A fake website posing as my business has popped up! What can I do?

Tony Grujovski

Tony Grujovski

As scam texts and emails become more common, so are websites posing as legitimate businesses. These websites often look like the real deal, making it difficult for unsuspecting consumers to spot. Consumers may end up providing personal information and credit card details to the scammer under the mistaken belief they are dealing with the legitimate business (known as “phishing”).

Scam websites can cause serious damage to your brand reputation. What are your options to get these websites taken down?

Option 1: Contact the domain name registrar

Domain name holders are required to agree to terms of service when they register any domain name. Those terms prevent a domain name being used to resolve to a phishing or other scam website. And if breached, then the registrar can block or cancel the domain name.

As an example, GoDaddy’s reporting abuse webpage contains details for reporting different types of domain name abuse, including phishing websites.

So a good first step is to report a scam website to the registrar that administers the domain name being used to provide access to the website. You can find out the identity of the registrar by running a WHOIS search on the domain name.

Option 2: File a domain name proceeding

The .au Dispute Resolution Policy or “auDRP” is a more formal process for obtaining a transfer of a .com.au or .au domain name which is being used to run a fraudulent/scam website. The equivalent process for top-level domain names (think .com, .net, .org) is the Uniform Domain Name Dispute Resolution Policy or “UDRP”. Both methods allow you to wrest control of a domain name linked to a scam website (and in so doing, disable the website) where the domain name incorporates your trade mark.

Our previous article on domain name recovery options discussed the process involved in making an auDRP complaint. You will need to show that the domain name holder lacks a legitimate interest in the domain name and has registered it or is using it in bad faith. Generally speaking, you won’t have much difficulty establishing this if you’re dealing with a scam website because the domain name is being used to impersonate your business. And users are being led to the scam website because the domain name is confusingly similar to your trade mark.

The UDRP and auDRP effectively prioritise the right of a brand owner to a domain name incorporating its trade mark over a third party who lacks a legitimate interest.

In terms of time and cost, the auDRP and UDRP methods are mid-range options. They are cheaper alternatives to trade mark infringement litigation, but they’re more expensive than contacting the domain name registrar (option 1 above) or reporting to Scamwatch (option 3 below). The main advantage of domain name proceedings is in the result, if successful: the domain name will be transferred to you. But the main disadvantage is that even if you succeed, a determined scammer can just launch another scam website from a different domain name. Let the whack-a-mole tournament begin.

Option 3: Report to Scamwatch

Historically, Australian regulators and enforcement agencies worked with internet service providers (ISPs) to block scam websites. The power of ISPs to block such websites on request of a regulator or enforcement agency is found in section 313(3) of the Telecommunications Act 1997 (Cth).

Section 313 is a serious power reserved for use in preventing sophisticated scamming activity. For this reason, there’s a fair bit of red tape involved in its use. To reduce the burden on affected businesses, ASIC (our financial services regulator) and ACCC (our competition and consumer rights regulator) have recently launched a new method for taking down fraudulent and malicious websites.

ASIC needs to come up with a better name for it, but the Investment Scam Website Takedown Capability was launched in July 2023 and has already resulted in the takedown of some 2500 websites. The ACCC has implemented a similar capability via the National Anti-Scam Centre and Scamwatch, a consumer scam reporting website. During 2022, Scamwatch received almost 240,000 reports with a reported consumer loss of over $569 million.

Importantly, these takedown methods circumvent the Telecommunications Act power because they don’t engage with the ISP. Rather, they involve a partnership between ASIC and ACCC (on the one hand) and Netcraft, a cybercrime disruption service provider. Netcraft facilitates website takedowns by gathering evidence of fraudulent activity and notifying providers of the website’s infrastructure, such as hosting providers and domain name registrars, who will then most likely execute a website takedown in accordance with their terms of use. So rather than have the ISP block the website via the Telecommunications Act power, ASIC and ACCC target the website’s backend infrastructure providers who have the right to disable scam websites via their terms of service. This is a much quicker takedown process than the Telecommunications Act. And in scam world, time is everything. The longer a fraudulent website stay active, the greater the potential for consumer harm.

Scam websites of all kinds can be reported to the regulators via the Scamwatch website. There’s no cost for making a report.

Other potential options

Businesses operating in specific regulated industries will have additional reporting options. For instance, the operation of gambling services is regulated in Victoria by the Victorian Gambling and Casino Control Commission (VGCCC). If the scam website is offering a gambling activity, you can report the website to VGCCC for not having the appropriate licence.

If the fraudulent website is using a third party service to perpetuate a phishing scam, such as Shopify to collect personal information and process payments, you can also report the website to the service provider directly. The scammer’s service may be cancelled because they have breached the terms of use.

Which option is best?

It depends on the outcome you want. If you want to obtain control of the domain name associated with the scam website, then option 2 is best. If you just want to see the website taken down and don’t care about the associated domain name, go with option 1 or option 3. There may be other roundabout methods you can use to have the scam website disabled if your business operates in a particular regulated industry and/or the website integrates third party platforms whose terms of service may have been breached.

Is your business being impersonated online? Contact us. We’ll formulate a strategy that fits your goals and your budget.

Share Post

Share on facebook
Share on google
Share on twitter
Share on linkedin