Carvana, LLC successfully recovered carvanahr.com after an individual used the domain to impersonate the company’s Human Resources department. The Panel found the domain was part of a fraudulent scheme to collect personal information from users, constituting clear bad faith. The domain was ordered transferred to the Complainant.
Case Snapshot
| Case Number | D2025-4338 |
|---|---|
| Complainant | Carvana, LLC |
| Respondent | Jelap Falod |
| Disputed Domain | carvanahr.com |
| Threat Tactic | Corporate Impersonation |
| Decision Date | 2025-12-31 |
| Panelist | John C. McElwaine |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4338 |
Fraudulent HR Impersonation and Personal Data Risks
The registration and use of carvanahr.com to host a fraudulent website impersonating the human resources department of Carvana, LLC presents a critical risk of data exfiltration and identity theft. By mimicking official recruiting and onboarding processes, the respondent, Jelap Falod, targeted sensitive personal information from prospective employees and potentially current staff. This specific impersonation tactic exploits the high degree of trust usually afforded to corporate HR communications. Because the CARVANA mark was well-established and widely known for over a decade prior to the 2025 registration, the likelihood of users perceiving the site as an official portal was heightened, directly facilitating phishing activities under the guise of legitimate employment operations.
This fraudulent activity generates substantial reputational harm and imposes significant operational costs on the brand owner. When a third party utilizes a well-known trademark to deceive job seekers, the brand’s professional integrity is compromised, potentially alienating future talent and damaging the company’s standing in the labor market. Beyond the immediate threat to individuals, Carvana faces increased expenses related to security monitoring and incident response needed to neutralize such phishing infrastructure. The commercial risk also involves the erosion of stakeholder trust, as victims of these deceptive practices may attribute their loss of privacy to the brand itself, despite the company having no control over the unauthorized domain.
The tactical choice to append the descriptive abbreviation ‘hr’ to the CARVANA trademark demonstrates a calculated attempt to manufacture an official corporate affiliation. This brand-plus-keyword approach is a form of corporate mimicry intended to bypass standard security skepticism by providing a plausible context for the domain. In the UDRP proceedings, the addition of ‘hr’ was found to exacerbate confusing similarity rather than diminish it, as it pointed directly to an internal division of the complainant. This level of targeted deception indicates that the respondent’s sole purpose was to leverage the complainant’s reputation to lure users into a fraudulent environment, necessitating swift enforcement to protect the brand’s digital ecosystem.
Panel Analysis: Confusing Similarity and Bad Faith in Departmental Impersonation
The Panel’s evaluation of confusing similarity centered on the structural composition of the disputed domain carvanahr.com. By incorporating the entirety of the CARVANA trademark—which has been registered in the United States since 2013—the Respondent created a direct link to the Complainant’s brand. The addition of the descriptive abbreviation ‘hr’ was found not to distinguish the domain, but rather to exacerbate the likelihood of confusion. This suffix specifically suggests an official Human Resources department, leading internet users to believe the domain is an authorized extension of Carvana, LLC’s corporate infrastructure. Under UDRP precedent, the mere addition of such descriptive terms is insufficient to prevent a finding of confusing similarity when the underlying mark remains the dominant element.
Regarding rights and legitimate interests, the evidence established that the Respondent, Jelap Falod, had no authorization or license to use the CARVANA mark. The Panel determined that the domain was utilized to host a fraudulent website designed to mimic the Complainant’s internal HR portal. This setup was specifically intended to deceive users and collect sensitive personal information under the guise of recruitment or onboarding processes. Because the domain was employed for phishing and data harvesting, it could not be considered a bona fide offering of goods or services. Such illegitimate activity precludes any claim to rights or legitimate interests, as the Respondent is not commonly known by the name ‘Carvana’ nor associated with the company in any professional capacity.
The finding of bad faith registration and use was supported by the established reputation of the CARVANA mark prior to the 2025 registration of the disputed domain. Given that the mark was well-known long before the Respondent’s actions, the Panel concluded that the Respondent was clearly aware of the Complainant’s rights at the time of registration. The deliberate pairing of the mark with a term implying an official corporate function demonstrates an intent to trade on the brand’s goodwill for deceptive purposes. The use of the domain to harvest data through a fake HR interface provides clear evidence of bad faith, as it targets a specific segment of the public—prospective or current employees—to facilitate fraud.
For IP professionals and brand owners, this case illustrates the persistent threat of ‘brand plus keyword’ tactics where attackers leverage corporate department identifiers like ‘HR’ or ‘IT’ to build trust. The decision confirms that when a domain name is used to facilitate phishing through the impersonation of internal departments, panels will look past minor suffixes to the underlying intent of the registrant. Rapid recovery through the UDRP remains a critical tool for neutralizing these fraudulent environments before they can lead to large-scale data breaches or significant reputational damage among a company’s workforce and applicant pool.
Strategic Alignment of Trademark Prominence and Fraudulent Intent
Carvana’s successful strategy hinged on demonstrating that the addition of the ‘hr’ abbreviation was not a distinguishing feature but a mechanism to intensify confusing similarity. By pairing the well-established CARVANA trademark—registered since 2013 under U.S. Reg. No. 4,328,785—with a term identifying a specific internal corporate function, the Respondent created a domain that explicitly suggested an official connection to the Complainant’s Human Resources department. The Panelist, John C. McElwaine, agreed that such permutations implying an organizational structure exacerbate rather than mitigate the likelihood of consumer confusion. This legal positioning allowed the Complainant to satisfy the first UDRP element while simultaneously establishing the foundation for bad faith intent through targeted corporate impersonation.
The persuasiveness of the case was further solidified by evidence regarding the Respondent’s active use of the domain for a fraudulent website. By documenting that carvanahr.com was configured to impersonate an HR onboarding portal for the purpose of collecting sensitive personal information under the guise of recruiting, Carvana proved the Respondent lacked any rights or legitimate interests. Under established UDRP principles, utilizing a famous mark for phishing or deceptive recruitment practices is inherently illegitimate and cannot constitute a bona fide offering of goods or services. This evidence of data collection under false pretenses, combined with the Respondent’s failure to respond by the December 9, 2025 default deadline, enabled the Panel to conclude that the domain was registered and used in bad faith specifically to exploit the Complainant’s reputation.
Practical Recommendations
- Expand automated domain monitoring to include common corporate department suffixes such as ‘hr’, ‘payroll’, ‘legal’, and ‘it’ appended to core brand marks to identify impersonation early.
- Preserve high-resolution screenshots and source code evidence of fraudulent onboarding or recruitment forms to provide the UDRP panel with definitive proof of phishing and lack of legitimate interests.
- Argue that descriptive abbreviations denoting official departments (e.g., ‘hr’) increase confusing similarity by falsely suggesting an authorized organizational division of the brand owner.
- Establish a protocol between IP teams and Human Resources to monitor third-party job boards and social media for unauthorized recruitment links pointing to non-corporate domains.
- Document and present the long-standing registration history and public fame of the brand mark to satisfy the bad faith requirement by showing the respondent had constructive or actual knowledge prior to registration.
Frequently Asked Questions (FAQ)
Why did the panel consider ‘carvanahr.com’ confusingly similar to the CARVANA trademark?
The panel found that the addition of the descriptive abbreviation ‘hr’—representing ‘Human Resources’—did not distinguish the domain from the complainant’s mark. Instead, it exacerbated the likelihood of confusion by falsely suggesting an official departmental connection to Carvana.
How did the respondent attempt to establish rights to the disputed domain?
The respondent failed to provide any response or evidence. The panel determined that the respondent had no legitimate rights or interests, noting that the domain was used exclusively for a fraudulent website impersonating the company’s HR department to solicit personal information.
What evidence proved the respondent’s bad faith in this case?
Bad faith was established by the fact that the well-known CARVANA trademark was registered long before the domain. The respondent’s use of the domain to host a phishing site that mimicked official corporate onboarding processes provided clear evidence of an intent to deceive users for illegitimate gain.
What is the primary business risk associated with this type of corporate impersonation tactic?
The primary risk is the theft of sensitive personal data from job applicants or employees through fraudulent portals. This tactic damages brand reputation and imposes significant operational costs, requiring companies to actively monitor and neutralize phishing infrastructure.
Facing corporate impersonation through a domain?
Protect your brand from fraudulent HR recruitment sites and data collection schemes. Learn how a UDRP filing can help you neutralize malicious impersonation domains.
This case note is for informational purposes only and is not legal advice.



