Since 2014, more than 800 new domain extensions have been added to the internet. In addition to the ubiquitous .com and country-code extensions such as the United Kingdom’s .uk and Japan’s .jp, unique spaces have been created for industry sectors, special interests, geographical regions and more.

For consumers, this expansion of online real estate has led to a greater opportunity to purchase domains that are intuitive, freeing up names that are taken in other extensions and making space for creativity in online branding. In mid-2023, more than 28 million domain names had been registered in these new extensions. Compared to 174.4 million names in .com and .net, this suggests there remains plenty of space for exploration and valuable names still available.

However, innovation often creates side effects and comes at a cost. For those responsible for protecting brand identities and IP online, unfortunately, greater opportunity for consumers has resulted in a greater risk and surface area requiring protection for brand owners.

The challenge of staying ahead of impersonating or abusive domain registrations using brand names and trademarks by bad actors around the world has become exponentially more difficult and expensive. In the U.S., the Federal Trade Commission reported that in 2022, business imposters (“scammers who falsely claim affiliations with well-known companies”) lead to a loss of $660 million.

Brand risks of domain abuse

The consequences of brand imitation or online fraud are costly and span a range of complex areas. For example, if a bad actor registers a domain name including a brand name or trademark, they can attempt to hold it to ransom, often leading to expensive and time-consuming processes to purchase it back or dispute the ownership and have it returned.

For example, a request under the Uniform Domain Name Dispute Resolution Policy (UDRP), which is one of the most common ways to contest a domain name, can cost around USD$1,500 for up to five domains, with costs increasing along with the number of domains in question. However, the process typically takes around two months to complete. On the other hand, someone ‘squatting’ on a brand’s domain can often demand upwards of tens of thousands of dollars to return it in an aftermarket sale.

Some bad actors, however, are looking for more than a quick cash grab.

With a domain that appears to belong to a recognizable brand, scammers can attempt to imitate major organizations for the purposes of phishing, fraud, humiliation or other forms of deception. This can result in financial, reputational and operational damage and costs far beyond the price of registering a domain.

Nowadays, the risk extends beyond just a brand’s name. With the expansion of the domain name system, characters other than those in the ASCII alphabet (a through z) can now be registered in domains. This opens a new world of possibilities for impersonating a brand using confusingly similar characters that closely resemble ASCII letters to imitate brands.

In Q2 2023, the Anti-Phishing Working Group (APWG) observed more than 1.28 million phishing attacks worldwide: the third-highest quarter on record. This doesn’t account for attacks that may have gone unnoticed or unreported. The World Economic Forum also reported that in 2020, malware and ransomware attacks increased by 358% and 435% respectively.

It’s not hard to believe, particularly when bad actors have access to a domain that is convincingly similar to a major brand’s. A survey conducted by Proofpoint found that 63% of participants think that an email address always belongs to the corresponding website of the brand, and 44% believe an email is safe when it features familiar branding.

The APWG reported that business email compromise, one of the most common forms of online fraud, has resulted in $50.8 billion dollars in losses between October 2013 and December 2022.

Defensive domain registrations

For a long time, the key strategy for defending against online impersonation has been to defensively register as many domains relating to a brand as possible within a company’s budget. These include the brand name as well as confusingly similar variations, product names, subsidiaries and other trademarks or protected terms.

As the options for domain extensions have increased, this has compounded the complexity of managing defensive domain portfolios. Each domain has its own registration fee, renewal terms, and terms and conditions to be managed, let alone complex policy frameworks that make some extensions entirely unavailable. Multiply the number of online brands that companies wish to protect by hundreds or even thousands of domains, and the financial and operational burden becomes unmanageable and expensive.

Analysis by GoDaddy Corporate Domains of the Global 2000 companies in 2022 found that in the top 50, the average domain portfolio was around 8,300 domains, with an average spend of $373,000.

In its Sixth Annual Corporate Domain Management Survey, GoDaddy Corporate Domains also found that for those companies with more than 10,000 domains, 40% say that legal departments have responsibility for managing domain portfolios.

For these companies, portfolio management takes at least 4-5 days’ work per week and more than half of all respondents said managing domains has become more difficult over time.

According to GoDaddy Corporate Domains, “the complexity and variables that large companies face transcends far beyond the sheer number of domains.”

“Many companies maintain defensive registrations of domains, not because they need them to generate traffic, but because they don’t want them falling into the wrong hands.”

The evolution of domain blocking

In 2011, following the introduction of the .xxx domain extension for use by the adult entertainment industry, a unique solution to prevent the use of brand names and trademarks in this extension was developed by its owner ICM Registry: a blocking service.

In later years, ICM Registry expanded this service into what is now known as AdultBlock, adding the other adult themed extensions .porn, .adult and .sex to a broader service. Over this time a number of other blocking products have been introduced, protecting trademarks in various extensions collectively covering around a third of the market.

One of the largest examples is the Domain Name Protected Marks List (DPML) service from Identity Digital, which similarly blocks domains from being registered in approximately 300 domains under Identity Digital’s management. These include .fail, .fyi, .info, and .group.

Typically, these blocking services have been selective or carried only a small number of extensions. While beneficial for brand owners, there remained no simple, unified approach to blocking on a widespread scale.

How domain blocking works

Unlike defensively registering a domain name, blocking a domain does not allow for the domain to be used for websites, email or any other purpose. The ‘asset’ is owned by the company, but effectively works by removing the domain from availability altogether, meaning no one can register or use it.

Operationally, this can be beneficial for brands who have no intention of using a domain, as they are not required to maintain the registration, renew it each year and continue paying registration fees. In the case of AdultBlock, this was also appealing to companies who did not want to register a .xxx domain and create an association between their brand and the adult entertainment industry.

Additionally, domain blocking services often include features that block variants or ‘look-alikes’ of brands, such as replacing the letter ‘e’ with the number ‘3’ or adding a plural ‘s’ to the brand name - tactics often engaged to trick consumers into clicking fraudulent links or trusting false emails. To identify and defensively register all of these across hundreds of domain extensions would be almost impossible.

Introducing the Brand Safety Alliance

GoDaddy Registry along with partners from across the domain industry recently established the Brand Safety Alliance: a new initiative focused on providing innovative solutions to the challenges brand owners face across a complex internet of more than 1,000 extensions.

Together with GoDaddy Registry, organizations such as Identity Digital, CoCCA, ZDNS, CORE Association, GMO Registry, DNS Business, Tucows, Tango Registry Services and RyCE collectively manage and operate the registries for hundreds of domain extensions around the world.

Recognizing both the opportunities and the challenges posed by a widening internet landscape, the Brand Safety Alliance (BSA) seeks to provide companies around the world with a range of products that alleviate many of the struggles of managing intellectual property online. The goal is simpler, more reliable and more cost-effective brand protection.

The first product launch from the BSA, in Q1 2024, is GlobalBlock: the first unified domain blocking service providing instant protection across upwards of 600 domain extensions in one transaction.

Designed to simplify domain portfolio management and take the guesswork out of online brand protection, GlobalBlock also offers additional features for peace of mind. These include Priority AutoCatch, which instantly picks up any already-registered names the minute they come back on the market and adds them to your block (snatching them from domain squatters and protecting against accidental deletions), and Domain Unblocking, which allows you to unblock and register a domain in your block whenever you like.

With more products and services to follow, the BSA is keen to hear from brands about their requirements and challenges, so it can tailor solutions to meet these needs. By championing the potential of blocking products and innovating in this space, the BSA is set to redefine how businesses protect their digital intellectual property.

For further updates, visit www.brandsafetyalliance.co or check out www.globalblock.co.