WIPO Arbitration and Mediation Center

ADMINISTRATIVE PANEL DECISION

Kimley-Horn and Associates, Inc. v. Contact Privacy Inc., Customer 1246614033 / Larry William

Case No. D2020-0661

1. The Parties

The Complainant is Kimley-Horn and Associates, Inc., United States of America (“United States”), represented by Nelson Mullins Riley & Scarborough, L.L.P., United States.

The Respondent is Contact Privacy Inc., Customer 1246614033, Canada / Larry William, United States.

2. The Domain Name and Registrar

The disputed domain name <kimely-horn.com> (the “Domain Name”) is registered with Google LLC (the “Registrar”).

3. Procedural History

The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on March 18, 2020. On March 19, 2020, the Center transmitted by email to the Registrar a request for registrar verification in connection with the Domain Name. On March 20, 2020, the Registrar transmitted by email to the Center its verification response disclosing registrant and contact information for the Domain Name which differed from the named Respondent and contact information in the Complaint. The Center sent an email communication to the Complainant on March 20, 2020 providing the registrant and contact information disclosed by the Registrar, and inviting the Complainant to submit an amendment to the Complaint. The Complainant filed an amended Complaint on March 23, 2020.

The Center verified that the Complaint together with the amended Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).

In accordance with the Rules, paragraphs 2 and 4, the Center formally notified the Respondent of the Complaint, and the proceedings commenced on March 30, 2020. In accordance with the Rules, paragraph 5, the due date for Response was April 19, 2020. The Respondent did not submit any response. Accordingly, the Center notified the Respondent’s default on April 20, 2020.

The Center appointed Ellen B Shankman as the sole panelist in this matter on April 29, 2020. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.

4. Factual Background

The date of the Domain Name registration was confirmed by the Registrar to be March 5, 2020.

The trademark KIMLEY-HORN serves as a house-mark of the Complainant and is protected as a registered trademark in multiple jurisdictions world-wide.

The Complainant provided evidence of multiple trademark registrations for the mark KIMLEY-HORN including, inter alia, United States Registrations No. 2,788,474 KIMLEY-HORN (registered on December 2, 2003) and United States Registration No. 4,685,771 KIMLEY HORN and Design (registered on February 10, 2015), both for word marks logos, that predate the date of the Domain Name registration, for a variety of financial analysis and consultation services, and engineering consultation services.

The Complainant also provided evidence of phishing emails that imitated an employee of the Complainant. For the sake of privacy the identities have been redacted.

The Panel also conducted an independent search to determine that the Domain Name resolves to a website showing an error message.

5. Parties’ Contentions

A. Complainant

Founded in 1967, the Complainant is one of the United States’ premier planning, engineering, and design consulting firms offering full services in a wide range of disciplines. The Complaint alleges that since at least as early as 1967, when the firm was founded, the Complainant adopted and has extensively and continuously used the KIMLEY-HORN trademark in connection with the marketing, advertising, promotion, and provision of the Complainant’s planning, engineering, and design consulting firm services. Because of its extensive, continuous, and substantial investment in and use of the trademark in commerce, the Complainant’s KIMLEY-HORN trademark has acquired a substantial amount of reputation and goodwill in the marketplace, which consumers recognize as belonging exclusively to the Complainant. Consumer recognition of said reputation and goodwill is further demonstrated by the long and distinguished list of third-party awards and recognitions the Complainant and the Complainant’s employees have received over the years, including but not limited to, being ranked in Fortune Magazine’s “100 Best Companies to Work For” and “100 Best Workplaces for Millennials” rankings as well as being the top ranked firm in Civil Engineering News’ “Best Civil Engineering Companies to Work For” ranking.

Additionally, the Complainant registered and has continually used the <kimley-horn.com> domain name since at least as early as April 12, 1996. In addition to being used as the location of the Complainant’s main website, the Complainant also utilizes the <kimley-horn.com> domain name to host email addresses for the Complainant’s employees. The Respondent registered the Domain Name on March 5, 2020. That very same day the Respondent attempted a phishing/business email compromise attack on the Complainant. Specifically, the Complainant alleges that the Respondent appears to have gained access to a previous email thread between one of the Complainant’s Project Accountants, and an employee of one of the Complainant’s clients, [names redacted], regarding an outstanding invoice and the Respondent began corresponding with the employee of the client posing as an employee of the Complainant using the email address “[name redacted]@kimely-horn.com” in an attempt to have the direct payment of the outstanding invoice to the Respondent’s bank account under the guise that the Complainant had recently changed its wire/ACH payment accounts. To combat the Respondent’s phishing attack, the Complainant filed a phishing abuse complaint with the Registrar.

The Complainant contends that the Domain Name is unquestionably confusingly similar to the Complainant’s KIMLEY-HORN mark as the Domain Name is virtually identical to the Complainant’s KIMLEY-HORN mark but for the transposition of the letters “l” and “e” in “kimley”, and that the transposition of letters should not prevent a finding of confusing similarity. Further, the Respondent has no prior rights or legitimate interests in the Domain Name. The Complainant has not authorized the Respondent to use the KIMLEY-HORN mark. The Respondent is not a licensee of the KIMLEY-HORN mark. Moreover, the Respondent is not commonly known by the name Kimley-Horn.

The Complainant argues that the Respondent’s registration of the Domain Name, which is virtually identical to the Complainant’s KIMLEY-HORN mark, was done intentionally to capitalize on the reputation and goodwill associated with the KIMLEY-HORN mark in order to facilitate the Respondent’s phishing/business email compromise attack. The Respondent used the Domain Name to impersonate the Complainant’s employee in connection with a phishing/business email compromise attack directed at one of the Complainant’s clients. Such use of the Domain Name constitutes registration and use of the Domain Name in bad faith.

To summarize the Complaint, the Complainant is the owner of multiple registrations for the trademark KIMLEY-HORN, in respect of a civil engineering services. The Domain Name is confusingly similar to the trademark owned by the Complainant. The transposition of two letters of the trademark does not prevent a finding of confusing similarity. Therefore, the Domain Name could be considered virtually identical and/or confusingly similar to the Complainant’s trademark. The Complainant contends that the Respondent has no rights or legitimate interests in respect of the Domain Name. The Domain Name was registered and is being used in bad faith. That continued use of the Domain Name would lead to a likelihood of confusion as to the source, sponsorship, affiliation or endorsement of the Respondent by the Complainant and is a source of fraudulent phishing activity. Thus, the Respondent’s registration and use of the Domain Name constitutes bad faith registration and use under the Policy, and the Complainant requests transfer of the Domain Name.

B. Respondent

The Respondent did not reply to the Complainant’s contentions.

6. Discussion and Findings

The burden for the Complainant under paragraph 4(a) of the Policy is to prove:

(i) that the Domain Name registered by the Respondent is identical or confusingly similar to a trademark or service mark in which the Complainant has rights;

(ii) that the Respondent has no rights or legitimate interests in respect of the Domain Name; and

(iii) that the Domain Name has been registered and is being used in bad faith.

A. Identical or Confusingly Similar

The Panel finds that the Complainant has satisfactorily proven that it has registered trademark rights for KIMLEY-HORN.

Further, the Panel agrees that the Domain Name is confusingly similar to the Complainant’s KIMLEY-HORN mark as the Domain Name is virtually identical to the Complainant’s mark but for the transposition of the two letters “l” and “e” in “kimley”. This finding is consistent with previous UDRP panels and it is well established that the transposition of letters in a mark is a common typographical variant and such common typographical variants typically give rise to a finding of confusing similarity. See e.g. Volvo Trademark Holding AB v. Unasi, Inc., WIPO Case No. D2005-0556 (transposition of the letters “l” and “o” in the domain name <vlovo.com>); K&L Gates, LLP v. Global Domain Privacy / Macianne Pakinston, Norlan links consultants, WIPO Case No. D2018-1525; ACCOR v. Brigit Klostermann, WIPO Case No. D2005-0627.

The Panel finds that the Domain Name is confusingly similar to the Complainant’s trademark. Further, the Panel finds that the transposition of two letters in the Domain Name does not change the overall impression of the designation as being connected to the trademark of the Complainant. It does not prevent a finding of confusing similarity between the Domain Name and the Complainant’s trademark. See Pfizer Inc. v. Asia Ventures, Inc., WIPO Case No. D2005-0256. See also Ansell Healthcare Products Inc. v. Australian Therapeutics Supplies Pty, Ltd., WIPO Case No. D2001-0110, stating “The incorporation of a Complainant’s well-known trademark in the registered Domain Name is considered sufficient to find the Domain Name confusingly similar to the Complainant’s trademark.”

Accordingly, the Panel finds that the Complainant has satisfied the first requirement that the Domain Name is identical or confusingly similar to the Complainant’s registered trademark, under paragraph 4(a)(i) of the Policy.

B. Rights or Legitimate Interests

Paragraph 4(c) of the Policy in turn identifies three means through which a respondent may establish rights or legitimate interests in a domain name. Although the complainant bears the ultimate burden of establishing all three elements of paragraph 4(a) of the Policy, UDRP panels have recognized that this could result in the often impossible task of proving a negative, requiring information that is primarily, if not exclusively, within the knowledge of the respondent. Thus, the consensus view is that paragraph 4(c) shifts the burden of production to the respondent to come forward with evidence of a right or legitimate interest in the disputed domain name, once the complainant has made a prima facie showing. See, e.g., Document Technologies, Inc. v. International Electronic Communications Inc., WIPO Case No. D2000-0270.

The Complainant asserts that the Respondent has no rights or legitimate interests in respect of the Domain Name and that it is not related to or affiliated in any way with the Complainant, nor has the Complainant authorized the Respondent to use its trademarks.

In addition, UDRP panels have categorically held that the use of a domain name for illegal activity, such as phishing attacks or impersonation/passing off, or other types of fraud can never confer rights or legitimate interests on a respondent. See section 2.13.1 of the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition (“WIPO Overview 3.0”); See Kimley-Horn and Associates, Inc. v. Abrahim Hashim, WIPO Case No. DCO2019-0017 (“The use of the domain name for such a fraudulent purpose as phishing, obviously, cannot be held to constitute a bona fide use of the disputed domain name”); see also CMA CGM v. Diana Smith, WIPO Case No. D2015-1774 (“such phishing scam cannot be considered a bona fide offering of goods or services nor a legitimate noncommercial or fair use of the Domain Name”).

Based on the available record, the Panel finds that the Complainant has established a prima facie case, which was not refuted, and that the Respondent lacks rights or legitimate interests in the Domain Name.

Therefore, the Complainant has satisfied the second requirement that the Respondent has no rights or legitimate interests in the Domain Name, under paragraph 4(a)(ii) of the Policy.

C. Registered and Used in Bad Faith

The Panel is persuaded that the Respondent registered the Domain Name, which is virtually identical to the Complainant’s trademark, and on the same day used the Domain Name to conduct a phishing/business email compromise attack targeting one of the Complainant’s clients by impersonating an employee of the Complainant. The Panel finds such use to constitute registration and use of the Domain Name in bad faith.

This finding is consistent with other UDRP panels, see, e.g., Halliburton Energy Services, Inc. v. Gregory Wilson / Infotech Ltd., WIPO Case No. D2017-0956 (“Sent on the very day the disputed domain name was registered and incorporating the disputed domain name in the address”; bad faith found); see also Independent Health Association Inc. v. Registration Private, Domains By Proxy, LLC / [K. A.], WIPO Case No. D2016-1625 (phishing attack involving impersonation of complainant as part of an employment scam).

It is exactly such kind of opportunistic bad faith that the Policy was designed to address. Given the evidence of the Complainant’s prior rights in the trademark, the distinctiveness of the Complainant’s trademark and reputation, the timing of the registration of the Domain Name with apparent full knowledge of the Complainant and the impersonation of an employee of the Complainant for phishing and fraudulent financial gain, the Panel finds that the Complainant has satisfied the third requirement that the Respondent has registered and is using the Domain Name in bad faith, under paragraph 4(a)(iii) of the Policy.

7. Decision

For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the Domain Name <kimely-horn.com> be transferred to the Complainant.

Ellen B Shankman
Sole Panelist
Date: May 12, 2020