It’s an all too common scenario. An unsuspecting Internet user opens an email with a link to a website spoofing that of a leading financial institution. The user is asked to input personal information such as bank credentials or social security numbers and in a matter of seconds the user becomes the victim of a phishing scam and is left to deal with the financial and emotional fallout stemming from the identity theft.
Phishing scams accounted for nearly 70 percent of all Internet fraud in the second quarter of 2010, and the financial services industry remains the prime target. Gartner Group estimates theft through phishing activities costs U.S. banks and credit card issuers an estimated $2.8 billion annually. While many of the scam emails are blocked by increasingly sophisticated spam and anti-phishing filters, a larger number continue to make their way to consumers’ email accounts.
According to a 2009 survey, 45 percent of bank customers who are redirected to a phishing site divulge their personal credentials. The monetary and identity theft losses sustained by consumers through phishing attacks have led to diminished consumer confidence in the security of the online services rendered by leading financial institutions. Something must be done to reduce the volume of phishing attacks and restore consumer confidence. But what? One answer may lie in the financial services sector embracing the roll-out of new generic and branded top-level domain extensions.
The number of domain names registered since the inception of .com 25 years ago is staggering.
A recent report indicates the number of generic top-level domain registrations (e.g., .com and .net) is more than 209 million with another 81 million existing in the country code top-level domain space (e.g. .ru for Russia and .cn for China).
Most financial services institutions operate their official websites at the .com level; however, with so many domains and spoofed websites existing in cyberspace (many of which contain official brand names or close variations thereof), consumers can be easily tricked into believing they have landed at an official site when in fact they have stepped into a phishing mine. These problems may very well be eliminated for those financial institutions with the foresight to control and operate their own branded domain extensions — e.g. .citi, .hsbc, .wachovia, etc.
In June 2008, the Internet Corporation for Assigned Names and Numbers (“ICANN”), the governing body of the domain name system, approved a plan to expand the number of top level domain names by allowing an unlimited number of global top-level domains (gTLDs) consisting of brand extensions, organized communities and generic organizations (e.g. .food or .bank). ICANN’s plan has undergone many revisions, but it is now in its final stages and is expected to begin accepting applications for the new domain extensions in late 2011.
Banks and other financial institutions can now register a single .com, .net. or any other gTLD for around $10. However, the top-level domain name is shared with millions of other registrants. With the new gTLD program, it is possible for one company to own the entire top-level domain space and register names under the newly created gTLD to third parties. In other words, a bank can become a domain name registry operator.
The fees required for this right are substantial. As an initial matter, applicants must pay an “evaluation” fee of $185,000. In addition, applicants must provide proof they have contracted with a registry provider to assist with technical requirements. Only established corporations, organizations and institutions in good standing will be eligible to apply for a new gTLD, and applications submitted by individuals or sole proprietorships will not be considered.
The time is now for financial institutions to decide whether to apply for a .brand gTLD or simply monitor online applications to ensure their intellectual property rights are not being violated by others who are applying for them. Given the significant costs of the evaluation process and the need to work with an established registry to assist with technical requirements, the decision must be based on a cost-benefit analysis.
While many brand owners have been slow to embrace the marketing value in a new gTLD , the financial sector is distinguishable. Why? Because consumers’ lives are so closely tied to their finances and the institutions that control them. As one author put it, “We trust banks with not only our money, but our future and the future of our children. We pick the one that is the safest.”
By running a branded gTLD, a financial institution has ultimate control over all consumer interactions, thus mitigating (and possibly eliminating) the phishing and identity theft problems currently faced by the industry.
The new gTLD would not only promote the brand, but also protect it. Consider the possible ways in which a gTLD could be utilized — www.checking.wachovia, www.savings.wachovia, www.loans.wachovia, etc.
With the .wachovia branded domain extension, consumers of this bank will have no doubt they have landed at an official Wachovia webpage. Of course it remains to be seen whether tech savvy criminals and hackers will find a way to manipulate the new system. Moreover, financial institutions will have to invest substantial sums and resources to educate consumers to move from their .com domain name to their .brand domain name. But imagine the power a slogan like “If it's not dot Wachovia, it's not safe” could have in building consumer confidence in the online banking services rendered by Wachovia.
How will the new gTLD process work? It is important that the application process for the new gTLDs is not on a first-come, first-served basis. ICANN will accept applications only during an open application period estimated to begin in late 2011. Through the online application system, applicants will answer a series of questions to provide general information and demonstrate financial, technical and operational capability. Immediately following the closing of the application period, ICANN will check each application for completeness and then post at one time all of the completed applications.
There are intellectual property rights protection mechanisms in place that permit brand owners to object to applied-for gTLD strings that are identical or confusingly similar to their trademarks.
However, the Internet is global, and trademark rights are predominantly territorial. Thus, there will be instances in which two corporations who have legal rights to the same mark apply for the same gTLD string. In those cases, ICANN will encourage the parties to enter into voluntary agreements or settlements and, as a last resort, will institute an auction procedure with the highest bidder winning rights to the extension.
In sum, the financial services industry should weigh the pros and cons of applying for and maintaining a branded gTLD. This should include both a cost-benefit assessment and risk analysis. At the very least, defensive measures should be taken to obstruct an application by a third party that has no rights or legitimate interest in a gTLD incorporating the name of your financial institution or its sub-brands. But the new gTLDs may pave the road to restoring consumer confidence in online banking and financial services.
--By Eric T. Fingerhut and Shannon M. McKeon, Dykema Gossett PLLC
Eric Fingerhut is a member of Dykema Gossett in the firm's Washington, D.C., office. Shannon McKeon is an associate with the firm in the Washington office.
The opinions expressed are those of the authors and do not necessarily reflect the views of the firm, its clients, or Portfolio Media, publisher of Law360. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
|