(Reuters) - In October 2021, Christopher Anthony, an M&A partner at Debevoise & Plimpton, sent out an email about a big biotech company’s planned acquisition of an Asian business. Anthony dropped the name of the biotech company’s CEO, then asked the email’s recipient to fill out and sign an attached non-disclosure agreement to receive more details about the deal.

The problem: The real Christopher Anthony never sent the email, which came from a website called Debevoise-law.com. Debevoise’s actual website is Debevoise.com. Anthony’s actual email address uses that domain name, not the name that appeared in the October 2021 email.

Debevoise concluded that cyber pirates were attempting to capitalize on the firm’s goodwill — and registered trademarks — to trick victims into handing over sensitive information or even money. The firm contacted Namecheap Inc, the company that registered the allegedly infringing websites Debevoise-law.com and Debevoise-laws.com, but Namecheap sent back only form-letter responses. And the alleged cyber pirates themselves used an Icelandic privacy service to mask their identities, so Debevoise couldn't demand answers from them.

Concerned about imminent fraud, Debevoise chose to go to court to shut down the fake websites. Last December, as my Reuters colleague Blake Brittain reported, Debevoise filed a lawsuit in Alexandria, Virginia – the home venue for Verisign Global Registry Services, the exclusive registry for .com domain names – to request a court order transferring the rogue Debevoise domain names to the firm.

The firm’s strategy proved effective: Within days of filing the lawsuit, Debevoise obtained a preliminary injunction transferring ownership of the disputed sites to the law firm while the case was under way.

Then, on Tuesday, Debevoise won a default judgment from U.S. District Judge Liam O’Grady, who adopted a report in which U.S. Magistrate Ivan Davis of Alexandria concluded that the fake websites had been registered in bad faith in order to “impersonate Debevoise attorneys in an attempt to trick victims into sending funds, trade secrets, or other sensitive information by convincing the recipient that they are communicating with Debevoise.” O’Grady ordered Verisign to change its registry to reflect that Debevoise owns the infringing domain names.

“We welcome this final, default judgment confirming our rights,” Debevoise IP partner David Bernstein said in a statement to Reuters. “The court’s swift action throughout these proceedings shows that fraudsters will not succeed in their attempts to exploit Debevoise’s distinctive brand.”

The Debevoise case is unusual, said domain name expert Doug Isenberg of The GigaLaw Firm, because the firm chose to go to court rather than filing a Uniform Domain-Name Dispute-Resolution Policy (UDRP) complaint. Typically, Isenberg said, businesses that have been targeted by cybersquatters use the UDRP process, which resembles arbitration, to gain control of rogue domain names. UDRP cases, which are handled by such groups as the World Intellectual Property Organization, are typically resolved quickly and efficiently, often in just 60 days, Isenberg said.

Unfortunately, what’s not unusual about the Debevoise fake name brouhaha, Isenberg said, is that the cyber pirates created fake law firm domain names. Isenberg told me he does not have hard data on UDRP complaints filed by law firms, but his anecdotal sense from reviewing case records is that there has been a “significant increase” in cases brought by law firms.

Sophisticated cybersquatters, Isenberg said, often use fake law firm domain names to impersonate law firm personnel in email phishing attempts, like the one perpetrated by a Bryan Cave Leighton Paisner imposter in a UDRP case Isenberg discussed in a blog post last January. The ensuing scam, Isenberg said, can be as simple as sending fake invoices, via fake email addresses, to law firm vendors or clients.

Phillip Marano of Greenberg Traurig, who oversaw the Bryan Cave case as a WIPO arbitrator, agreed that law firms are increasingly likely to be targeted by cyber pirates. That includes Greenberg Traurig, Marano said: The firm has filed two or three UDRP complaints in the last couple of years to shut down fake sites.

Like Isenberg, Marano said cyber fraudsters are becoming more sophisticated, often impersonating specific lawyers in fake emails requesting payment of invoices. Sometimes, Marano said, fraudsters are able to infiltrate a target’s email system to obtain real invoices. In those instances, he said, they send fake follow-up emails requesting payment to a different account – one that the pirate controls.

Marano, who told me he handles between two and six UDRP cases a month, said the quasi-arbitral process is usually the fastest way to shut down fake sites. Targets may turn to courts, he said, when domain name registration companies fail to respond to initial takedown requests.

To get a rough idea of how often cybersquatters register fake domains for large law firms, I searched the WIPO database for recent UDRP complaints by firms at the top of the Am Law 100. My search was casual, not comprehensive. But I turned up quite a haul. There was a 2020 Jones Day case against the anonymous registrants of jonesday-law.com; a 2021 Latham & Watkins complaint about a site registered as lathanwatkins.com; and a 2022 Davis Polk & Wardwell case to shut down davisoolk.com. Sidley Austin brought a 2021 case to shut down sidleyaustin-llp.com. Ropes & Gray challenged ropesgrayus.com in 2021. Simpson Thacher & Bartlett brought two UDRP complaints in 2022, contesting simpsonbartlettlawfirm.com and lists-stblaw.com. There are other examples, but you get the idea.

The law firms prevailed in all of these cases, usually without the cybersquatters who created fake sites even making an appearance. As Debevoise partner Bernstein told Reuters, “Most cybercriminals realize that trying to defraud a law firm with a phishing scheme like this is not going to end well for them.”

But that doesn’t seem to have stopped rogue registrants from trying. Beware, law firms. You could be the next debevoise-law.com or lathanwatkins.com.

