No industry is immune from cybersquatting—not even the legal industry.

In three recent (and unrelated) UDRP decisions, law firms won decisions ordering the transfer of domain names that contain their trademarks.

One of the cases involved Alston & Bird, the large law firm where I began my legal career and first learned about domain name disputes 20 years ago. As the UDRP decision describes it, Alston & Bird (which is often referred to as “A&B” or, in my personal experience, less frequently, “Alston”) is “a well-known law firm founded in 1893 with offices throughout the world.” The firm’s website lists 843 lawyers, and The American Lawyer ranks it as the 46th largest firm in the United States with revenue of $645.5 million.

Alston & Bird, in my recollection, was one of the first law firms to have a website; it registered the domain name <alston.com> on January 14, 1995—before such prestigious (and even larger) firms as Baker & McKenzie, Skadden and Kirkland & Ellis got their domain names.

In A&B’s recent UDRP dispute, the respondent registered the disputed domain name <alston-ny.com> (the law firm has an office in New York City), which A&B said was used “to fraudulently elicit payment while posing as an employee” of the law firm. In one instance cited in the UDRP decision, A&B said that the respondent sent an invoice via email for $477,000 to a wheelchair company. (The decision does not state whether the wheelchair company was a client of the firm or why the respondent may have chosen that company.)

The UDRP panel had little trouble finding that A&B had satisfied all three elements of the domain name dispute policy. Still, it’s impossible for any trademark owner to register all variations of its trademark as domain names, and it’s a common tactic of cybersquatters to append a geographic identifier to a domain name. So, the firm’s troubles may not be over.

Perhaps most interestingly, A&B does not appear to be the registrant of a number of obvious domain names that contain its trademark, including <alstonbird.com>, <alston-bird.com> and <alstonandbird.com>—all of which are registered via a privacy service and none of which resolve to the law firm’s website. So, it’s certainly possible that the firm may find itself filing additional UDRP complaints in the future.

In another recent law firm UDRP decision (in which I served as the panelist), a much smaller law firm, Kramer Law Firm of Maitland, Florida (whose website using the domain name <mykramerlawfirm.com> identifies eight lawyers), filed a complaint for the domain names <kramerlawfirm.info> and <kramerlawfirm.org>. The decision in that case states that the registrant of the domain names used them in connection with emails “sent to people to solicit clients with the promise of recovering some $15,812,664.00 from two Bank of America accounts that will be ‘confiscated shortly.’ However, the targets must first pay $24,000.00 with another $7,000.00 due a later date.”

The Kramer Law Firm decision concluded: “While this scam is not, as Complainant has noted, a ‘typical’ case of phishing, it is nevertheless clearly a way in which ‘Internet fraudsters impersonate a business’—something that the U.S. Federal Trade Commission associates with phishing activities. Numerous UDRP panels have found such impersonation to constitute bad faith, even if the relevant domain names are used only for email.”

Interestingly, the domain name <kramerlawfirm.com> (not <mykramerlawfirm.com>, which is used by the complainant in the UDRP decision discussed here) is associated with another law firm, Kramer Radin in Los Altos, California. So, it is interesting to note that law firms with similar names can—apparently—peacefully coexist online.

In a third decision involving a law firm, a UDRP panel ordered transfer of the domain name <dorrsey.com> (with two letter R’s) to Dorsey & Whitney (a 500-attorney firm) that uses the domain name <dorsey.com> (with one letter R). Similar to the Alston and Kramer cases, the cybersquatter in this dispute used the domain name “for the purpose of hosting an email address in an attempt to defraud Complainant through attempting to pass off as an employee of Complainant.” More specifically, the cyberquatter engaged in so-called “spearfishing” by using an email address with the domain name “to contact an employee of Complainant to request an unauthorized transfer of $184,893.33 from a client trust account.” The decision doesn’t state whether the targeted employee actually made the transfer.

Lessons for Lawyers and Clients

Of course, the Alston & Bird and Kramer Law Firm disputes are not the only examples of law firm cybersquatting problems; they’re just the most recent. Other UDRP disputes initiated by law firms include interesting cases that don’t involve personal names and that don’t always end up in the law firms’ favor, such as an early (2001) decision over <theinjurylawyers.com>; and cases that involve top-level domain names other than .com, such <adamsandremers.me>.

Although law firms don’t rank among the most common targets of cybersquatters, these cases demonstrate that they are in some ways no different than their clients when it comes to protecting themselves online. While the launch of some new gTLDs such as .attorney, .law and .lawyer may eventually provide a safer home for law firms online, these new gTLDs (like most others) have not yet proven to be very popular.

As a result, law firms—and their clients, who may be victims of scams perpetrated by cybersquatters—should continue to be as mindful about domain names as they are about their own businesses.