Cyber-squatting Scams: Hijacking brands one domain at a time.....by Gurjot Singh Kaler

In an age where digital presence defines credibility, a domain name serves as more than just an internet address—it’s the signature identity of a business, often preceding physical assets.However, an insidious threat lurks behind the veil of this online identity: cyber-squatting.

This deceptive practice involves registering, trafficking, or using a domain name similar to a known brand or individual with the intention of profiting from its goodwill. The cost is not just monetary; it’s reputational, legal, and strategic.

Cyber-squatting, or domain squatting, occurs when someone deliberately registers a domain name identical or strikingly similar to a well-established brand, company, or personality, intending to later resell it at a premium or misuse it. Most cyber-squatters have no legitimate connection to the domain name.

They exploit the value of a brand that someone else has built—either by holding the domain for ransom or using it to mislead visitors, conduct fraud, or redirect users to harmful websites.

The early 1990s saw a surge in such practices as businesses began shifting online. While laws have evolved globally to address the issue, enforcement and awareness, especially in developing economies like India, remain inconsistent.

Modern cyber-squatters have become more strategic. Instead of just using the .com Top Level Domain (TLD), they register variants like .org, .biz, or regional extensions to outsmart the system. For example, a domain like "support-hdfcsecure.org" may appear harmless but is designed to impersonate the official brand.

These practices create significant consumer confusion, lead to phishing attacks, and dilute brand identity.

The stakes are higher today with Indian startups booming and influencers creating personal brands. Any lapse in securing digital identities can lead to severe financial and reputational loss.

Famous Global Examples :

• Walmart44.com: This domain misused the Walmart brand to lure unsuspecting users into downloading malicious software, including adware and spyware.
• TikToks.com: Attempting to cash in on TikTok’s explosive growth, squatters registered a similar domain. ByteDance’s offer to buy the domain was rejected, and legal proceedings were initiated. The court eventually ruled in TikTok's favour.
• Nissan.com: Uzi Nissan registered this domain for his computer business. Later, Nissan Motors tried to claim ownership, alleging cybersquatting. However, the court sided with Uzi, stating the domain reflected a legitimate business and personal identity.
• MikeRoweSoft.com: Mike Rowe, a teenager, used this for his web design company. Microsoft objected due to phonetic similarity. After media attention and public sympathy, the case was settled amicably.

Noteworthy Indian Cases :

• Rediff vs Cyberbooth: The Bombay High Court ruled against radiff.com for being deceptively similar to rediff.com and acting in bad faith.
• Yahoo! Inc vs Akash Arora: In India’s first domain name dispute, Yahooindia.com was barred due to its striking similarity to Yahoo.com.
• Reliance vs JioHotstar.com: A domain was registered by a Delhi techie anticipating a merger between Reliance and Disney+. Although not used maliciously, it was an opportunistic move. Eventually, it was handed over voluntarily to Reliance.

How Cyber-squatting Works-

Cyber-squatting begins when someone registers domain names before the legitimate business or person secures them. These domain names are then held ransom or used for fraudulent activities.

Variants may include typos (e.g., "gooogle.in" instead of "google.in"), misleading prefixes ("login-hdfc.in"), or added words ("support-paytmhelp.org"). In many cases, the goal is to confuse users, steal data, or sell the domain at an inflated price.

Other tactics include:

• Typo-squatting: Minor spelling errors to capture users who mistype URLs.
• Name-jacking: Registering public figures’ names to impersonate or profit from their popularity.
• Pre-emptive Squatting: Securing domains related to upcoming events, product launches, or political campaigns.
• Brand Cloning: Adding terms like "secure" or "help" to mimic brand communication style.

Identity Theft vs Brand Cloning :

Take the example of a fake domain like "hdfcbank-login.com"—created to mirror the official HDFC Bank website and collect user credentials. This is identity theft through domain mimicry. In contrast, a domain like "support-hdfcsecure.com" does not directly impersonate the official site but misleads users by mimicking the tone and trust signals of the brand. Both are deceptive, but the former involves direct impersonation, while the latter manipulates perception subtly.

Reverse Cyber-squatting :

Reverse-squatting is a lesser-known but equally malicious practice. In this, a party registers a company or entity name legally and then falsely accuses an existing domain owner of infringement to take control of the domain. For example, someone might register “Bluecrest Holdings Ltd” and then try to seize “bluecrest.com” under the guise of IP ownership, despite the domain having legitimate prior use.

Impacts of Cyber-squatting - 

• Brand Damage: Customers may land on fake sites and lose trust in your brand.
• Revenue Loss: Missed traffic leads to lost sales.
• Security Risks: Scam domains often host phishing pages.
• Legal Costs: Pursuing squatters through courts or arbitration can be expensive.
•  

How to Prevent Cyber-squatting :

1. Register Your Domain Early: Secure domains before public launch.
2. Buy Variants: Get .com, .in, .org, .net, and misspelled versions.
3. Enable WHOIS Privacy & Domain Locking: Prevent unauthorized transfers and conceal personal info.
4. Trademark Your Brand Name: Strengthens legal rights and speeds up arbitration.
5. Limit Early Publicity: Don’t announce brand names before securing digital assets.
6. Use Monitoring Tools: Services like DomainTools, Trademark247, and Google Alerts help track suspicious domains.
7. Issue Cease-and-Desist Notices: A legal notice often resolves matters out of court.
8. Use Indian Dispute Resolution Policy (INDRP) or Uniform Domain-Name Dispute Resolution Policy (UDRP): File complaints under the Indian or global domain dispute policies.
9. Report Fraudulent Domains: Inform CERT-In or use www.cybercrime.gov.in.
10. Negotiate if Needed: Sometimes, buying the domain is faster than fighting legally.

What To Do If You're a Victim : 

1. Collect Evidence: Screenshots, WHOIS data, emails.
2. Check Trademark Status: If not registered, show prior use.
3. File INDRP or UDRP Complaints: Depending on domain extension.
4. Seek Legal Counsel: Courts can grant injunctions.
5. Report to Authorities: Alert CERT-In or local cybercrime units.

Legal Remedies in India :

• Trademarks Act, 1999: Allows action for infringement or passing off. However, it lacks extraterritorial scope, making enforcement difficult when the squatter is based overseas. Still, Indian courts are proactive.
• IT Act, 2000: Section 43 (unauthorized access) and 66 (fraud) can be applied indirectly.
• INDRP: Arbitration through National Internet Exchange of India (NIXI) for .in domains. Generally resolved within 60 days with a filing fee of ₹30,000.
• UDRP -The Internet Corporation for Assigned Names and Numbers (ICANN): For .com, .org, .net domains. Arbitration through World Intellectual Property Organization (WIPO) or other approved panels.
• Civil Litigation: Legal notices, court injunctions, and mediation are additional avenues.

International Law – ACPA (US) - Unlike India, the United States has a dedicated Anti-Cybersquatting Consumer Protection Act (ACPA), which provides clear legal recourse, including financial damages.

This framework protects registered trademark holders and penalises bad-faith domain registrations. India lacks a similar dedicated law.

Needed Reforms:

• Make ICANN Decisions Binding: Grant enforceability of UDRP decisions within Indian courts to streamline the process.
• Mandatory Registrar Checks: Domain registrars should conduct background verification before issuing sensitive domains.
• Trademark Registration Encouragement: Companies should be incentivized to register domains as trademarks.
• Awareness of UDRP: Encourage training and awareness programs on domain dispute mechanisms.
• Sui Generis Law: India must create a dedicated cybersquatting statute with clear definitions and penalties.

A domain name is no longer a luxury—it’s a vital asset, much like a company’s logo or legal registration. Cyber-squatting is not just an attack on a brand, but on digital trust itself.

As India transitions into a robust digital economy, protecting online identities must be treated with the same urgency as securing physical assets.Cybersecurity laws, consumer awareness, and strong trademark enforcement are no longer optional—they’re foundational.

The time to act is not tomorrow—it’s now.

June 10, 2025