No Catch: Facebook Moved to Claim Domains Used For Employee Cybersecurity Training

On Tuesday, Proofpoint, Inc. and Wombat Security Technologies (collectively Proofpoint) filed a complaint in the District of Arizona against Facebook, Inc. and Instagram LLC seeking declaratory relief under the Lanham Act that its use of domain names similar to the defendants for cybersecurity training purposes is not in bad faith and does not infringe on the defendants’ trademarks.

According to the complaint, Proofpoint is a leading security company offering cybersecurity solutions to protect companies. Accordingly, “(o)ne of the ways Proofpoint provides its cybersecurity solution services is by conducting training to help its clients’ workforce recognize cybersecurity threats, including phishing attacks. To make the training exercise more realistic, Proofpoint ( ) intentionally (uses) domain names that look like typo-squatted versions of recognizable domain names,” such as <>, <>, <>, <>, and <> (the ‘Domain Names’).”

Proofpoint claimed that by using the Domain Names that appear similar to well-known companies, it is “able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names.”

Proofpoint stated that as part of its cybersecurity solution, it sends a mock phishing email from the Domain Names to people participating in the training; the individuals either: “(a) ignore the fake phishing email; (b) report the email; or (c) click the simulated phishing link in the email, leading them to one of the Domain Names, in which event they receive a teachable moment notice informing them that they responded to a phishing attempt as part of a training exercise.” The plaintiffs contended that this process reinforces the best behavior for phishing attempts – to ignore or report the phishing email – to employees that clicked on the fake phishing link to safely learn from their mistake and to help them identify phishing, malware, etc. from bad actors in the future.

A screenshot from the complaint, showing the "teachable moment" message shown by the plaintiff's cybersecurity solution.

Moreover, Proofpoint averred that the notice includes a disclaimer stating that, “This phishing simulation was provided by your employer to help teach you to recognize commonly-used phishing risks. To appear as realistic as possible, it may contain the name, brand or logo of unaffiliated third parties.” Additionally, when consumers type in one of the Domain Names into the URL address bar, the consumer is informed that the web address belon gs to Proofpoint and is used for training purposes offered by Proofpoint. They proffered that its registration and use of the Domain Names have been in good faith and for a legitimate purpose; additionally, this purportedly constitutes fair use of the defendants’ relevant trademarks.

A second screenshot from the complaint, showing the "teachable moment" message shown by the plaintiff's cybersecurity solution.

On approximately November 30, 2020, according to the plaintiffs, the defendants filed a Uniform Domain Name Dispute Resolution Policy (UDRP) action against the plaintiffs claiming that the plaintiffs’ Domain Names “are confusingly similar to Defendants’ trademarks FACEBOOK and INSTAGRAM” and that Proofpoint is not using the Domain Names “in connection with a bona fide offering of goods or services”; however, Proofpoint claims that it does have a legitimate interest in these Domain Names and uses them with a bona fide public offering.

Proofpoint argued that it does not create a reasonable likelihood of confusion because it clearly states on the websites that the Domain Names belong to Proofpoint and are used for cybersecurity training purposes, in addition to the aforementioned teachable moment notice and disclaimer. Meanwhile, Facebook and Instagram averred that Proofpoint registered and used the Domain Names in bad faith in the UDRP proceeding.

Nonetheless, in January an arbitrator from the World Intellectual Property Organization Arbitration and Mediation Center issued a decision for the Domain Names to be transferred to Facebook and Instagram and notified Namecheap that upon receipt it must transfer the domain names unless legal action is taken by Proofpoint.

The plaintiffs have sought declaratory relief under the Lanham Act, namely, that it did not violate the Lanham Act, that the plaintiffs have not infringed on the defendants’ trademark rights, that the registrations are lawful, and that the Domain Names are not transferred and instead are unlocked and reactivated with full ownership and use to the plaintiffs.

Proofpoint and Wombat Security Technologies are represented by Hartman Titus PLC and Pattishall McAuliffe Newbury Hilliard & Geraldson, LLP.

Facebook has made other attempts to prevent cybersquatting, suing entities in March 2020 for using similar cybersquatting domain names.