In Victoria’s Secret Stores Brand Management, Inc. v. Fundacion Private Whois / Domain Administrator, the arbitrator Hon. Karl V. Fink found that the respondent (“Fundacion”) had registered and utilized the domain www.victorassecret.com in bad faith, and transferred the domain to complainant Victoria’s Secret.
An important part of the case, not addressed by the arbitrator, was that the respondent was engaged in “phishing” activities where it attempted to harvest and store personal information from unsuspecting users. While the case reached the proper legal outcome, it missed an opportunity because it failed to address this important cyber-security issue and explain clearly that phishing is an important ground for determining bad faith under the UDRP.
The practice of “phishing” denotes a wide range of activities, all of which are intended to extract sensitive information from unsuspecting users, such as usernames, passwords, and credit card information. Phishing has emerged in a number of highly publicized contexts, most notably where the scammers convince the users that their bank or lending institution is sending them an e-mail and asking them to reset a password or provide personal financial information.
A recent article which appeared in the publication Smart Money (and on the website www.allspammedup.com) discussed a recent phishing attack on a Virginia based payment processing company called Nacha where the scammers sent out over 167 million forged emails that contained the Nacha company logo, contact information and content from the Nacha website – all in one day. Phishing scams and related cyber-crime have become an issue of national security. Just last month the Financial Services Information Sharing and Analysis Center (FS-ISAC) put U.S. banks on high alert against cyber-attackers that it believed were attempting to login credentials from bank employees in order to conduct extensive wire transfer fraud.
In this case, the respondent’s “phishing” ruse came in the form of a software download from a website, initiated by a user’s attempt to take advantage of a gift card being offered by clicking on a link. Specifically, respondent used the victorassecret.com domain name to put up a website which attempted to “lure people into disclosing their private mobile cell numbers in order to get a $500 gift card.” After submitting a mobile number, a user would be prompted by advertisements for auto insurance rates, and if the user clicked “No Thanks,” they would be instructed to enter an e-mail address and zip code. The resolving website also instructed users to install a software program to receive the gift card. (*The site is still active as of this writing.)
The site was clearly designed to extract phone, email and address information by inputting it through the site, as well as by installing software on the user’s computer; these are all indications of “phishing.” Yet the arbitrator didn’t address the issue of “phishing” head on, instead focusing on the fact that the respondent gained a pecuniary benefit from free riding on the complainant’s goodwill. While none of this is technically “wrong” – the decision was decided correctly – it is important for UDRP panels to come down hard on phishers and to establish that phishing as a practice is a major indicator of bad faith on the part of a respondent. Future complainants with properties that lack the strength of the Victoria’s Secret’s mark would benefit greatly from a decision ensconcing “phishing” as a prima facie bad faith practice. This rationale is necessary for the UDRP to provide an adequate response to current cybersecurity issues, while simultaneously protecting those intellectual property owners from the freeriding tactics of cybersquatters.