5 May, 2026

Sodexo Secures Costa Rican Mimicry Domain sodexocr.com via WIPO

UDRP Cases

Sodexo successfully recovered the domain sodexocr.com after a registrant used the company’s name to register the geographic-mimicry domain. The Panel found the use of a ‘cr’ suffix and the Respondent’s failure to use the site constituted bad faith passive holding. The domain was ordered transferred to the Complainant.

Case Snapshot

Case Number D2026-0929
Complainant Sodexo
Respondent David Hernandez, Sodexo
Disputed Domain
sodexocr.com
Threat Tactic Geographic Mimicry
Decision Date 2026-04-28
Panelist Edoardo Fano
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2026-0929

Regional Impersonation and the Commercial Risk of Identity Theft Registration

The use of geographic suffixes like ‘cr’ for Costa Rica represents a calculated effort to exploit a brand’s localized market presence. For a multinational entity like Sodexo, which provides facilities management and food services across various territories, the registration of sodexocr.com creates an immediate risk of customer-trust erosion. Clients and vendors in the region may mistake the domain for an official regional portal, leading to the potential for traffic diversion or brand dilution. Even while the domain remains in a state of passive holding, its mere existence serves as a deceptive signal to local stakeholders who expect legitimate, region-specific digital infrastructure from a global corporation.

The business threat is significantly amplified by the Respondent’s use of the Complainant’s own name within the registrant contact information. This form of identity theft aims to bypass basic due diligence by making the domain appear officially sanctioned in public records. Such a tactic provides a foundation for sophisticated corporate impersonation and phishing operations. Specifically, the Complainant identified risks related to email scams, where attackers could use the domain to send fraudulent invoices or impersonate employees to solicit sensitive data or redirect payments to unauthorized bank accounts. For a company handling large-scale service contracts, the financial and reputational fallout from a single successful invoice fraud incident can be substantial.

Furthermore, the rapid transition from domain registration on March 3, 2026, to the filing of a UDRP complaint on March 4, 2026, illustrates the narrow window available to mitigate these operational hazards. The Panel’s determination that passive holding constitutes bad faith use in these circumstances confirms that brand owners do not need to wait for an active fraud to occur before seeking relief. This case demonstrates that deceptive registration data, combined with geographic mimicry, creates a credible threat of future illicit activity, necessitating proactive enforcement to protect the integrity of the brand’s regional communication channels.

Strategic Application of Passive Holding and Identity Theft Evidence

Sodexo’s enforcement strategy centered on immediate action, filing the complaint on March 4, 2026, a mere 24 hours after the registration of sodexocr.com. This rapid response allowed the Complainant to move against the domain before it could be utilized for phishing or invoice fraud targeting its regional clients. A critical component of the persuasive evidence was the Respondent’s use of "Sodexo" within the registrant name field. The Panel identified this as potential identity theft, creating a strong presumption of bad faith registration. By highlighting that the Respondent sought to impersonate the brand owner at the registry level, the Complainant effectively neutralized any potential defense regarding rights or legitimate interests, even while the domain remained in an inactive state.

The legal strategy also successfully addressed the challenges associated with passive holding and geographic mimicry. The Complainant demonstrated that the addition of the suffix "cr"—denoting Costa Rica—did not distinguish the domain from the SODEXO trademark, particularly as the Complainant holds specific trademark registrations in that jurisdiction. The Panel found that the Respondent’s failure to use the site did not prevent a finding of bad faith, as the circumstances suggested the domain was held to exploit the Complainant’s reputation. By providing evidence of its extensive trademark portfolio in the European Union and Costa Rica, Sodexo established that the Respondent’s choice of domain was a deliberate attempt to mimic the company’s local corporate presence, necessitating a transfer under the Policy.

Practical Recommendations

  • Implement 24/7 domain monitoring with instant alerts for new registrations combining the core trademark with geographic suffixes (e.g., ‘cr’ for Costa Rica) to facilitate rapid enforcement before malicious content is deployed.
  • Cross-reference WHOIS registrant data with internal corporate records; if a third-party uses your company’s name in the registrant field, highlight this ‘identity theft’ to the Panel as proactive evidence of bad faith registration.
  • File UDRP complaints immediately upon detection of geographic mimicry domains—even if the site is currently inactive—by invoking the ‘passive holding’ doctrine to prevent the domain from being activated for phishing or invoice fraud.
  • Request that the language of the proceeding be English even if the registration agreement is in a local language, particularly in cases of clear corporate impersonation, to reduce translation costs and expedite the decision process.
  • Maintain up-to-date trademark registrations in every jurisdiction where the company has operations to ensure the ‘confusing similarity’ element of the UDRP is easily met regardless of the domain’s geographic suffix.

Frequently Asked Questions (FAQ)

Why did the Panel consider the domain ‘sodexocr.com’ confusingly similar to the SODEXO trademark?

The Panel determined that the disputed domain creates a likelihood of confusion by incorporating the protected ‘SODEXO’ mark in its entirety, with the addition of the ‘cr’ suffix simply implying a regional, Costa Rican association with the official brand.

How did the Respondent demonstrate bad faith in the registration of the domain?

Bad faith was established through the respondent’s unauthorized use of the complainant’s company name in the domain’s registration contact details—a form of identity theft—and the subsequent failure to establish any legitimate rights or interests in the domain.

Can a domain that is inactive or ‘passively held’ still be deemed to be used in bad faith?

Yes. The Panel found that even without active content, the passive holding of the domain, combined with the clear potential for phishing or corporate impersonation using the brand’s name, satisfies the criteria for bad faith use under the UDRP.

What is the key takeaway for businesses regarding the timing of UDRP enforcement?

This case highlights the value of proactive monitoring; Sodexo successfully identified the registration and filed its complaint within one day of the domain creation, preventing the respondent from operationalizing potential phishing or invoice scams.

Seeing brand abuse in a regional domain zone?

Proactive monitoring of country-code top-level domains (ccTLDs) can help identify malicious impersonation before it scales. Protect your regional operations by assessing your vulnerability to geographic mimicry and unauthorized brand use.

Request regional audit

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.