some cybercriminals will use cybersquatting as a way to direct people they lure through phishing schemes. They might send an e-mail with a link to the domain name they’ve registered, for example, which leads to a site that looks like a legitimate entity and leads unsuspecting visitors to enter their account details.
Examples of cybersquatting
One of the easiest ways for cybersquatters to get started is by registering the domain of an organization that has already established a digital presence, but with a different extension.
If an organization has set up their web site with a dot-com domain, for example, cybersquatters might register the same name with a dot-org, dot-biz or dot-org extension.
In other cases, cybersquatters might register domains with variations on an organization’s name, such as the main name followed by “Inc” or “Corp.” For organizations with a wide international presence, cybersquatters might also include country or regions in the domain names they register.
When cybercriminals register domains that misspell an organization's name, it is known as typosquatting.
The Legal Implications of Cybersquatting
Given that it involves essentially posing as another organization or individual through a domain name, it’s no surprise that lawmakers have taken action to try and protect people from cybersquatting.
Laws and regulations against cybersquatting
Contrary to the notion that governments are always playing catch-up with technology trends, the U.S. Congress got in front of the issue as early as 1999 with the passing of the Anticybersquatting Consumer Protection Act (ACPA). It’s a piece of legislation designed to protect businesses and everyday citizens alike, and it allows those who feel they’ve been infringed upon to sue at the federal level.
There is also an international arbitration system organizations can turn to that’s run by the Internet Corporation of Assigned Names and Numbers (ICANN), which involves filing a complaint with a service provider that’s been authorized to resolve cybersquatting disputes.
Consequences for cybersquatters
If an organization decides to take legal action under the ACPA and wins, it can be costly for perpetrators. Cybersquatters can be fined anywhere from $1,000 to $100,000 for each infringed domain name. Perhaps even more importantly, the courts can force cybersquatters to transfer a domain name to the legitimate entity that owns a trademark associated with it.
Steps to take legal action against cybersquatters
Before facing off against cybersquatters in court, you’ll need to do some prep work. This includes gathering proof that the cybersquatter was acting in bad faith when they registered the domain. You’ll also have to show you trademarked your organization’s name before the domain name was registered by someone else.
The process is similar under ICANN, though arbitration is not about handing out fines but simply transferring the domain name to the party with a legitimate interest and trademark. This includes domain names that are confusingly similar to the proper name.
Protecting Your Brand from Cybersquatters
It’s easy for an organization to fall victim to cybersquatting, but there’s also a lot they can do to try to avoid it.
Proactive measures to prevent cybersquatting
The easiest step is to secure your organization’s domain name as soon as possible. This should be a domain that most accurately reflects your organization and the type of sector in which you’re operating. For example, organizations that sell to consumers or other businesses might first register a dot-com domain, while those focused on the educational sector might use a .edu, and public sector organizations might register a dot-gov domain.
Registering and monitoring domain names
Don’t stop with that first domain name registration, however. Look for all the possible domains that cybersquatters might use to divert traffic, impersonate your brand or use in other ways that show bad faith. Many people searching up organizations online just make an educated guess when they type a URL into their browser. Register any you think you might use and redirect as needed.
You might also want to monitor for domain name registrations that look suspicious involving words or phrases that closely resemble your trademark.
Enforcing trademark rights
Even if there’s no evidence of any direct damage being caused by cybersquatting, you should never turn a blind eye to it. Enforcing trademarks – either through cease-and-desist letters, arbitration or litigation – is important to ensure you aren’t seen as passively consenting to the infringement. This can make it harder to pursue cybersquatting disputes and resolve them later on.
Recognizing and Responding to Cybersquatting
Cybersquatting cases may seem far removed from your organization’s day-to-day issues, but infringement can come with little warning. Be prepared:
Identifying potential cybersquatting cases
You might first hear about cybersquatters infringing on your trademark through customers who accidentally stumble on the wrong site. The same thing could happen with employees or partners who type too quickly into a Web browser or use the wrong domain extension.
Monitoring tools or services can also detect cybersquatters soon after they’ve registered and are using a domain, especially for affiliate marketing or advertising purposes. And, of course, in some instances those who have taken a domain will reach out directly with an extortion attempt.
Reporting cybersquatting incidents
Before you contact any authorities, the best approach is to send the offending party a cease-and-desist letter. This should inform them that you are aware that they are infringing on your trademark or have registered a domain in bad faith. You can give them a specific deadline to transfer the domain, as long as your intentions to litigate or seek other legal recourse.
If that doesn’t work, consider filing a complaint under ICANN’s Uniform Domain-Dame Dispute Resolution (UDRP) policy. This can begin the process of arbitration with the offending party.
The other recourse is to contact your lawyer and sue under the ACPA.
Recovering hijacked domain names
Getting a domain name back that you own (if a cybersquatter took it because you let the registration lapse, for example), you could begin by contacting your domain registrar for help. This is also an area where you can file a UDRP complaint. You’ll need to provide full documentation about your trademark, your ownership of the domain and any other proof that may be required.
Cybersquatting in Social Media: How to Protect Yourself
Beyond an organization’s web site, trademarks like names are also used to extend into other digital channels like social media. Unfortunately, cybersquatters can cause trouble here, too.
Cybersquatting risks on social media platforms
Sometimes referred to as “username squatting,” cybersquatting on social media involves someone setting up a profile on a platform like Facebook, Instagram or TikTok in bad faith with a name other than their own. This isn’t limited to organizations but can happen to high-profile individuals such as celebrities.
Protecting your brand's reputation online
Cybersquatting on social media can be just as dangerous because those running an account could impersonate an organization to request information from followers, spread malicious links or drive traffic back to their own sites. This is another area where it’s a good idea to have monitoring tools in place, or to at least conduct routine checks for your organization’s trademarked name and variations of the name.
Dealing with impersonation and fake accounts
Unlike traditional cybersquatting, the ACPA and the ICANN’s UDRP doesn’t really provide enforcement options for those squatting on social media sites. You can still send a cease-and-desist letter, and in some cases the organization running the social media platform will have policies and procedures to help trademark owners report imposters and fake accounts.
Educating Yourself and Your Team Against Cybersquatting
The more you understand threats like cybersquatting, the better position you’ll be in to spot, report and rectify them. Ideally you want to have domain names transferred to your organization before any serious financial or reputational damage is done.
Staying updated on cybersquatting trends
Social media is a great example of where traditional cybersquatting evolved into a whole new area. As other digital channels emerge (such as the metaverse), make sure your organization has plans in place and procedures to enforce your trademark and prevent any potential confusion among your customers.
Training employees to identify cybersquatting attempts
Your staff are a great resource to identify and report cybersquatting attempts, given they are often on the front lines managing an organization’s digital channels and serving customers through them. At a minimum they should know how cybersquatters work, why it’s a serious issue and how they should capture details and communicate suspicions they come across through their work or in conversations with customers and partners.
Raising awareness about the importance of online security
Educating the team about cybersquatters can be just one part of a more over-arching effort to provide critical training and education about cybersecurity issues and threats. When employees know how your organization’s information could be compromised or its defenses breaches, they can help minimize negative outcomes before they get worse.
Protect Against Cybersquatting With LastPass
Organizations don’t have to contend with issues like cybersquatting on their own. Trusted advisors like LastPass have services and expertise that can help.
Strong and unique passwords
Even if cybersquatters redirect customers to a bogus site, having strong and unique passwords will make it more difficult for threat actors to steal data and interfere with operations. In fact, LastPass makes it easy to change and update your passwords the moment there’s any concern about potential misuse.
Security alerts
Once you start using LastPass for password management, you can set up alerts when someone else tries to use your credentials, including on a site run by cybersquatters.
Dark web monitoring
LastPass also does routine checks online to ferret out those who might be attempting to sell stolen data to other cybercriminal groups. By monitoring the Dark Web, LastPass can provide customers with early warning on activities they should know about.
Dedicated TIME team
As part of its ongoing commitment to giving customers the best possible service, LastPass also runs a dedicated Threat Intelligence, Mitigation, and Escalation (TIME) team. This group can provide deep insight into emerging threats and the best way to ensure your organization doesn’t wind up among the victims.
Ready to rise up against the cybersquatters? Start your LastPass trial today.