In WIPO case D2025-4525, Hershey Chocolate & Confectionery LLC successfully secured the transfer of <hersheysales-co.com>. The Respondent, Michael Handell of NY BD Sports LLC, registered the domain to impersonate a Hershey employee via email and solicit fraudulent payments from third parties. Panelist Dennis A. Foster ruled that using the lookalike domain for email phishing constitutes bad faith and ordered an immediate transfer.
Case Snapshot
| Case Number | D2025-4525 |
|---|---|
| Complainant | Hershey Chocolate & Confectionery LLC |
| Respondent | Michael Handell, NY BD Sports LLC |
| Disputed Domain | hersheysales-co.com |
| Threat Tactic | Phishing and Email Fraud |
| Decision Date | 2025-12-31 |
| Panelist | Dennis A. Foster |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4525 |
Exploitation of Brand Equity and the B2B Communication Threat
The registration of hersheysales-co.com by Michael Handell of NY BD Sports LLC illustrates how bad actors weaponize targeted, brand-plus-keyword domains exclusively for business email compromise (BEC). By choosing a domain that appends the corporate signifier "sales-co" to the highly famous HERSHEY trademark, the registrant crafted a highly plausible vehicle for corporate impersonation. Because the domain hosted no active website, it effectively operated under the radar of traditional, visual brand-monitoring systems. This passive web footprint masked a highly targeted, active communication scheme, wherein the registrant sent unauthorized emails impersonating the candy manufacturer and one of its legitimate employees to solicit fraudulent business transactions and payments.
For enterprise brand owners, this exact tactic introduces severe operational, financial, and reputational risks. The primary threat lies in the exploitation of established corporate trust; third-party suppliers and business partners, familiar with Hershey’s long-standing commercial presence dating back to 1906, are highly susceptible to lowering their defenses when approached by what appears to be a legitimate representative. When external partners fulfill unauthorized order solicitations or redirect payments to fraudulent accounts, it strains critical B2B relationships and exposes the victimized enterprise to complex liability disputes. Although this specific scheme did not compromise Hershey’s password-protected systems or internal networks, the outer boundary of its corporate communication ecosystem was breached, proving that brand equity itself is frequently leveraged to facilitate external financial fraud.
Panelist Analysis of Confusing Similarity, Lack of Rights, and Bad Faith Exploitation
Under the first element of the UDRP Policy, Panelist Dennis A. Foster evaluated whether the disputed domain name <hersheysales-co.com> is identical or confusingly similar to a trademark in which the Complainant possesses rights. Hershey Chocolate & Confectionery LLC established its rights through numerous registrations for the HERSHEY and HERSHEY’S marks, including U.S. Reg. No. 54,041 dating back to July 19, 1906. The disputed domain incorporates the famous HERSHEY mark in its entirety, merely appending the descriptive terms "sales" and "co" separated by a hyphen. Under established UDRP practice, the addition of generic or business-related terms does not prevent a finding of confusing similarity when the complainant’s highly recognizable trademark remains the dominant element of the domain name.
Regarding the second element, the Panel examined whether Michael Handell of NY BD Sports LLC had any rights or legitimate interests in the disputed domain name. The Respondent failed to reply to the Complainant’s contentions or present evidence of a bona fide offering of goods or services, commonly known trade name rights, or legitimate noncommercial fair use. Instead, the factual record demonstrated that the domain was utilized to transmit unauthorized email communications impersonating the Complainant and an employee. The Panel concluded that deploying a lookalike domain specifically to solicit fraudulent business transactions and payments under false corporate pretenses is the antithesis of a legitimate interest.
Addressing the third element, the Panel determined that the registration and use of the disputed domain occurred in bad faith. Given the international fame of the HERSHEY trademark, the Panel found that the Respondent’s registration of <hersheysales-co.com> could only have been executed with prior knowledge of the brand, pointing directly to bad faith registration. Furthermore, the active deployment of the domain for an email-based phishing and impersonation scheme, despite the lack of any hosted website content, constitutes bad faith use under the Policy. This tactic leverages the Complainant’s famous brand equity to lower the defenses of supply chain partners during fraudulent outreach.
Strategic Application of Fame and Email-Based Bad Faith Evidence
The Complainant’s successful strategy relied heavily on establishing its long-standing trademark rights and international reputation to demonstrate that the Respondent acted with clear knowledge of the brand. By presenting trademark registrations dating back to July 19, 1906, including U.S. Reg. No. 54,041, Hershey Chocolate & Confectionery LLC established undisputed prior rights and massive global equity. This extensive historical record made the Respondent’s registration of the domain name <hersheysales-co.com> on May 30, 2025, highly suspect. By demonstrating that the HERSHEY mark is internationally famous, the Complainant effectively convinced the Panel that the Respondent, Michael Handell of NY BD Sports LLC, could not have registered the domain in good faith.
Crucially, the Complainant did not let the absence of an active website weaken its case, instead presenting direct evidence of how the domain was actively weaponized for email phishing and corporate impersonation. The Complainant documented that the Respondent used the domain name to send unauthorized email communications impersonating a legitimate Hershey employee and contacting third parties to solicit fraudulent business transactions and payments. By delivering concrete proof of this targeted outreach, the Complainant successfully argued that registration and use of a domain name to execute a fraudulent scheme constitutes bad faith under the UDRP. This evidentiary approach demonstrates to brand owners that robust proof of backend email abuse is highly persuasive to panels, even when a disputed domain lacks any live web content.
Practical Recommendations
- Implement proactive domain monitoring programs targeting high-risk commercial and operational keyword combinations (such as ‘[brand]sales’, ‘[brand]-co’, or ‘[brand]invoice’) to identify lookalike registrations before they can be weaponized.
- Configure threat intelligence feeds to actively monitor and alert on the creation of Mail Exchanger (MX) records on newly registered, brand-similar domains, as this is a primary indicator of preparation for email-based phishing and corporate impersonation.
- Establish clear protocols for securing and preserving evidence of third-party phishing targets, such as full email headers and fraudulent solicitation messages, to decisively satisfy the ‘bad faith use’ requirement in UDRP filings even when no active website exists.
- Educate supply chain partners and vendors on standard corporate domain structures and implement strict out-of-band verification processes for any transactional or payment requests originating from modified or lookalike domain variations.
Frequently Asked Questions (FAQ)
Why was the domain <hersheysales-co.com> considered confusingly similar to the HERSHEY brand?
The WIPO panel determined that the domain name incorporates the famous ‘HERSHEY’ trademark in its entirety, creating a high likelihood of confusion for third parties who might reasonably believe the site or associated emails were affiliated with or authorized by Hershey Chocolate & Confectionery LLC.
How did the respondent demonstrate a lack of rights or legitimate interests in the disputed domain?
The respondent failed to provide any evidence of rights or legitimate interests and did not reply to the complainant’s contentions. The lack of an active website at the domain, coupled with its use for unauthorized impersonation, further confirmed that no legitimate business purpose existed.
What evidence proved the respondent acted in bad faith?
Bad faith was established because the respondent utilized the <hersheysales-co.com> domain to send fraudulent email communications, impersonating Hershey employees to solicit payments from business partners. The panel noted that the international fame of the HERSHEY trademark made it impossible for the registration to be in good faith.
What was the strategic outcome of this UDRP case?
The panel ruled in favor of the complainant, ordering the immediate transfer of the domain name to Hershey Chocolate & Confectionery LLC. This action successfully neutralized a platform used for email-based business compromise (BEC) and corporate impersonation.
Are your domain assets being used to facilitate supply chain fraud?
Bad actors are increasingly weaponizing look-alike domains for Business Email Compromise (BEC) rather than active websites. Learn how to proactively detect and neutralize impersonation domains before they are used to solicit fraudulent payments from your partners.
This case note is for informational purposes only and is not legal advice.



