5 May, 2026

WIPO Orders Transfer of Typosquatted Domain Used in Law Firm Invoice Diversion Scheme

UDRP Cases

International law firm Gibson, Dunn & Crutcher LLP successfully secured the transfer of the typosquatted domain <gibsonndun.com>. Registered in October 2025, the domain was used to impersonate firm employees in a bad-faith attempt to divert invoice payments from a client. A WIPO panel ordered the immediate transfer of the domain on January 27, 2026.

Case Snapshot

Case Number D2025-4798
Complainant Gibson, Dunn & Crutcher LLP
Respondent NAME REDACTED
Disputed Domain
gibsonndun.com
Threat Tactic Typo Domains
Decision Date 2026-01-27
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4798

Severe Financial and Reputational Risks of Typosquatting and Employee Impersonation

The registration and configuration of the typosquatted domain <gibsonndun.com> represent a targeted vector designed to commit corporate invoice diversion fraud. By transposing the letter "n" from "dunn" to the end of "gibson," the actor exploited a subtle visual typo that is easily overlooked in routine business correspondence. Rather than holding the domain passively, the registrant actively configured it to facilitate outbound email delivery, passing off the communications as originating from genuine employees of the law firm. This setup allowed the bad-faith actor to target an actual client with fraudulent invoice payment instructions, demonstrating how typosquatted domains are weaponized to intercept critical financial workflows.

The attacker elevated the sophistication of this scheme by registering the domain under a pseudonym consisting of a reverse first and last name version of an actual firm employee. This level of targeted customization increases the likelihood of bypassing basic security filters and client skepticism. Although the case record does not confirm whether any monetary funds were successfully stolen or diverted during the fraudulent attempt, the execution of the scheme highlights severe risks for brand owners. For professional service firms where client trust is paramount, the unauthorized deployment of employee identities alongside typosquatted domains poses a dual threat of reputational degradation and unintentional leakage of highly sensitive legal or financial communications.

Strategic Exposure of Phishing Operations and Rapid Enforcement Timeline

The Complainant’s strategy succeeded by directly linking the typosquatted character transposition of the disputed domain <gibsonndun.com> to a highly specific, active phishing scheme. Rather than relying solely on the visual confusing similarity of the transposed letter ‘n’, the Complainant provided concrete evidence of bad faith use, demonstrating that the domain was configured to impersonate firm employees via email to fraudulently divert a client’s invoice payment. This high-utility evidence was reinforced by exposing the Respondent’s registration tactics, which involved using a reverse first and last name pseudonym of an actual firm employee. Presenting this clear trail of identity spoofing and active financial targeting left no plausible defense for legitimate interests, ensuring a straightforward finding of bad faith.

For brand protection professionals, this case highlights the tactical value of an accelerated enforcement timeline when dealing with active corporate impersonation. The Complainant filed the WIPO complaint on November 19, 2025, only forty-nine days after the domain was registered on October 1, 2025. Moving quickly to UDRP arbitration allowed the Complainant to neutralize a sophisticated security threat before it could cause prolonged operational or financial damage. By documenting the exact mechanics of the invoice diversion attempt and the unauthorized use of internal employee identities, the Complainant provided the WIPO panel with a robust, undisputed factual record that bypassed the challenges of redacted registrant information and resulted in a swift transfer order.

Practical Recommendations

  • Establish proactive domain monitoring that specifically targets character-transposition typosquatting (e.g., transposing letters between words like ‘gibsonndun’ for ‘gibsondunn’) to detect and flag malicious registrations immediately.
  • Configure secure email gateways to monitor and block incoming/outgoing traffic from newly registered domains that visually mimic key corporate brands, and implement strict DMARC, SPF, and DKIM policies to prevent domain spoofing.
  • Implement mandatory out-of-band verification protocols (such as a voice call to a trusted, pre-established phone number) for any client or vendor requests to modify invoice payment details or bank accounts.
  • Actively preserve digital forensics—including complete email headers, routing information, and copies of fraudulent invoices—as soon as a phishing attempt is detected to provide irrefutable evidence of bad-faith use in subsequent UDRP filings.
  • Leverage rapid-action UDRP procedures to target active phishing vectors immediately upon detection, minimizing the window of vulnerability between domain registration and recovery (which was limited to seven weeks in this case).

Frequently Asked Questions (FAQ)

Why was the domain <gibsonndun.com> considered confusingly similar to Gibson Dunn’s trademark?

The WIPO panel found the domain to be a clear example of typosquatting, where the respondent transposed the letter ‘n’ from ‘dunn’ to the end of ‘gibson.’ This variation was designed to mimic the well-known GIBSON DUNN brand, making it deceptively similar to the firm’s registered trademark and official digital presence.

What evidence established the respondent’s lack of rights and bad faith usage?

The panel determined the respondent had no legitimate interest as they utilized a pseudonym of a Gibson Dunn employee to register the domain. Bad faith was proven by the respondent’s specific use of the domain to impersonate firm staff in phishing communications aimed at fraudulently diverting invoice payments from a client.

How did the respondent attempt to use the domain in their invoice diversion scheme?

The respondent configured the domain to send fraudulent emails to a client of the law firm. By impersonating Gibson Dunn employees, the attacker sought to trick the client into redirecting legitimate invoice payments to an unauthorized, respondent-controlled bank account.

What was the strategic outcome and timeline of this UDRP action?

Following the registration of the domain on October 1, 2025, and the subsequent discovery of the phishing attempt, Gibson Dunn filed a complaint on November 19, 2025. Due to the respondent’s failure to reply and clear evidence of malicious intent, the panel ordered the immediate transfer of the domain on January 27, 2026.

Recovering Typosquatted Domains Targeting Your Brand

Bad actors often use subtle typosquatted domains to impersonate employees and conduct invoice fraud. If you have identified look-alike domains mimicking your brand, contact our team to discuss your UDRP eligibility and enforcement strategy.

Start domain recovery

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.