International law firm Gibson, Dunn & Crutcher LLP successfully secured the transfer of the typosquatted domain <gibsonndun.com>. Registered in October 2025, the domain was used to impersonate firm employees in a bad-faith attempt to divert invoice payments from a client. A WIPO panel ordered the immediate transfer of the domain on January 27, 2026.
Case Snapshot
| Case Number | D2025-4798 |
|---|---|
| Complainant | Gibson, Dunn & Crutcher LLP |
| Respondent | NAME REDACTED |
| Disputed Domain | gibsonndun.com |
| Threat Tactic | Typo Domains |
| Decision Date | 2026-01-27 |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4798 |
Severe Financial and Reputational Risks of Typosquatting and Employee Impersonation
The registration and configuration of the typosquatted domain <gibsonndun.com> represent a targeted vector designed to commit corporate invoice diversion fraud. By transposing the letter "n" from "dunn" to the end of "gibson," the actor exploited a subtle visual typo that is easily overlooked in routine business correspondence. Rather than holding the domain passively, the registrant actively configured it to facilitate outbound email delivery, passing off the communications as originating from genuine employees of the law firm. This setup allowed the bad-faith actor to target an actual client with fraudulent invoice payment instructions, demonstrating how typosquatted domains are weaponized to intercept critical financial workflows.
The attacker elevated the sophistication of this scheme by registering the domain under a pseudonym consisting of a reverse first and last name version of an actual firm employee. This level of targeted customization increases the likelihood of bypassing basic security filters and client skepticism. Although the case record does not confirm whether any monetary funds were successfully stolen or diverted during the fraudulent attempt, the execution of the scheme highlights severe risks for brand owners. For professional service firms where client trust is paramount, the unauthorized deployment of employee identities alongside typosquatted domains poses a dual threat of reputational degradation and unintentional leakage of highly sensitive legal or financial communications.
WIPO Panel Legal Analysis: Assessment of Typosquatting, Employee Impersonation, and Billing Fraud
Under the first element of the UDRP, the panel evaluated the confusing similarity between the disputed domain name <gibsonndun.com> and the Complainant’s registered GIBSON DUNN trademark. The Complainant established ownership of U.S. Trademark Registration No. 2,614,712, with rights dating back to 1911. The panel found that the disputed domain name is a direct typosquatted variant of the mark, created by transposing the letter ‘n’ from ‘dunn’ to the end of the word ‘gibson’. This typographical manipulation does not distinguish the domain from the trademark; instead, it relies on common user typing errors to foster confusing similarity.
Regarding the second element of the Policy, the panel determined that the Respondent lacks rights or legitimate interests in the disputed domain name. The Respondent received no authorization or license to use the Complainant’s GIBSON DUNN trademark. Furthermore, the evidence revealed that the Respondent used a reverse first and last name version of an actual employee of the Complainant to complete the domain registration. This unauthorized use of a firm employee’s identity to register a deceptive domain name precludes any claim to a bona fide offering of goods or services or legitimate noncommercial use.
The panel’s finding of bad faith registration and use was supported by the active deployment of the typosquatted domain in a deceptive scheme. The Respondent configured <gibsonndun.com> to send spoofed emails to a client of the Complainant. By impersonating firm employees through this lookalike domain, the Respondent actively attempted to fraudulently divert an outstanding invoice payment to an unauthorized account. This deliberate exploitation of the domain for commercial fraud and client deception constitutes clear evidence of registration and use in bad faith.
Strategic Exposure of Phishing Operations and Rapid Enforcement Timeline
The Complainant’s strategy succeeded by directly linking the typosquatted character transposition of the disputed domain <gibsonndun.com> to a highly specific, active phishing scheme. Rather than relying solely on the visual confusing similarity of the transposed letter ‘n’, the Complainant provided concrete evidence of bad faith use, demonstrating that the domain was configured to impersonate firm employees via email to fraudulently divert a client’s invoice payment. This high-utility evidence was reinforced by exposing the Respondent’s registration tactics, which involved using a reverse first and last name pseudonym of an actual firm employee. Presenting this clear trail of identity spoofing and active financial targeting left no plausible defense for legitimate interests, ensuring a straightforward finding of bad faith.
For brand protection professionals, this case highlights the tactical value of an accelerated enforcement timeline when dealing with active corporate impersonation. The Complainant filed the WIPO complaint on November 19, 2025, only forty-nine days after the domain was registered on October 1, 2025. Moving quickly to UDRP arbitration allowed the Complainant to neutralize a sophisticated security threat before it could cause prolonged operational or financial damage. By documenting the exact mechanics of the invoice diversion attempt and the unauthorized use of internal employee identities, the Complainant provided the WIPO panel with a robust, undisputed factual record that bypassed the challenges of redacted registrant information and resulted in a swift transfer order.
Practical Recommendations
- Establish proactive domain monitoring that specifically targets character-transposition typosquatting (e.g., transposing letters between words like ‘gibsonndun’ for ‘gibsondunn’) to detect and flag malicious registrations immediately.
- Configure secure email gateways to monitor and block incoming/outgoing traffic from newly registered domains that visually mimic key corporate brands, and implement strict DMARC, SPF, and DKIM policies to prevent domain spoofing.
- Implement mandatory out-of-band verification protocols (such as a voice call to a trusted, pre-established phone number) for any client or vendor requests to modify invoice payment details or bank accounts.
- Actively preserve digital forensics—including complete email headers, routing information, and copies of fraudulent invoices—as soon as a phishing attempt is detected to provide irrefutable evidence of bad-faith use in subsequent UDRP filings.
- Leverage rapid-action UDRP procedures to target active phishing vectors immediately upon detection, minimizing the window of vulnerability between domain registration and recovery (which was limited to seven weeks in this case).
Frequently Asked Questions (FAQ)
Why was the domain <gibsonndun.com> considered confusingly similar to Gibson Dunn’s trademark?
The WIPO panel found the domain to be a clear example of typosquatting, where the respondent transposed the letter ‘n’ from ‘dunn’ to the end of ‘gibson.’ This variation was designed to mimic the well-known GIBSON DUNN brand, making it deceptively similar to the firm’s registered trademark and official digital presence.
What evidence established the respondent’s lack of rights and bad faith usage?
The panel determined the respondent had no legitimate interest as they utilized a pseudonym of a Gibson Dunn employee to register the domain. Bad faith was proven by the respondent’s specific use of the domain to impersonate firm staff in phishing communications aimed at fraudulently diverting invoice payments from a client.
How did the respondent attempt to use the domain in their invoice diversion scheme?
The respondent configured the domain to send fraudulent emails to a client of the law firm. By impersonating Gibson Dunn employees, the attacker sought to trick the client into redirecting legitimate invoice payments to an unauthorized, respondent-controlled bank account.
What was the strategic outcome and timeline of this UDRP action?
Following the registration of the domain on October 1, 2025, and the subsequent discovery of the phishing attempt, Gibson Dunn filed a complaint on November 19, 2025. Due to the respondent’s failure to reply and clear evidence of malicious intent, the panel ordered the immediate transfer of the domain on January 27, 2026.
Recovering Typosquatted Domains Targeting Your Brand
Bad actors often use subtle typosquatted domains to impersonate employees and conduct invoice fraud. If you have identified look-alike domains mimicking your brand, contact our team to discuss your UDRP eligibility and enforcement strategy.
This case note is for informational purposes only and is not legal advice.



