What Is Cybersquatting? What Can I Do About It

Graphic of people shaking hands with text 'Confidential Domain Name Brokers'.  | VPN.com

Staff Writer @ VPN.com

Last Updated:

The Internet has revolutionized the business world, but it has also delivered new ways for criminals to infringe on your company’s trademark rights. Read on to learn about how cyber pirates execute a crime called cybersquatting, what your business can do to fix a cybersquatting issue, and steps you can take to prevent becoming a cybersquatting victim.

A Fictitious Example Of Cybersquatting

Imagine you are the proud owner of the Acme Widget Factory. Last year was a breakout year for your company, as your Widget 1000 product was a huge commercial success. Your marketing effort was spot-on and those ads your team created drove a ton of traffic to your widget1000.com website.

As sales plateau on the Widget 1000, it is time to introduce the next generation of the Widget line. After a long brainstorming session with your marketing team, it has been decided the next product will be called the Widget 2000. Boom, decision made, set in stone, the marketing team is running.

A few months and many sunk marketing hours later, the IT consultant who builds your website tells you some bad news. The website domain widget2000.com is not available for your company to use. An unknown party had recently purchased it. You ask your team how this could have happened and how do we fix it. Your IT consultant says you have been a victim of cybersquatting.

What Is Cybersquatting?

Cybersquatting, a.k.a. domain squatting, is the deliberate purchase of available website domain names, done in bad faith against a trademark, with the sole intention of reselling the domain at a future date for a profit.

If a domain name is available, anyone can buy it for just a few dollars, by using a domain registrar such as Domain.com, GoDaddy, Network Solutions, etc. A few dollars and a few minutes are all it takes for someone else to register your desired domain and ruin your product launch.

Domain pirates can steal a domain from you by either simply registering it before you or through Expiration Date Exploitation — Every year, the owner of a domain must do some simple paperwork and pay a few dollars to keep ownership of a domain. The expiration dates on domain ownership are public information, and cyber-vultures like to hover around waiting for the expiration day to come, and then swoop in to steal ownership.

What Is Domain Grabbing?

Domain grabbing, also known as domain investing or domaining, is very similar to cybersquatting in that domains are purchased with the sole intention of reselling the domain at a future date for a profit. The key difference is that domain grabbing does not involve bad faith against a trademark.

These domains usually have generic names like insure.com and investors avoid names of specific companies, products and services that are trademarked. So, for example, a domain investor grabs the insure.com domain and hopes that one day State Farm or Allstate will come calling with a big check in hand.

Is It Bad Faith Or A Misunderstanding?

Before going into full panic mode, try to discover what the domain owner’s intentions are:

  • When you visit the domain, does it go to a fully functional website or a junk page filled with ads or a page that reads like a ransom note?
  • If the domain goes to a functional website, does the website reasonably appear to be related to the domain name? Or does it bounce you to a tire service company in Nebraska that couldn’t possibly have anything to do with the domain name in question?
  • Contact the domain owner to clarify their intent. The contact info usually appears on the ransom note page, or you can use Whois.net to look up the domain owner information.

In the case of our fictitious example, visiting Widget2000.com bounces you to a brightly colored site with a variety of advertisements for Not Safe For Work (NSFW) content and provides an email address to contact the owner.

Upon contacting the individual using your most stern legal voice, you receive a reply that indicates the person wants $20K to hand ownership of the domain to you.

So yeah, your company and its trademarks are being extorted by a cybersquatter. Be safe from cybersquatting!

Is Cybersquatting Illegal?

Yes, deliberately purchasing a domain that is associated with a trademark, with the bad faith intention of selling for profit, is illegal.

In 1999, the United States Congress passed the Anticybersquatting Consumer Protection Act (ACPA) to directly tackle domain legal disputes that occurred within American borders.

In the same year, ICANN, the non-profit organization that controls the domain naming system, adopted the Uniform Domain-Name Dispute-Resolution Policy (UDRP) to govern domain name disputes across international borders.

Both of these actions clarified the definitions involved in cybersquatting cases and provided legal methods for companies to remedy the domain dispute.

Anticybersquatting Consumer Protection Act (ACPA)

The early days of the Internet (a.k.a. the 90s) was the Wild Wild West of domain poaching with a huge number of available domain names getting scooped up by companies, investors, bad-faith actors, and bored teenagers.

At the time, companies that were harmed had only the Lanham Act (a.k.a. Trademark Act of 1946) to turn to for relief. This law, written 50 years before the internet even existed, did a decent job at defending against trademark theft on the internet.

The primary limitation of the Lanham Act was that the domain had to be “registered with a bona fide intent to use it in commerce”. Using our fictitious example, the offending party had to use the widget2000 site to sell a product very similar to the Widget, like a counterfeit product, or use the Acme/Widget name to take customer money and not send any product.

The “use in commerce” provision of the Lanham Act did not handle domain ransom cases very well. Cybersquatting was more of a domain kidnapping/hostage situation against the corporation, rather than a “trick the customer” scenario.

In 1999, to modernize the Trademark Act of 1946 and specifically extend trademark protection to kidnapped domains, Congress passed the ACPA.

The ACPA defines cybersquatting as:

“The registration, trafficking in, or use of a domain name that is identical or confusingly similar to a trademark or service mark of another … with the bad-faith intent to profit from the goodwill of another’s mark (commonly referred to as “cyberpiracy” and “cybersquatting”)”

Essentially, the “use in commerce” clause of the Lanham Act had been replaced with the more fitting “bad-faith intent to profit” language.


The Anticybersquatting Consumer Protection Act (ACPA) provided a legal remedy against cybersquatters who lived inside American borders, but it did not have jurisdiction to reach internationally.

ICANN, with help from the United Nations, solved the international dilemma by adopting the Uniform Domain-Name Dispute-Resolution Policy (UDRP). ICANN is the non-profit organization that controls the Internet rules related to domain names. It was formed in 1998 to corral the Wild Wild West of the early internet days.

A quick, over-simplified lesson in how domain names work and why ICANN is so important:

  • Pretend there is a webserver sitting in the basement of the Acme company headquarters. How will customers reach that server to retrieve the contents of the website? ICANN assigns the server a domain address. Let’s pretend the address is 123.456.
  • It is not convenient to ask a customer to type 123.456 into their web browser, so ICANN lets you buy a domain name — widget2000.com
  • When a customer types widget2000.com into their web browser, how does it get translated into a 123.456 address? ICANN owns the Domain Name Servers (DNS) that seamlessly bounces a person from widget2000.com to 123.456.

So ICANN, one single centralized organization, creates the worldwide policies and enforces the rules related to domain addresses, domain names, and the automatic translation of names to addresses.

When the world disagrees on a certain internet rule, they go complain to ICANN. To handle cybersquatting disputes, ICANN created UDRP. This is an internal policy dictating how ICANN will react when two parties get into a domain name dispute. When someone purchases a domain name from ICANN, that person must agree to the ICANN rules and dispute procedures.

Uniform Domain-Name Dispute-Resolution Policy (UDRP)

In 1999, ICANN passed their Uniform Domain-Name Dispute-Resolution Policy (UDRP), which identifies cybersquatting using a three-part test, with language similar to the American ACPA:
  1. The domain name harms a trademark.
  2. The owner of the domain name has no legitimate rights to the domain name.
  3. The domain name was registered in bad faith.

To resolve such matters, ICANN created a binding arbitration process. A panel of internet and/or trademark experts review the dispute and make a decision. Whichever party wins gets to take/keep ownership of the domain name.

The decision under UDRP comes quickly and is final; there is no appeal process. Any parties unhappy with the result must take the matter through their local court using the ACPA.

In the 20 years since UDRP was established, there have been over 50K UDRP cases, across 91K domains, involving parties from 180 countries. In 2020 alone, there were 3,405 UDRP cases.

Typosquatting And Other Variations Of Cybersquatting

Honestly, the traditional kidnapping-for-ransom style of cybersquatting, as used in our fictitious story, does not happen much these days. There are nearly 360 million domain names officially registered, so there simply are not a lot of unpurchased domains available anymore. In addition, companies have gotten much better at taking steps to prevent becoming cybersquatting victims.

Modern-day domain cyber pirates have moved on to new variations of trickery, including:

  • Typosquatting — A customer wants to visit your widget2000 website but accidentally types in widget200 (drops the last zero) which bounces the customer to a typo squatting domain owned by the pirate.
  • Look-Alike Domains — A pirate steals a variation of your domain name, such as widget-2000.com and 2000widget.com. They may also produce look-alike sub-domains such as widget.2000.com.
  • Top-level Domains (TLDs) Exploitation — A company owns widget2000.com but a pirate has grabbed widget2000.net and .tech and .org

All of the above cybersquatting methods are meant to earn the pirate money by redirecting the customer to an alternate website that:

  • Is full of paid advertisements, usually for other scam companies and pornography
  • Sells knock-off or tangential products related to the true site
  • Lure customers into disclosing private information like their emails, phone numbers, etc.
  • Extort payment from the true owner.

Also, check out how to Protect the Medical Records of Patients by learning Cybersecurity Best Practice Every Nurse Should Know in hospitals. Be safe from cybersquatting!

Freaquently Asked Questions

What Can I Do If I Am A Victim Of Cybersquatting?

If you are in the unfortunate position of being a victim of a cybersquatting pirate, here are some basic options you can choose:

1. Pay the ransom — This may be, by far, the cheapest and easiest option. Just swallow your pride and pay the pirate to transfer the domain into your name.

In our fictitious example, paying the criminal $20K to release the kidnapped domain is a drop in the bucket cost compared to the product’s marketing budget and how much the product launch will be worth. Acme should just pay up.

You will want to get IT experts involved to help guarantee that the domain is successfully transferred over to you and that the criminal doesn’t just take your money and run. A lawyer can also help draw up a domain transfer contract, assuming the other party is legitimate enough to care about contract law.

If the pirate demands a ridiculous amount of money (e.g. $20M instead of $20K) and is unwilling to negotiate, then you will need to proceed to another option.

2. Change the product name or website — In our fictitious example, Acme could always pivot and change the new product name from “Widget 2000” to “Widget 1100”. Suddenly, losing the widget2000 domain becomes irrelevant.

Obviously, this strategy depends on where your company is in its product development lifecycle, and how much money it would cost to suddenly change direction and re-do work.

3. Threaten a Lawsuit — Have your lawyer deliver an intimidating takedown or cease & desist order. The pirate just might decide to move on to easier victims.

4. File a UDRP claim — Even if both parties are American, the UDRP provides an efficient process to remedy the dispute. The entire UDRP dispute process should take about 40 days and cost around $4000. If you win, ICANN will transfer the domain over to your name. If you lose, you are free to file a lawsuit under the ACPA.

5. With all other options exhausted, the last possible option is to file a lawsuit in District Court under the ACPA. You will probably want to hire a lawyer that specializes in trademark law. As with most lawsuits, unless settled out of court, this will be a long and expensive legal effort.

How Do I Prevent Becoming A Victim Of Cybersquatting?

Prevent Becoming A Victim Of Cybersquatting
As with many business problems, prevention of the issue is cheaper than mopping up the carnage. The following are some simple, almost common-sense tips for avoiding becoming the victim of a cybersquatting pirate:
  1. Be quick with new registrations — As soon as your team proposes a new website, go spend the $10 to secure the domain. If your team is debating six possible product names, go out and register all six domains now. If your company decides to go a different direction, you can just let unused domains expire in a year.
  2. Be quick with renewing existing registrations — Every year, you need to renew your domain registration. Set a calendar reminder and pay attention to the emails sent by your domain provider.
  3. Be proactive in identifying and purchasing typosquatting domains, look-alike domains, and top-level domains — Take ownership of all variations of your real domain now, before the pirates get it.
  4. Register your trademarks as soon as possible — these legal battles are far easier when you actually own a trademark on the name in question.

Wrapping Up

Businesses, regulators, and courts have long recognized the critical importance of respecting trademarks. The invention of the internet provided new methods for criminals to profit from trademark infringement. Thankfully, lawmakers and regulators stepped up and modernized trademark law to specifically address these issues.

With the internet being 25+ years old, businesses have learned a lot of lessons about how to protect their intellectual property online. Should a problem like cybersquatting hit a company, there are tried and proven options for resolving the issue.

Traditional kidnapping and hostage cybersquatting is not very common these days. With nearly 360 million domain names officially registered, there just is not a lot of unused domain names for companies and criminals to choose from. So, cybercriminals have moved on to other pirating techniques such as typosquatting, and businesses need to keep up-to-date on how to protect their valuable trademarks and domains.

With nearly 360 million domain names officially registered, it is also unlikely that the domain name you desire for your company will be available. So, you will need a domain broker, like VPN.com, to identify the existing owner of your desired domain and negotiate a sale on your behalf. Our company has helped facilitate $65 million worth of domain-related transactions, and we are an industry leader in the brokering of high-dollar domain sales.

Worldwide Premium Domain Brokers

Helping you acquire premium domain name appraisal in any country you desire. Inquire today about our Global Brand Protection Program if you want to register your brand in EVERY country.

"*" indicates required fields


See Plans