The unfortunate reality is: threat actors – commonly referred to as fraudsters – will try to exploit your business. A recent domain fraud incident highlights the critical need for swift, coordinated action in response to cyber-related abuse. In this instance, and despite the clear-cut nature of the fraud, legal process through the Uniform Domain Name Dispute Resolution Policy (UDRP) took nearly two months – underscoring systemic delays and communication breakdowns that can prolong exposure and increase risk. Accordingly, your response strategy needs to be multi-pronged to minimize impacts on your business and your customers’ businesses.

The Incident

A client was targeted in a spear phishing attack in which a fraudster credibly impersonated the client’s CEO in an email to an accounts receivable (AR) manager. The fraudster obtained a list of aged receivables, and used that information to launch a typosquatting scam – impersonating the AR manager and attempting to redirect payments to a fraudulent bank account.

Typosquatting involves registering domains that closely resemble legitimate ones, often by substituting visually similar characters (e.g., replacing the letter “o” with the number “0”). In this case, the fraudulent domain differed by a single character, making it difficult to detect at a glance. Consider how easily the following can be confused:

  • l (lowercase “L”) vs. I (uppercase “i”) vs. 1 (numeral one)
  • O (Latin letter) vs. Ο (Greek omicron)

Imagine you receive an email that superficially looks like it’s from your boss’s email address, complete with a signature block, but has one or two characters swapped as shown above. For example, would you notice the difference between the email addresses Sergey@GOOGLE.com vs. Sergey@GΟΟGLE.com?[1] Your computer will – but your eyes may not.
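The check a computer can make where the eye fails, sketched as an added example that is not part of the original alert. The function names, the small `CONFUSABLES` table (a constructed subset, not the full Unicode confusables list) and the example.com addresses are assumptions for illustration; the one-character test goes slightly beyond look-alike characters to cover any single-character variant.

```python
# Added example: flag sender domains that imitate a trusted domain.
# CONFUSABLES is a small constructed subset, not the full Unicode table.
CONFUSABLES = {
    "0": "o", "\u039f": "o", "\u03bf": "o",  # digit zero, Greek omicron
    "\u041e": "o", "\u043e": "o",            # Cyrillic O
    "1": "l", "I": "l",                      # digit one, uppercase i
}

def skeleton(domain: str) -> str:
    """Fold look-alike characters to one representative, then lowercase."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain).lower()

def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # single substitution
    return a[i:] == b[i + 1:]           # single insertion/deletion

def classify(address: str, trusted: str) -> str:
    """Compare the sender's domain with the domain you actually do business with."""
    domain = address.rsplit("@", 1)[-1]
    if domain.lower() == trusted.lower():
        return "trusted"
    if skeleton(domain) == skeleton(trusted):
        return "lookalike: confusable characters"
    if one_edit_apart(domain.lower(), trusted.lower()):
        return "lookalike: one character off"
    return "unrelated"

if __name__ == "__main__":
    # Constructed samples; the first two are the addresses from the text above.
    samples = [
        ("Sergey@GOOGLE.com", "google.com"),
        ("Sergey@G\u039f\u039fGLE.com", "google.com"),  # Greek omicrons
        ("ar@examp1e.com", "example.com"),
        ("ar@exanple.com", "example.com"),
    ]
    for address, trusted in samples:
        print(f"{address!r:32} -> {classify(address, trusted)}")
```

A mail gateway or accounts-payable workflow could apply the same comparison to inbound sender domains and hold any "lookalike" result for manual verification before payment details are changed.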

So, what do you do if your business is targeted? You need to swiftly engage legal support, but also quickly engage in customer support.

You and your business need to shut down the fraudsters through every legal channel. But you also should, and in many cases may be contractually obligated to, contact your customers. Without proactive outreach, the incident can damage trust and strain client relationships.

Key Takeaways

  1. Registrar Lock ≠ Full Protection — While the fraudulent domain was quickly placed under registrar lock following a UDRP complaint, the associated email account remained active. Despite repeated reports, the registrar failed to disable the email, allowing the scam to continue. This highlights a critical enforcement gap. The UDRP process was only about two months, but that is an eternity for a scammer. Nevertheless, the fraudulent domain must be shut down.
  2. Top-Level Domains Are Just the Beginning — After legal counsel successfully shut down the top-level domain (TLD), which was a “.com,” the fraudster registered additional domains using other TLD extensions, including a “.org” and “.net.” Those were also shut down, but the incident underscores a critical point: threat actors are persistent and can cheaply register multiple domains in no time at all. Be proactive in shutting down TLDs and, where feasible, register common TLD variations of your primary domain.
  3. Banks Can Be Gatekeepers – If You Reach the Right Person — Once engaged, the bank in this incident froze the fraudulent account(s). However, initial attempts through standard customer service channels were ineffective. Escalation to legal or compliance contacts may be necessary. But stopping the flow of money helps stop the fraud. Communication with customers is critical, and learning the banking information can help stop the fraudulent activity.
  4. Information Sharing Is Crucial — Timely, accurate communication among all stakeholders – clients, customers, banks and legal counsel – can significantly reduce the window of exposure. Early and frequent updates help shut down fraud faster.
  5. Reporting to Authorities Builds a Record — This incident was reported to the FBI via the Internet Crime Complaint Center (IC3). While such reports may not yield immediate results, they contribute to broader law enforcement efforts. Submitting a report is strongly recommended in all cases of cyber fraud, as it helps to build patterns for law enforcement and informs investigations.
  6. Don’t Rely Solely on Email to Notify Customers — Despite repeated email alerts around this incident, several customers were still defrauded – direct phone calls to potentially affected customers proved far more effective. Email alone is often overlooked or misinterpreted, especially after an email fraud. Human contact is critical and conveys urgency, authenticity and accountability – qualities that email often cannot reliably deliver. Moreover, human contact can be a way to grow or maintain client relationships. Bottom line: call people!

Suggested Action Items in the Event of Typosquatting

  • Ensure registrar action includes disabling associated email accounts.
  • Consider proactively registering potential fraudulent domains.
  • Establish escalation paths with financial institutions.
  • Share relevant information promptly with banks and legal counsel.
  • Report incidents to IC3 and other appropriate authorities, as well as cyber insurance carriers as appropriate.
  • Personally contact affected customers – don’t rely solely on email.

If you have questions about domain fraud response or need assistance navigating a similar situation, please contact any of the authors, or your regular Lathrop GPM attorney.


[1] Google was not involved in this incident nor was Sergey Brin, nor are they affiliated with this alert; they are just really well-known and illustrative.