Carrefour SA secured the transfer of carrefourpassdigital.online after the domain was found to be triggering browser-level security warnings indicative of phishing. The panel ruled that the addition of ‘digital’ to the well-known CARREFOUR PASS mark suggested a fraudulent affiliation, confirming both bad faith registration and use.
Case Snapshot
| Case Number | D2026-0566 |
|---|---|
| Complainant | Carrefour SA |
| Respondent | dora dora, fastusa |
| Disputed Domain | carrefourpassdigital.online |
| Threat Tactic | Phishing and Email Fraud |
| Decision Date | 2026-04-08 |
| Panelist | Igor Alfiorov |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2026-0566 |
Fraudulent Impersonation and Customer Trust Risks
The registration of carrefourpassdigital.online presents a direct threat to customer trust by leveraging the well-known ‘CARREFOUR PASS’ trademark alongside the descriptive term ‘digital.’ This specific combination creates a strong commercial implication of an official loyalty or financial service portal, which is a high-value target for phishing operations. At the time of the complaint, the domain triggered automated browser-level security warnings identifying the destination as dangerous. Such warnings not only deter users but also create a negative psychological association between the brand and digital insecurity, potentially undermining the complainant’s legitimate online ecosystem and the safety of its 1.3 million daily webstore visitors.
The use of a privacy service—specifically Super Privacy Service LTD—combined with the respondent’s alias ‘dora dora, fastusa,’ illustrates a common tactic intended to obscure the identity of bad-faith actors and complicate legal service. In this instance, the domain was registered on January 27, 2026, and the complainant initiated UDRP proceedings by February 11, 2026. This rapid response was necessitated by the fact that the domain did not resolve to a bona fide offering of goods but rather to a flagged phishing environment. For global hypermarket pioneers like Carrefour, the risk is not merely traffic diversion but the active exploitation of a globally recognized mark to facilitate commercial gain through harmful, deceptive websites.
The panel’s conclusion that the respondent could not have been unaware of Carrefour’s rights underscores the calculated nature of this business threat. By incorporating the entirety of the complainant’s international marks dating back to 1956 and 1999, the respondent sought to capitalize on the reputation of a company with substantial global revenue and a high-profile presence, including partnerships with the Paris 2024 Olympic Games. For IP professionals, this case highlights that the addition of generic terms like ‘digital’ or ‘online’ does not diminish the confusing similarity but rather targets specific digital service sectors, requiring immediate intervention to mitigate risks of credential theft or large-scale financial fraud.
Analysis of Panel Reasoning: Trademark Affinity and Phishing Indicators
The Panel determined that the disputed domain carrefourpassdigital.online is confusingly similar to the Complainant’s CARREFOUR and CARREFOUR PASS trademarks. The domain incorporates these protected marks in their entirety. The addition of the descriptive term “digital,” alongside the “.online” generic Top-Level Domain, does not prevent a finding of similarity but instead enhances it. This combination suggests a digital service specifically affiliated with the Complainant’s established loyalty programs, thereby increasing the risk of consumer deception through implied official endorsement.
Regarding rights and legitimate interests, the Complainant established that the Respondent had no authorization to use the trademarks. The Respondent, identified as dora dora, fastusa, failed to respond to the allegations or demonstrate that they were commonly known by the disputed name. Importantly, the Panel noted that directing the domain to a website triggering browser-generated security warnings indicative of phishing does not constitute a bona fide offering of goods or services or a legitimate noncommercial use. The evidence showed that the site was identified as dangerous at the time the complaint was filed, precluding any claim of rights.
The Panel’s finding of bad faith registration and use was rooted in the global fame of the CARREFOUR mark. Because the Complainant has held international registrations since 1956 and 1999, the Panel found it non-credible that the Respondent was unaware of these rights when registering the domain in January 2026. Use of a privacy service to hide the registrant’s identity further suggested an attempt to evade detection. The intent to create a fraudulent association with the Complainant for commercial gain was evidenced by the security alerts, leading the Panel to conclude there was no plausible good-faith scenario for the Respondent’s actions.
Strategic Leverage of Brand Fame and Technical Malfeasance
Carrefour SA’s successful strategy hinged on demonstrating that the disputed domain name, carrefourpassdigital.online, was a calculated attempt to mimic its established financial and loyalty program identity. By highlighting international trademark registrations for CARREFOUR and CARREFOUR PASS dating back to 1956 and 1999, the Complainant established a high barrier against any claims of good faith or ignorance by the Respondent. The legal argument effectively pivoted on the inclusion of the term ‘digital,’ asserting that its addition to the CARREFOUR PASS mark did not create a distinction but rather enhanced confusing similarity. This framing persuaded the Panel that the domain was specifically designed to suggest an authorized digital extension of Carrefour’s global services, leveraging the well-known reputation of the mark to create a deceptive association for commercial gain.
The Complainant’s submission of technical evidence regarding browser-generated security warnings was instrumental in securing the transfer. By documenting that the domain triggered ‘dangerous site’ alerts indicative of phishing, Carrefour successfully argued that the Respondent lacked any rights or legitimate interests. The Panelist determined that directing a domain to a page associated with potential fraud cannot constitute a bona fide offering of goods or services. Furthermore, the rapid procedural response—initiating the complaint shortly after the January 2026 registration—prevented prolonged brand damage and consumer trust erosion. The combination of historical brand fame and evidence of harmful technical resolution left no plausible scenario for good-faith use, especially given the Respondent’s failure to provide a formal response or rebut the allegations of phishing activity.
Practical Recommendations
- Configure domain monitoring alerts specifically for the combination of flagship marks with infrastructure-related keywords such as ‘digital’, ‘pass’, ‘portal’, or ‘login’ to identify high-risk impersonation attempts.
- Document and timestamp browser-generated security warnings (e.g., Google Safe Browsing or Microsoft SmartScreen alerts) as primary evidence of bad faith use, as these alerts confirm the domain is recognized as a phishing or malware threat.
- Initiate UDRP proceedings rapidly—ideally within 30 days of registration—when phishing indicators are present to preemptively secure the domain before significant consumer data or brand trust is compromised.
- Argue in legal submissions that descriptive terms related to digital services (like ‘digital’ or ‘.online’) increase confusing similarity by falsely suggesting an official technological extension of the brand’s existing services.
- Utilize the respondent’s use of a privacy service as corroborative evidence of bad faith when combined with a domain name that targets a well-known mark and triggers security warnings.
Frequently Asked Questions (FAQ)
Why did the panel consider ‘carrefourpassdigital.online’ to be confusingly similar to the complainant’s marks?
The panel found that the domain incorporated the well-known CARREFOUR and CARREFOUR PASS marks in their entirety. The addition of the descriptive terms ‘digital’ and ‘pass’ did not mitigate the risk of confusion but instead suggested an official, authorized digital service.
What evidence established the respondent’s lack of rights or legitimate interests?
Carrefour SA confirmed it never authorized the respondent to use its trademarks. Furthermore, because the domain triggered browser-generated security warnings indicative of phishing, the panel determined this did not constitute a bona fide offering of goods or services or a legitimate noncommercial use.
How was bad faith registration and use proven in this case?
The panel relied on the global fame of the CARREFOUR trademark, finding it implausible that the respondent was unaware of the complainant’s rights. The use of the domain to host a site flagged as dangerous, coupled with the attempt to create a deceptive association for commercial gain, satisfied the criteria for bad faith.
What tactical lesson can be drawn from the handling of this phishing attempt?
This case demonstrates the effectiveness of documenting browser-level security warnings as primary evidence of bad faith. By highlighting that the domain triggered ‘dangerous’ alerts, the complainant successfully shifted the burden to the respondent, who failed to provide any justification for the registration, leading to a prompt transfer.
Detecting Phishing and Impersonation Risk
Is your brand being targeted by domains that trigger browser security warnings or facilitate fraud? Don’t wait for your reputation to suffer—let us evaluate your enforcement options.
This case note is for informational purposes only and is not legal advice.



